The 18 HIPAA Identifiers
HIPAA's Privacy Rule defines 18 types of identifiers that constitute Protected Health Information (PHI). SafeRedact is not HIPAA compliant — users are solely responsible for regulatory compliance.
1. Names
Full, first, last, maiden names
2. Geographic Data
Addresses, cities, zip codes
3. Dates
Birth, admission, discharge, death
4. Phone Numbers
All telephone numbers
5. Fax Numbers
All fax numbers
6. Email Addresses
All email addresses
7. SSN
Social Security numbers
8. Medical Record #
MRN and chart numbers
9. Health Plan ID
Beneficiary numbers
10. Account Numbers
Financial account numbers
11. License Numbers
Certificates, licenses
12. Vehicle IDs
VIN, license plates
13. Device IDs
Medical device serials
14. URLs
Web URLs
15. IP Addresses
Internet protocol addresses
16. Biometric IDs
Fingerprints, voiceprints (non-text)
17. Photos
Full-face photos (image-based)
18. Other Unique IDs
Any unique code or number
AI-detected | Non-text (requires manual review)
How HIPAA Redaction Works
Upload Your Document
Drop a medical record, insurance claim, or healthcare document into SafeRedact. Your file stays in your browser - it's never uploaded to our servers.
AI Detects PHI
Our AI (powered by Claude) scans for all HIPAA identifiers: patient names, dates of birth, SSNs, addresses, medical record numbers, and more.
Review & Adjust
See highlighted PHI in your document. Add additional redactions or remove false positives. You're always in control.
Export De-identified Document
Download a clean PDF with permanent, pixel-level redaction. The original PHI is completely removed, not just hidden.
Privacy-First Architecture
When redacting PHI, how your tool handles files matters as much as the redaction itself.
Other Redaction Tools
- Upload entire document to cloud servers
- PHI stored on external servers (even briefly)
- Third-party staff could access documents
SafeRedact
- Files never leave your browser
- Only extracted text sent for AI analysis
- We only see extracted text — never your original files
Important Note for Covered Entities
SafeRedact is not HIPAA compliant and does not offer Business Associate Agreements (BAAs). Users are solely responsible for regulatory compliance. If your organization is a HIPAA covered entity and requires a BAA, please consult with your compliance team before use. Our privacy-first architecture minimizes exposure, but formal compliance requires appropriate agreements.
HIPAA Redaction Use Cases
Medical Records Requests
Redact third-party information before sharing patient records with attorneys or other requesters.
Insurance Claims
Remove patient identifiers from Explanation of Benefits (EOB) or claims documents.
Research & Studies
De-identify patient data for research purposes or case studies.
Legal Discovery
Prepare medical records for litigation while protecting non-relevant patient information.
Audit Preparation
Create de-identified samples for compliance audits or training purposes.
Breach Notification
Prepare redacted documents for breach notification reports.
HIPAA De-Identification: Two Legal Methods
The HIPAA Privacy Rule (45 CFR § 164.514) provides two methods for de-identifying protected health information.
Safe Harbor Method (§ 164.514(b))
Remove all 18 HIPAA identifiers and confirm the remaining data cannot be used to identify an individual. This is the most common approach because it provides clear, categorical rules.
When to use: Most standard redaction workflows — sharing records for research, responding to subpoenas, inter-facility transfers of de-identified data.
SafeRedact approach: AI detects the 18 identifier categories automatically. You review, confirm, and redact permanently.
Expert Determination (§ 164.514(a))
A qualified statistical or scientific expert determines that the risk of identifying an individual from the remaining data is "very small." The expert must document their methods and results.
When to use: When you need to retain more data elements than Safe Harbor allows — typically for clinical research or population health studies.
Note: Requires hiring a qualified expert. More flexible but more expensive and slower than Safe Harbor.
HIPAA Penalty Tiers
The HHS Office for Civil Rights (OCR) enforces HIPAA with a four-tier penalty structure based on culpability.
Tier 1: Did Not Know ($137–$68,928 per violation)
The covered entity was unaware and could not have reasonably known. Annual max: $2.07M.
Tier 2: Reasonable Cause ($1,379–$68,928 per violation)
Due to reasonable cause, not willful neglect. Should have known but wasn't intentional. Annual max: $2.07M.
Tier 3: Willful Neglect (Corrected) ($13,785–$68,928 per violation)
Due to willful neglect, corrected within 30 days of discovery. Annual max: $2.07M.
Tier 4: Willful Neglect (Not Corrected) ($68,928–$2.07M per violation)
Not corrected within 30 days. Criminal penalties may also apply — up to $250K and 10 years for knowing misuse of PHI.
Penalty amounts reflect 2024 inflation adjustments per 45 CFR § 160.404.
BAA Requirements and SafeRedact
Understanding when a Business Associate Agreement is — and isn't — required.
Important Disclaimer
SafeRedact is not HIPAA compliant. Extracted text from your documents is sent to a third-party AI provider (Anthropic) for PII classification.
It is the user's sole responsibility to determine whether SafeRedact is appropriate for documents containing PHI or other regulated data.
When You Still Need a BAA
If your compliance team determines that text extraction constitutes "access to PHI," a BAA may be required. Consult your HIPAA compliance officer.
SafeRedact does not offer BAAs or HIPAA compliance at any tier. Contact us to discuss.
Pricing
Pay when you need it
Try free with watermark. Remove it when you're ready.
24 hours from purchase
Get Day Pass
Unlimited documents
One-time purchase
Cancel anytime
Subscribe — $29/mo
Unlimited documents
Cancel or change anytime
Bulk DSAR & compliance for teams that process thousands of documents.
Or try free with watermark — no signup required.
HIPAA Redaction FAQ
Is SafeRedact HIPAA compliant?
No. SafeRedact is not HIPAA compliant and does not offer Business Associate Agreements (BAAs). Users are solely responsible for determining whether SafeRedact meets their regulatory requirements.
What types of PHI does SafeRedact detect?
SafeRedact's AI detects common PHI types including names, addresses, dates, SSNs, MRNs, phone numbers, emails, and account numbers. Organizations should verify detection meets their specific requirements. Biometric identifiers and photographs require manual review as they are non-text elements.
Can SafeRedact handle scanned medical records?
Yes. SafeRedact includes OCR (optical character recognition) to extract text from scanned documents and images. The AI then analyzes the extracted text for PHI.
Is the redaction permanent?
Yes. SafeRedact creates pixel-level redactions that permanently remove the underlying content. The redacted information cannot be recovered or extracted from the output file.
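The two FAQ answers above on detection coverage and permanence can be checked on your own output: extract the text layer of the exported file with a PDF text extractor of your choice and scan it for residual identifiers. The script below is an added example, not SafeRedact's code; the patterns, the `[REDACTED]` marker and the sample text are constructed assumptions.

```python
import re

# Text-detectable identifier categories, keyed by this page's numbering.
# Illustrative US-format patterns (assumptions), not a complete Safe Harbor rule set;
# names, addresses and non-text identifiers still need the human review step.
OCTET = r"(?:25[0-5]|2[0-4]\d|1?\d?\d)"
PATTERNS = {
    "3. Dates": re.compile(r"\b(?:0?[1-9]|1[0-2])[/-](?:0?[1-9]|[12]\d|3[01])[/-](?:19|20)\d{2}\b"),
    "4. Phone Numbers": re.compile(r"(?<!\d)(?:\(\d{3}\)\s?|\d{3}[-.\s])\d{3}[-.\s]\d{4}(?!\d)"),
    "6. Email Addresses": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
    "7. SSN": re.compile(r"(?<!\d)\d{3}-\d{2}-\d{4}(?!\d)"),
    "8. Medical Record #": re.compile(r"\bMRN[:#\s]*\d{5,10}\b", re.I),
    "14. URLs": re.compile(r"\bhttps?://[^\s<>\"]+", re.I),
    "15. IP Addresses": re.compile(rf"(?<![\d.]){OCTET}(?:\.{OCTET}){{3}}(?![\d.])"),
}

def residual_identifiers(text):
    """Return (category, matched_text, offset) for every hit, in document order."""
    hits = [
        (category, m.group(0), m.start())
        for category, pattern in PATTERNS.items()
        for m in pattern.finditer(text)
    ]
    return sorted(hits, key=lambda h: h[2])

def summarize(text):
    """Count hits per category; an empty dict means no pattern matched."""
    counts = {}
    for category, _, _ in residual_identifiers(text):
        counts[category] = counts.get(category, 0) + 1
    return counts

# Constructed sample: text layer of a record before redaction ...
BEFORE = """Patient: Jane Roe  DOB: 03/14/1962  MRN: 00482913
SSN 123-45-6789  Phone (555) 201-7788  jane.roe@example.org
Portal: https://portal.example.org/p/991 from 10.20.30.40"""

# ... and of an export where one identifier was missed during review.
AFTER_MISSED = """Patient: [REDACTED]  DOB: [REDACTED]  MRN: [REDACTED]
SSN [REDACTED]  Phone [REDACTED]  [REDACTED]
Portal: [REDACTED] from 10.20.30.40"""

if __name__ == "__main__":
    print("before:", summarize(BEFORE))
    for category, value, offset in residual_identifiers(AFTER_MISSED):
        print(f"RESIDUAL {category!r} at offset {offset}: {value}")
```

A clean result only shows that none of these patterns matched the extracted text. Scanned pages and images carry no text layer, so they still need a visual check.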
Important: SafeRedact is not HIPAA compliant and does not offer Business Associate Agreements (BAAs). It is the user's sole responsibility to determine whether SafeRedact is appropriate for their use case and regulatory requirements. This page is for educational purposes only.