Private Redaction

Guide · 7 min read

GDPR and HIPAA redaction: what "redacted" has to mean for compliance

Under GDPR and HIPAA, a redaction that merely covers the data is still a disclosure — and, if it's found, a reportable breach. Here's what proper redaction actually requires, and how to check it held.

This is general information, not legal advice. Requirements depend on your jurisdiction, role and data. Consult your DPO, privacy officer or counsel for your situation.

In a compliance context, redaction isn't a formatting choice — it's the line between a lawful disclosure and a breach. And the failure mode is exactly the same one that trips everyone else up: covering data instead of removing it. If the personal data or health information is still present in the file, it hasn't been redacted. It's been disclosed with a black rectangle on top.

GDPR: covered data is still personal data

Under the GDPR, information only leaves scope when it is genuinely anonymised — when the individual can no longer be identified from it. Black bars over live text don't anonymise anything; the data is still there and still recoverable, so it's still personal data and still your responsibility.

This bites most often in two places:

HIPAA: PHI has to actually be gone

For protected health information, HIPAA's de-identification standard recognises two routes: Safe Harbor (removing the 18 specified identifiers — names, dates, contact details, record numbers, and so on) or Expert Determination. Either way, the identifiers have to be removed. A redaction that leaves the underlying text recoverable hasn't removed anything, so the PHI is still disclosed — an impermissible disclosure that can trigger breach notification.

What compliant redaction requires

  1. Remove, don't cover. The content must be gone from the file — not selectable, searchable, or retrievable by OCR or inspecting the file's structure.
  2. Deal with the hidden layers. Metadata, tracked changes, comments and hidden text carry identifiers too. Strip them.
  3. Verify every output. Copy-paste the redacted zones, OCR the file, and confirm nothing survives. Make it a routine step, not a spot check.
  4. Control who processes the data. If you send documents to a third-party service to redact them, you've shared personal data or PHI with a processor — which generally needs the right contractual footing (a GDPR processor agreement, or a HIPAA Business Associate Agreement) and adds a place the data can be exposed.
  5. Keep it demonstrable. Being able to show how a document was handled matters as much as the redaction itself.

The processing question people miss

Redaction increasingly involves AI to find the identifiers — and that usually means sending the text to someone else's servers, which is precisely the kind of third-party exposure the rules care about. Two design choices reduce that exposure:

Private Redaction is built this way: the file is redacted in your browser and never uploaded, and the AI detection step runs in a verified private enclave with a downloadable attestation you can check independently. That reduces the third-party-exposure surface compared with a tool that ships your document to a server.

Be clear about what that does and doesn't do. Reducing exposure is not the same as making you compliant. Automated detection can miss an identifier, so you must review the output. Using the tool is not a substitute for your own compliance programme, and it does not by itself provide a Business Associate Agreement or a processor contract. For anything regulated, treat it as one control among several, and get advice specific to your obligations.

Takeaways

Private Redaction keeps your file on your device and runs the AI step in a verified private enclave, with a downloadable attestation receipt. Free, in your browser. Review the output before relying on it — it's a tool, not legal advice.