Privacy & Security

How Veridax protects PHI

Veridax audits Medicare DME documentation without storing, transmitting, or retaining Protected Health Information in raw form. This page describes the technical controls that make that true — not as marketing, but as architecture.

01 · Core Principle

PHI never leaves the browser in raw form.

This is a technical constraint, not a policy. Before any clinical note reaches our servers, it is redacted in your browser by code running locally on your device. Even if our servers were compromised, the raw PHI was never there to leak.

Policies can be broken by accident, insider action, or misconfiguration. Architecture that never receives the data in the first place cannot leak it.

02 · Two-Stage PHI Scrubbing

How Auto-Scrub actually works

When you click Auto-Scrub PHI, the note goes through two sequential passes. The raw note is never transmitted — only the already-redacted output of Stage 1 is sent anywhere.

Stage 1 · Client-Side Regex

Runs entirely in your browser. Never transmitted.

Eight regular-expression patterns match structured PHI — Social Security numbers, phone numbers, email addresses, dates of birth, Medical Record Numbers, NPIs, ZIP codes, and labeled patient names — and replace each match with a bracketed placeholder like [REDACTED-SSN]. This code runs in JavaScript on your device. Nothing is sent to Veridax at this stage.

Stage 2 · AI on Already-Redacted Text

Catches narrative PHI the regex can't.

The output of Stage 1 — already scrubbed of structured identifiers — is sent over TLS to a serverless function that calls an AI model to catch free-text PHI: physician names in prose, facility names, street-level geographic references, and other identifiers that don't match a fixed pattern. The model returns a further-redacted note, which replaces the textarea content. The original unredacted text never leaves your device.
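
The Stage 2 endpoint described above, written out as an added example (this is not Veridax's own function): a Netlify-style handler that accepts the already-redacted note, reads the model API key from the function's environment only, processes the note in memory, logs byte counts and latency but never note contents, and returns the further-redacted text. The model call is injected as `callModel(apiKey, note)` so the handler can be exercised offline; in production that argument would wrap the real AI client. The environment variable name `ANTHROPIC_API_KEY`, the JSON field names `note` and `redacted`, and the 64 KiB size cap are assumptions, not values from the page.

```javascript
// Added example, not Veridax's code: the shape of a serverless Stage 2 function.
// Assumed names: ANTHROPIC_API_KEY (env var), "note" / "redacted" (JSON fields).

const MAX_NOTE_BYTES = 64 * 1024; // assumed cap on a single scrubbed note

// Small helper for Netlify-style JSON responses.
function json(statusCode, body) {
  return {
    statusCode,
    headers: { "content-type": "application/json" },
    body: JSON.stringify(body),
  };
}

// Synchronous request validation, kept separate so it is easy to unit test.
// Returns { ok: true, note } or { ok: false, response }.
function validateStage2Request(event) {
  if (event.httpMethod !== "POST") {
    return { ok: false, response: json(405, { error: "POST only" }) };
  }
  let parsed;
  try {
    parsed = JSON.parse(event.body || "");
  } catch {
    return { ok: false, response: json(400, { error: "body must be JSON" }) };
  }
  const note = parsed && parsed.note;
  if (typeof note !== "string" || note.trim() === "") {
    return { ok: false, response: json(400, { error: "note (string) is required" }) };
  }
  if (Buffer.byteLength(note, "utf8") > MAX_NOTE_BYTES) {
    return { ok: false, response: json(413, { error: "note too large" }) };
  }
  return { ok: true, note };
}

// Handler: (event, callModel) => Promise<response>. `callModel(apiKey, note)`
// performs the AI redaction pass; a real client is passed in production.
async function stage2Handler(event, callModel) {
  const v = validateStage2Request(event);
  if (!v.ok) return v.response;

  // The key exists only in the function's environment. It is never placed in
  // a response body or shipped to the browser.
  const apiKey = process.env.ANTHROPIC_API_KEY; // assumed variable name
  if (!apiKey) return json(500, { error: "server misconfigured" });

  const started = Date.now();
  const redacted = await callModel(apiKey, v.note); // in-memory only

  // Log metadata only: sizes and latency, never the note or its redacted form.
  console.log(JSON.stringify({
    fn: "stage2",
    inBytes: Buffer.byteLength(v.note, "utf8"),
    outBytes: Buffer.byteLength(redacted, "utf8"),
    ms: Date.now() - started,
  }));
  return json(200, { redacted });
}
```

Splitting validation from the model call is the point of the layout: method, shape and size checks are cheap, synchronous and testable without credentials, and everything that touches the note after that point lives in one short function that is easy to audit for accidental persistence or logging.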

03 · Security Controls

What we enforce

Control | Detail
--- | ---
No PHI storage | Notes are processed in-memory during a single request and discarded. No database writes, no logs containing note contents.
No patient database | Veridax has no patient records table and no concept of a "patient account." There is nothing to query, export, or breach.
TLS encryption in transit | All requests to veridax.ai and to our AI provider use TLS 1.2+. Connections without valid certificates are refused.
Auto-Scrub gate enforcement | The Run Compliance Audit button is disabled until a clean scrub pass confirms the textarea contains no detected PHI. Editing the note after a clean pass re-locks the gate.
No third-party data sharing | Scrubbed text is shared only with our AI provider (Anthropic) for audit analysis. We do not sell, rent, or syndicate clinical content to anyone.
Serverless architecture | Audit functions run on Netlify Functions — ephemeral containers that spin up per request. No long-lived servers with persistent local state.
API key never exposed to browser | The Anthropic API key is set as a server-side environment variable on Netlify. It is never bundled into the HTML, never sent to the client, and never retrievable by inspecting the page.

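
The Stage 1 client-side pass from section 02 and the Auto-Scrub gate from the table above, as one added example that is not Veridax's own code: a browser-side scrubber with one regular expression per category the page lists (SSN, phone, email, labeled date of birth, MRN, NPI, ZIP, labeled patient name), each match replaced with a `[REDACTED-…]` placeholder, plus a small gate object that only unlocks the audit when a detection pass over the scrubbed output finds nothing and re-locks on any edit. The exact regexes, the placeholder tags, the `createAuditGate` API and the sample note are assumptions constructed for illustration; a real deployment tunes the patterns to its own note formats.

```javascript
// Added example, not Veridax's code: Stage 1 scrubber plus the Auto-Scrub gate.
// Regexes, placeholder tags and the gate API are illustrative assumptions.

const PHI_PATTERNS = [
  // Social Security numbers: 123-45-6789 or 123 45 6789
  { tag: "SSN",   re: /\b\d{3}[- ]\d{2}[- ]\d{4}\b/g },
  // US phone numbers: (555) 867-5309, 555-867-5309, 555.867.5309
  { tag: "PHONE", re: /\(?\b\d{3}\)?[-. ]\d{3}[-. ]\d{4}\b/g },
  // Email addresses
  { tag: "EMAIL", re: /\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b/g },
  // Dates of birth, only when labeled ("DOB: 03/14/1951"); the label is kept
  { tag: "DOB",   re: /(?<=\b(?:DOB|Date of Birth)\s*:?\s*)\d{1,4}[\/-]\d{1,2}[\/-]\d{1,4}\b/gi },
  // Medical Record Numbers, labeled ("MRN: 00887712")
  { tag: "MRN",   re: /(?<=\bMRN\s*:?\s*)[A-Z0-9-]{4,}\b/gi },
  // NPI: ten digits following an "NPI" label
  { tag: "NPI",   re: /(?<=\bNPI\s*:?\s*)\d{10}\b/gi },
  // ZIP codes: 5 or 9 digits after a "ZIP" label or an uppercase state code ("IL 62704").
  // An unrelated "XX 12345" also matches, which errs toward over-redaction.
  { tag: "ZIP",   re: /(?<=\bZIP\s*:?\s*|\b[A-Z]{2}\s+)\d{5}(?:-\d{4})?\b/g },
  // Labeled patient names ("Patient: Jane Q. Doe"): capitalised words or initials only,
  // so an all-caps field label such as DOB that follows the name is not swallowed.
  { tag: "NAME",  re: /(?<=\bPatient(?:\s+Name)?\s*:\s*)[A-Z][a-z'-]+(?:\s+[A-Z](?:[a-z'-]+|\.)){1,3}/g },
];

// Stage 1: replace every match with a bracketed placeholder; runs in the browser.
function scrubStage1(text) {
  const counts = {};
  let out = text;
  for (const { tag, re } of PHI_PATTERNS) {
    re.lastIndex = 0;
    out = out.replace(re, () => {
      counts[tag] = (counts[tag] || 0) + 1;
      return `[REDACTED-${tag}]`;
    });
  }
  return { text: out, counts };
}

// Detection-only pass used by the gate: true if any pattern still matches.
function containsStructuredPhi(text) {
  return PHI_PATTERNS.some(({ re }) => {
    re.lastIndex = 0; // /g regexes carry state between calls to test()
    return re.test(text);
  });
}

// The gate: the audit stays disabled until a scrub produces output with no
// detections, and any edit after a clean pass re-locks it.
function createAuditGate() {
  let unlocked = false;
  let clearedText = null;
  return {
    scrub(text) {
      const result = scrubStage1(text);
      unlocked = !containsStructuredPhi(result.text);
      clearedText = unlocked ? result.text : null;
      return result;
    },
    onEdit(currentText) {
      if (currentText !== clearedText) { unlocked = false; clearedText = null; }
    },
    canRunAudit() { return unlocked; },
  };
}

// Constructed sample note with fictional identifiers, one of each category.
const SAMPLE_NOTE = [
  "Patient: Jane Q. Doe  DOB: 03/14/1951  MRN: 00887712",
  "Phone (555) 867-5309, email jane.doe@example.com, SSN 123-45-6789.",
  "Ordering physician NPI 1234567890. Resides in Springfield, IL 62704.",
  "Requires CPAP; AHI of 18 on overnight study.",
].join("\n");

// In a page this wires up as: scrub button -> gate.scrub(textarea.value),
// textarea "input" event -> gate.onEdit(textarea.value), and
// auditButton.disabled = !gate.canRunAudit() after each of those.
if (typeof require !== "undefined" && require.main === module) {
  const gate = createAuditGate();
  const { text, counts } = gate.scrub(SAMPLE_NOTE);
  console.log(text);
  console.log(counts, "audit enabled:", gate.canRunAudit());
}
```

Two design points carry over to any implementation of this stage: the gate decides on a separate detection pass over the scrubbed output rather than trusting that the replacement loop ran, and the placeholders are chosen so that no pattern can match them, which is what makes a second pass over already-scrubbed text come back clean.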
04 · What Veridax Does Not Do

Commitments, stated as absences

05 · User Responsibilities

What we need from you

No privacy system is complete on the vendor side alone. A few responsibilities stay with you:

  1. Run Auto-Scrub before every audit. The button is gated for a reason — please don't work around it. If you paste a new note or edit a scrubbed one, re-scrub before submitting.
  2. Review audit results before acting on them. Veridax identifies documentation gaps against published LCD criteria; it does not practice medicine or adjudicate claims. A human clinician or compliance officer must review findings before any billing or clinical decision.
  3. Report concerns to privacy@veridax.ai. If you believe PHI was handled incorrectly, a scrubber pattern missed something, or you have a privacy question, email us directly. We respond within two business days.

06 · HIPAA Context

Safe Harbor, and honest limits

HIPAA's Safe Harbor method (45 CFR 164.514(b)(2)) defines 18 categories of identifiers that must be removed for data to be considered de-identified, along with a requirement that the covered entity have no actual knowledge that the remaining information could identify an individual. Our two-stage scrubber targets the Safe Harbor identifier list and is designed to remove each category.

That said — we want to be direct with you:

Automated scrubbing is not certified Safe Harbor de-identification. No algorithm can guarantee that 100% of PHI is caught in all possible clinical narratives, and Veridax has not been audited by a qualified expert under the Expert Determination method. You remain responsible, as a covered entity or business associate, for confirming that the data you submit is appropriate for the tool. When in doubt, redact manually before pasting.