Paste a scenario. Get a Safe-Harbor-aligned redaction and a "what was removed" report — so you can use the consumer LLM you actually want, without sending PHI to a vendor you don't have a BAA with.
Everything below runs locally in your browser. Nothing is uploaded, logged, or stored.
The patterns below look like they could be names but didn't match any of the detection rules. Review and redact manually if needed.
Three commitments. No exceptions.
Pattern matching runs in your browser using JavaScript. There is no server endpoint receiving your text. The only network requests are to load this page's own HTML, CSS, and JS, plus — if you activate Pro — a single license-key check. None of them carry your clinical text, and you can audit them all.
Detects names (titled and contextual), dates, ages ≥ 90, addresses, ZIPs, phone & fax, emails, URLs, IPs, SSNs, MRNs, account & license numbers, facility names, and VINs — the categories from §164.514(b)(2).
Every redaction shows up in the report: what was matched, what category it was assigned, and what it was replaced with. Nothing happens silently.
Free to use with no signup — de-identify and copy as much as you like. Pro unlocks the prompt-wrapper export and the redaction-report export.
Billed monthly. Cancel anytime.
$4.08/mo equivalent. Two months free.
No account system — no password, no profile. After checkout, Stripe gives you a unique license key that unlocks the Pro features in your browser. Keys are per-customer and revocable, so a shared key can be switched off without affecting anyone else.
This tool helps you implement the Safe Harbor method (45 CFR §164.514(b)(2)) for de-identifying PHI before it leaves your control. It is not a Business Associate; using it does not make your prompts to a non-BAA LLM compliant by itself. You remain responsible for verifying the output before pasting it anywhere. Because processing happens in your browser, the tool itself never receives or stores PHI.
This tool implements Safe Harbor (the pattern-based method), not Expert Determination (the statistical method that requires a qualified expert). Safe Harbor is faster and more practical for one-off prompts; Expert Determination is what you'd use for a dataset.
Yes — click "Choose PDF or image…" and select a file. Text-based PDFs (EHR exports, chart prints, lab reports) are parsed instantly using Mozilla's pdf.js. Scanned PDFs and images (PNG, JPG, WEBP, TIFF) trigger an offer to run OCR — open-source Tesseract.js running in WebAssembly. Both libraries run entirely in your browser; the file never leaves your device. The first OCR run downloads ~14MB of trained data (cached after); each page takes roughly 5–30 seconds depending on your laptop. OCR accuracy is ~90% on clean printed text and lower on faxes or handwriting — anything the OCR misreads will also be missed by the de-identifier, so review the output carefully.
Validated against six common clinical formats: ER admit notes, office visit notes, consult notes (e.g. cardiology, endocrine), lab reports (CMP, CBC, etc., including specimen and accession IDs and CLIA numbers), radiology reports (with accession numbers and comparison study dates), and discharge summaries. The engine handles both narrative prose and tabular/structured EHR exports — including "Lastname, Firstname M." style demographics blocks, multiple date formats, and labeled identifiers like MRN, Accession #, Specimen ID, Encounter ID, NPI, and DEA. Lab values, reference ranges, and clinical findings are preserved unchanged.
Yes. Pattern matching can't catch every name, every address, or every uncommon identifier. The "Worth a second look" section flags capitalized phrases that could be names but didn't match a rule — a prompt to review manually. Always read the output before sending.
There's still nothing to sign up for — no password, no profile. After you subscribe, Stripe hands you a unique license key. Activating it makes one quick call to verify the key (your key only — never your clinical text), then it's remembered in your browser. Because keys are per-customer, a shared or leaked key can be revoked on its own without affecting anyone else.
Yes — the de-identifier has no runtime network dependencies, so once the page is loaded you can disconnect and keep redacting. The one exception is the first time you activate a Pro license key, which makes a single call to verify it (never your clinical text). After that, Pro stays unlocked offline too.
Yes. The report is meant for your own audit trail — showing exactly what was redacted and what it was replaced with — and it necessarily includes the original values. The download stays on your machine, but you should treat the file as PHI: don't paste it into a non-BAA tool, don't share it unencrypted, and delete it when you're done. The export button asks for confirmation before downloading, and the file itself starts with a warning header.
Each category is replaced with a bracketed token: [NAME], [DATE], [MEDICAL_RECORD_/_ACCOUNT_#], etc. Tokens are deterministic, so if the same value appears multiple times, it gets the same token. The report shows every replacement.
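A sketch of how pattern-based redaction with bracketed tokens, a per-match report, and a "second look" list can fit together. This is an added example, not the tool's own code: the rules, the sample note, and every token name other than [NAME], [DATE] and [MEDICAL_RECORD_/_ACCOUNT_#] are constructed assumptions and cover far fewer cases than the categories listed above.

```javascript
// Hypothetical rule set for illustration only (not the tool's detection rules).
const RULES = [
  { category: "NAME", re: /\b(?:Dr|Mr|Mrs|Ms)\.?\s+[A-Z][a-z]+(?:\s+[A-Z][a-z]+)?/g },
  { category: "DATE", re: /\b\d{1,2}\/\d{1,2}\/\d{2,4}\b/g },
  { category: "SSN", re: /\b\d{3}-\d{2}-\d{4}\b/g },
  { category: "PHONE", re: /\b\d{3}[-.]\d{3}[-.]\d{4}\b/g },
  { category: "MEDICAL_RECORD_/_ACCOUNT_#", re: /\bMRN[:#\s]*\d{5,10}\b/gi },
  // Safe Harbor only requires removing ages of 90 and over.
  { category: "AGE_90_PLUS", re: /\b(?:9\d|1[0-4]\d)(?=[- ]?(?:year|yo\b|y\/o))/g },
];

// Constructed sample note; every value in it is fictional.
const NOTE =
  "Mrs. Ada Quill, 93-year-old, MRN: 00482913, seen 03/14/2024. " +
  "Her daughter Nora Quill called 555-010-1234. " +
  "Follow up with Mrs. Ada Quill on 04/02/2024.";

function deidentify(text) {
  // Collect matches from all rules against the ORIGINAL text first, so one
  // rule's replacement token can never be re-matched by another rule.
  const hits = [];
  for (const { category, re } of RULES) {
    for (const m of text.matchAll(re)) {
      hits.push({ category, original: m[0], start: m.index, end: m.index + m[0].length });
    }
  }
  // Resolve overlaps: earliest start wins, longer match breaks ties.
  hits.sort((a, b) => a.start - b.start || b.end - a.end);

  let out = "", pos = 0;
  const report = []; // holds original values, so the report itself is PHI
  for (const h of hits) {
    if (h.start < pos) continue; // inside a span that is already redacted
    const token = `[${h.category}]`; // same value always maps to the same token
    out += text.slice(pos, h.start) + token;
    report.push({ category: h.category, original: h.original, replacedWith: token });
    pos = h.end;
  }
  out += text.slice(pos);

  // "Second look": runs of capitalized words that survived every rule.
  const leftover = out.matchAll(/\b[A-Z][a-z]+(?:\s+[A-Z][a-z]+)+\b/g);
  const secondLook = [...new Set([...leftover].map((m) => m[0]))];
  return { text: out, report, secondLook };
}
```

On the sample note, the untitled name "Nora Quill" matches no rule and is returned in `secondLook` rather than redacted, which is the manual-review case the page describes.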
A clinician who got tired of seeing colleagues paste real patient charts into consumer AI products "just this once." If you've seen the PHI footer on my posts, that's me.