Patient Privacy & PHI De-Identification Policy
This page explains how Notomed's Note Summarizer handles data, how PHI is scrubbed client-side, and why our "Date Shifting" technique protects patient identity while preserving clinical context.
Patient privacy is the core priority of this web application. Notomed.dev's Note Summarizer performs all patient health information (PHI) removal **directly in your browser**.
This ensures that no identifiable patient information is ever stored, logged, or transmitted to any server or third-party API.
Executive Summary
- **Client-Side Only:** All scrubbing happens on your device before data transmission.
- **Date Shifting:** Dates are mathematically shifted to fake dates to hide the actual time of service while preserving clinical timelines.
- **Hard Redaction:** Names, phone numbers, and IDs are permanently removed.
- **No Retention:** No patient information is stored, logged, or used for training.
How We De-Identify Data
Before any text is sent to the AI model, our client-side engine processes your note through three distinct layers of protection:
1. Hard Redaction (Removal)
The following direct identifiers are detected via pattern recognition and replaced with generic placeholders (e.g., [REDACTED_NAME]):
- Patient Names (Mr. Salvador → [REDACTED_NAME])
- Relatives' Names (e.g., Sister Jane → [REDACTED_NAME])
- Phone Numbers & Emails
- Medical Record Numbers (MRN), SSNs, Account IDs
- Home Addresses & ZIP Codes
2. Date Shifting (Obfuscation)
To allow the AI to understand the progression of illness (e.g., "Creatinine rose over 3 days"), we do not simply delete dates. Instead, we use **Date Shifting**.
- A random "offset" (e.g., -42 days) is generated for each session.
- Every date in the document is shifted by that exact amount.
- **Result:** The AI sees a coherent timeline, but the dates (e.g., "Sept 15, 2025") do not correspond to the patient's actual hospital visit, preventing re-identification via admission logs.
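The per-session shift described in the steps above, as an added example that is not Notomed's own code. The function names, the ±180-day range, the three date formats recognised, and the `[REDACTED_DATE]` placeholder for impossible dates are all assumptions made for illustration.

```javascript
const DAY_MS = 86400000;
const MONTHS = ["Jan","Feb","Mar","Apr","May","Jun","Jul","Aug","Sep","Oct","Nov","Dec"];
// Assumed formats: ISO (2025-10-27), US numeric (10/27/2025), month name (Nov 3, 2025).
const DATE_RE = new RegExp(
  String.raw`\b(?:(?<iy>\d{4})-(?<im>\d{2})-(?<id>\d{2})` +
  String.raw`|(?<um>\d{1,2})/(?<ud>\d{1,2})/(?<uy>\d{4})` +
  String.raw`|(?<mn>Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec)[a-z]*\.? (?<md>\d{1,2}), (?<my>\d{4}))\b`,
  "g");

// One offset per session from the browser CSPRNG: a non-zero integer in [-maxDays, maxDays].
function newSessionOffset(maxDays = 180) {
  const buf = new Uint32Array(1);
  const span = 2 * maxDays;
  const limit = Math.floor(2 ** 32 / span) * span; // rejection bound, avoids modulo bias
  do { globalThis.crypto.getRandomValues(buf); } while (buf[0] >= limit);
  const n = (buf[0] % span) - maxDays;             // -maxDays .. maxDays - 1
  return n >= 0 ? n + 1 : n;                       // skip 0 so dates always move
}

const pad = (n) => String(n).padStart(2, "0");

// Shift every recognised date by the same offset so intervals between dates are preserved.
function shiftDates(text, offsetDays) {
  return text.replace(DATE_RE, (...args) => {
    const g = args[args.length - 1];               // named groups are the last argument
    const y = Number(g.iy ?? g.uy ?? g.my);
    const m = g.mn ? MONTHS.indexOf(g.mn) : Number(g.im ?? g.um) - 1;
    const d = Number(g.id ?? g.ud ?? g.md);
    const src = new Date(Date.UTC(y, m, d));       // UTC arithmetic, no DST surprises
    // Impossible dates (e.g. 2/30/2025) roll over inside Date. Fail closed:
    // redact instead of passing the original text through unshifted.
    if (src.getUTCMonth() !== m || src.getUTCDate() !== d) return "[REDACTED_DATE]";
    const out = new Date(src.getTime() + offsetDays * DAY_MS);
    const oy = out.getUTCFullYear(), om = out.getUTCMonth(), od = out.getUTCDate();
    if (g.iy) return `${oy}-${pad(om + 1)}-${pad(od)}`;   // keep the input's style
    if (g.uy) return `${om + 1}/${od}/${oy}`;
    return `${MONTHS[om]} ${od}, ${oy}`;
  });
}

// Constructed sample note, not real patient data.
const SAMPLE_NOTE =
  "Admitted 2025-10-27. Creatinine 1.1 on 10/27/2025, 2.4 on 10/30/2025. Follow-up Nov 3, 2025.";
```

Calling `shiftDates(SAMPLE_NOTE, newSessionOffset())` once per session keeps the 3-day creatinine interval intact while every calendar date changes; dates in formats outside the three patterns are not touched and need their own handling.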
3. Provider & Facility Handling
Physician names (e.g., "Dr. Smith") and facility names are generally retained to provide clinical context.
**Why this is safe:** A doctor's name is only identifying if combined with a specific date and patient details. By removing the patient's identity and falsifying the dates (via shifting), the provider's name cannot be used to link the note back to a specific patient encounter.
Data Transmission & AI Processing
This application uses OpenAI's advanced language models for summarization.
- **Input:** Only the *scrubbed and date-shifted* text is sent to OpenAI.
- **Training:** We do not opt in to data training. Your inputs are not used to improve OpenAI's models.
- **Logging:** Notomed does not save your notes to a database. Once you close the tab, the data is gone.
HIPAA Compliance & De-Identification
HIPAA describes two methods for de-identification: *Safe Harbor* and *Expert Determination*.
While the "Safe Harbor" method requires the removal of all dates, this tool utilizes a **Date Shifting** approach often used in clinical research. By shifting dates and scrubbing direct identifiers, we render the data unlinkable to the individual while maintaining the utility needed for high-quality clinical summarization.
Because identifiable elements are removed or obfuscated before leaving your device, the payload sent to the AI is not considered Protected Health Information (PHI).
User Responsibility & Disclaimer
Although our scrubber is highly advanced, no automated system is 100% perfect. Users are responsible for:
- Reviewing the scrubbed output (preview) before submission.
- Avoiding the upload of files containing highly sensitive, stigmatized, or non-clinical personal details.
- Ensuring their use of this tool complies with their institution's specific data policies.
Questions or Concerns?
If you have privacy concerns, please contact us via the feedback form on Notomed.dev.
Disclaimer: This document describes the technical measures taken to de-identify data. It does not constitute legal advice. Users are responsible for adhering to their local laws and institutional regulations regarding patient data.