Patient Privacy & PHI De-Identification Policy

This page explains how the NotoMed.dev Note Summarizer handles data, how PHI is scrubbed, and why this workflow is designed so that protected health information (PHI) is not stored, logged, or sent to third-party APIs.

Patient privacy is the core priority of this web application. NotoMed.dev's Note Summarizer performs all protected health information (PHI) removal directly in your browser, ensuring that no identifiable patient information is ever stored, logged, or transmitted to any server or third-party API.

This document explains how the tool handles data, how PHI is scrubbed, and why this workflow does not require HIPAA compliance.

Executive Summary (what you should know upfront)

  • All PHI scrubbing happens client-side, in your browser.
  • Only a de-identified version of your text is ever sent to the model.
  • No patient information is stored, logged, retained, or used for training.
  • You remain in control of all data — nothing leaves your device until it has been scrubbed.

Data This App Accepts

The Note Summarizer accepts de-identified clinical notes, histories, physical exams, or narrative text for summarization. No patient identifiers are required for the tool to function, and users are encouraged to avoid including identifiable information whenever possible.

However, if PHI is accidentally included, the tool removes it before any processing occurs.

PHI Scrubbing and Handling of Sensitive Information

Before any text is sent to the model, the tool applies an internal PHI-scrubbing layer that identifies and removes common patient identifiers, including but not limited to:

  • Patient names
  • Dates of birth
  • Medical record numbers
  • Contact information
  • Addresses
  • Insurance or account numbers

Provider names are generally not considered patient identifiers under HIPAA and can safely remain in place without increasing patient risk.

How Scrubbing Works

The scrubber uses a hybrid regex and machine-learning system to detect and redact PHI, replacing it with neutral placeholders such as:

  • "the patient"
  • "relative"
  • and other similar generic terms

Where Scrubbing Occurs

All PHI removal happens in the user's browser. The original note never leaves your device in identifiable form.

User-Side Encouraged De-Identification

Although the scrubber performs exhaustive client-side redaction of sensitive information, users are strongly encouraged to:

  • Avoid typing or pasting explicit identifiers.
  • Remove names or MRNs before submitting.
  • Upload only de-identified documents whenever possible.

Uploaded files are scrubbed in the browser before processing. The app can still handle accidentally copied PHI, but minimizing it adds an extra layer of protection.

What Does "Client/User-Side Scrubbing" Mean?

In this context, "client-side" means that:

  • No PHI is transmitted over the internet.
  • No server receives identifiable information.
  • Only the cleaned, de-identified text is sent to the model for summarization.
  • The original text is never stored, saved, logged, or cached by the application.

This design ensures you remain the sole owner of the original content.

Which Language Model Does This Tool Use?

This application uses OpenAI's GPT-5.1 for summarization and structured output. Only de-identified text is sent to the model. No PHI-containing content is ever transmitted to OpenAI or any other third-party API.

App Workflow

  1. You paste or upload note(s).
  2. In your browser, that data is scrubbed of all PHI using the client-side redaction layer.
  3. A cleaned version of each note is generated and then sent to the language model to enable summarization and structured output.
  4. You interact with the cleaned data and structured output within the application.

At the close of each session, all data is discarded. The app does not retain the input notes or generated summaries.
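
The scrub-then-send step of the workflow above, sketched as an added example (not NotoMed.dev's code): a regex-only pass followed by a fail-closed residual check, so a payload exists only when nothing identifier-shaped remains. The patterns, the bracketed placeholders, and the function names are assumptions, and the machine-learning half of the hybrid scrubber is not modelled.

```javascript
// Added example: regex-only sketch of a client-side scrub-then-send gate.
// All patterns and bracketed placeholders are assumptions, not the app's rules.
const RULES = [
  { label: "MRN", to: "[MRN]",
    re: /\b(?:MRN|Medical Record (?:No\.?|Number))\s*[:#]?\s*\d{6,10}\b/gi },
  { label: "DOB", to: "[DOB]",
    re: /\b(?:DOB|Date of Birth)\s*[:\-]?\s*\d{1,2}[\/\-]\d{1,2}[\/\-]\d{2,4}\b/gi },
  { label: "PHONE", to: "[phone]",
    re: /(?:\(\d{3}\)\s?|\b\d{3}[-.\s])\d{3}[-.\s]\d{4}\b/g },
  { label: "EMAIL", to: "[email]",
    re: /\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b/g },
  // Patient-style titles only; "Dr." is left alone, matching the page's
  // statement that provider names may remain.
  { label: "NAME", to: "the patient",
    re: /\b(?:Mr|Mrs|Ms|Miss)\.?\s+[A-Z][a-z]+(?:\s+[A-Z][a-z]+)?/g },
];

// Shapes that should not survive scrubbing. No "g" flag, so test() is stateless.
const RESIDUAL = [
  { label: "long digit run", re: /\b\d{7,}\b/ },
  { label: "date-like", re: /\b\d{1,2}[\/\-]\d{1,2}[\/\-]\d{2,4}\b/ },
  { label: "ssn-like", re: /\b\d{3}-\d{2}-\d{4}\b/ },
];

function scrub(text) {
  const counts = {};
  let out = text;
  for (const { label, re, to } of RULES) {
    out = out.replace(re, () => {
      counts[label] = (counts[label] || 0) + 1;
      return to;
    });
  }
  return { text: out, counts };
}

// Returns a payload only when the residual check is clean (fail closed).
function prepareForModel(rawNote) {
  const { text, counts } = scrub(rawNote);
  const residual = RESIDUAL.filter(({ re }) => re.test(text)).map((r) => r.label);
  return residual.length
    ? { ok: false, residual, counts }
    : { ok: true, payload: text, counts };
}

// Constructed sample input (no real patient data).
const SAMPLE_NOTE =
  "Mrs. Jane Doe, DOB: 04/12/1961, MRN 00482913. Seen by Dr. Patel. " +
  "Callback (555) 010-4477, jane.doe@example.com. BP 132/84.";
console.log(prepareForModel(SAMPLE_NOTE));
```

The residual list deliberately over-matches: an unlabelled date or account number blocks the send and is reported by category, so the user can fix the note locally.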

What This Tool Does Not Do

This app does not:

  • Store or save any user input.
  • Log or track patient information.
  • Send PHI to OpenAI.
  • Retain summaries or cleaned text.
  • Use your content for training.
  • Create user profiles based on note content.
  • Forward data to any third-party service.

Your data is processed once and then discarded.

Does This App Need to Be HIPAA Compliant?

HIPAA compliance is required when PHI is stored, transmitted, or used by a covered entity or business associate. Because the Note Summarizer:

  • Scrubs PHI before transmission.
  • Never stores or forwards identifiable data.
  • Only processes de-identified text.

…it is designed so that the data handled by the model no longer meets HIPAA's definition of PHI.

You may reasonably ask: "But I'm still copying patient notes… how does that not make HIPAA relevant?" The key point is that HIPAA only applies to protected health information (PHI). Because identifiers are removed before any data leaves your device, the text transmitted to the model is no longer considered PHI under HIPAA definitions.

Questions or Concerns?

If you have privacy concerns, suggestions, or feedback, please contact me using the feedback form on NotoMed.dev, and involve your institution's compliance and legal teams for organization-specific guidance.

Disclaimer: This document describes how the tool handles data and de-identification but does not constitute legal advice. Users are responsible for ensuring compliance with their own organization's privacy regulations and applicable laws.