Does this guarantee HIPAA Safe Harbor de-identification?

No. It catches the structured identifiers — dates, MRNs, phones, emails, SSNs, ZIPs, ages over 89, and titled names — but Safe Harbor requires removing all 18 categories including free-text names and locations. A human must review the output before any AI use.

Does my clinical text get uploaded anywhere?

No. All pattern matching runs entirely in your browser. Nothing is sent to a server, logged, or stored, which is essential for PHI.

Why are ages over 89 redacted?

HIPAA treats ages over 89 as identifying because the small population at those ages raises re-identification risk. The tool flags "90 years old" and similar phrasings.

Can it create false positives?

Yes. A 5-digit number can look like a ZIP code, and a capitalized word after "Dr" can be a condition rather than a name. Review the redactions rather than trusting them blindly.

What are the 18 HIPAA identifiers?

They include names, geographic subdivisions smaller than a state, all date elements, phone and fax numbers, emails, SSNs, medical record numbers, account numbers, device identifiers, URLs, IP addresses, biometric identifiers, and full-face photos, among others.

Medical PII Scrubber (HIPAA-Aware)

Medical PII scrubber (HIPAA-aware)

Clinical text is some of the most sensitive data there is, and pasting it into an AI tool without de-identification is a HIPAA problem waiting to happen. This scrubber detects and redacts the structured HIPAA identifiers in clinical notes and records — locally, in your browser — so you can produce a de-identified version for AI analysis.

How it works

Paste a note and the tool runs a set of patterns aligned to the HIPAA Safe Harbor identifier list: dates, medical record numbers, phone and fax numbers, email addresses, Social Security numbers, URLs, IP addresses, ZIP codes, ages over 89, and names following titles like “Patient”, “Mr”, or “Dr”. Each match is replaced with a bracketed token such as [NAME] or [MRN], and you get a per-category count of what was caught. Nothing leaves your browser.

Tips and notes

Not a Safe Harbor guarantee. Patterns catch structured identifiers, but free-text names and locations need a human pass — Safe Harbor demands all 18.
PHI never uploads here. Everything runs locally, which is the only way a browser tool should ever touch protected health information.
Expect some over-redaction. A 5-digit number may be flagged as a ZIP; that’s the safe direction, but check it didn’t mangle clinical values.
Review every output. Treat the result as a strong first pass, then read it before it reaches any AI model.