You might need to share a medical record with a new specialist for a second opinion, with an attorney evaluating a potential malpractice case, with your insurance company for an appeal, or with a family member helping you coordinate care. In every case, you likely want to share only what's relevant — not the full record of your medical history.
You own your records once you receive them, and you have the right to redact before sharing. The question is what to redact, and how to do it in a way that's actually secure — because drawing a black rectangle over text in Preview or Adobe Reader typically leaves the underlying text extractable, which has caused high-profile PHI leaks in court filings.
HIPAA's Safe Harbor method (45 CFR 164.514(b)(2)) is the clearest checklist for de-identifying PHI. Remove all 18 of these identifiers and the record is no longer considered protected health information under federal law. Most people won't need to strip all 18 — you're usually redacting selectively, not anonymizing — but the list is the gold standard for "what counts as PHI."
Keep: Diagnoses, test results, imaging reports, treatment history, medication list, clinically relevant dates (shift by days if concerned).
Redact: Your name, full DOB, MRN, address, phone, email, insurance ID, photos, anything non-clinical.
Keep: Dates of care, provider names, diagnoses, treatment timeline.
Redact: Personal contact info, SSN, insurance account numbers. After retaining counsel, share the full record under privilege.
Keep: Everything the insurer needs to adjudicate — your name, policy #, claim #, dates of service, diagnoses, codes.
Redact: Records unrelated to the claim under appeal, especially mental-health or SUD records if not relevant.
Keep: Provider contact info, diagnoses, medication list, care plan details.
Redact: SSN, financial info, information you haven't consented to share (mental-health, reproductive health, substance use).
Some PHI categories get extra protection under federal law and are worth extra care:
Open the PDF, draw boxes over PHI, export a truly redacted file. Nothing uploaded, nothing stored, nothing seen by FilePulp.
Most free PDF tools upload your file to a remote server for processing. For a cat photo, that's fine. For a medical record, it's a categorical privacy problem. Even if the service promises to delete files after processing, your PHI has traveled across the internet and existed on a third-party server — subject to their retention policies, their breach history, and the jurisdiction their servers happen to sit in.
FilePulp takes the opposite approach. The redaction tool is a JavaScript and WebAssembly application that runs entirely inside your browser, using pdf.js to read the document and pdf-lib to write it back out. Your file is handed to the browser's memory, never transmitted over the network. You can verify this by opening DevTools → Network before uploading your record; no outbound request ever contains the file's contents. You can even disconnect from the internet after the page loads and the tool will continue to work.
FilePulp is not a HIPAA business associate and has no Business Associate Agreement (BAA). It also doesn't need one: your records never reach us. The legal framework for business associates exists because traditional SaaS handles PHI on behalf of covered entities. FilePulp's architecture makes this category of risk inapplicable by design.
Yes. You own your records once you receive them. You can redact any information before sharing with a lawyer, second-opinion doctor, insurer, or family member. HIPAA governs how covered entities (hospitals, doctors, insurers) handle your PHI — it does not restrict your own use of your records.
The Safe Harbor method is one of two ways to de-identify PHI under 45 CFR 164.514(b)(2). It requires removing 18 specific identifier categories (see the box above). Once all 18 are removed, the record is no longer protected health information. For selective redaction (sharing with a specific person, not publishing), you typically won't need to strip all 18 — but the list is the standard reference for what counts as PHI.
No. Everything runs in your browser. No file data is ever transmitted to FilePulp or any server. You can verify this by opening DevTools → Network tab — no outbound request contains your file content.
No. On export, each page is flattened into a high-quality image, physically destroying the text under your redaction boxes. The original text cannot be copy-pasted, searched, or extracted. This is true redaction — not a black rectangle hiding recoverable text.
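A way to check the difference between a covering rectangle and a flattened page, as an added example that is not FilePulp's code: it lists the strings a PDF page content stream still draws with text operators. Both sample streams are constructed, and the scanner assumes uncompressed streams with literal `( )` strings; real files usually need stream decompression and font decoding first.

```javascript
// Constructed sample: text is drawn, then a black rectangle is painted over it.
const covered = [
  "BT /F1 12 Tf 72 700 Td (Patient: Jane Sample) Tj ET",
  "BT /F1 12 Tf 72 680 Td [(MRN ) -20 (00\\(12\\)34)] TJ ET",
  "0 0 0 rg 70 675 200 40 re f",
].join("\n");
// Constructed sample: a flattened page only paints one image XObject.
const flattened = "q 612 0 0 792 0 0 cm /Im0 Do Q";

// Read a literal string starting at s[i] === "(", honouring nesting and
// backslash escapes (simplified: the escaped character is kept as-is).
function readLiteral(s, i) {
  let depth = 0, out = "";
  for (; i < s.length; i++) {
    const c = s[i];
    if (c === "\\") { out += s[++i]; continue; }
    if (c === "(" && depth++ === 0) continue;
    if (c === ")" && --depth === 0) return { text: out, end: i + 1 };
    out += c;
  }
  throw new Error("unterminated string");
}

// Return every string still shown by a text operator (Tj, TJ, ', ").
function extractShownText(stream) {
  const shown = [];
  let pending = []; // string operands seen since the last operator
  let i = 0;
  while (i < stream.length) {
    const c = stream[i];
    if (c === "(") {
      const lit = readLiteral(stream, i);
      pending.push(lit.text);
      i = lit.end;
    } else if (/[A-Za-z'"]/.test(c)) {
      let j = i;
      while (j < stream.length && /[A-Za-z0-9'"*]/.test(stream[j])) j++;
      const op = stream.slice(i, j);
      if (["Tj", "TJ", "'", '"'].includes(op) && pending.length) shown.push(pending.join(""));
      pending = [];
      i = j;
    } else i++;
  }
  return shown;
}

console.log(extractShownText(covered));   // text survives under the rectangle
console.log(extractShownText(flattened)); // nothing left to extract
```

An empty result on every page of the exported file is what a flattened export should produce; any returned string means text is still present in the document.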
Discuss with your attorney first. Most plaintiff's attorneys prefer unredacted records for their own review under attorney-client privilege, and redact opposing-counsel copies themselves. For informal second opinions or when the attorney specifically asks you to redact, this tool is appropriate.
No, and it doesn't need one. Business Associate Agreements apply when a vendor processes PHI on behalf of a covered entity. FilePulp's tool runs entirely client-side — your file never reaches our infrastructure, so the BAA framework isn't applicable. For organizations that require a BAA for compliance reasons despite this architecture, FilePulp isn't the right fit; use an on-premise enterprise redaction tool instead.