De-identify patient photos. Zero PHI uploads.
Redact faces, tattoos, wristbands and chart labels in clinical photos, and strip the GPS and device data hiding in every phone image — right in your browser. The files never reach our servers.
The rule that governs your vendor stack.
HIPAA defines who counts as a business associate — and when an agreement is required.
A covered entity may disclose protected health information to a business associate… if the covered entity obtains satisfactory assurances… that the business associate will appropriately safeguard the information.
The business-associate model exists because cloud vendors create, receive, maintain, or transmit PHI. keptimage does none of those — clinical images are processed locally in your browser and never reach our servers. Photographs of a patient are themselves an identifier under the Safe Harbor method (§164.514(b)); keptimage helps you remove them. See the HIPAA page for the full architecture argument.
What an uploaded clinical photo can trigger.
HHS OCR enforcement
Civil penalties are tiered by culpability, reaching into the millions per calendar year per category. Each image of a patient can count as a separate record.
60-day breach notification
Once a breach is identified, you have 60 days to notify affected individuals — and the HHS Secretary if 500+ are involved. A vendor incident starts your clock.
State law on top of federal
State attorneys general have independent enforcement authority, and state statutes (CA CMIA, TX HB 300, NY SHIELD) stack additional duties on every disclosure.
Built for clinical imaging workflows.
Redact patient identifiers
Black out faces, tattoos, wristbands, MRNs and chart labels visible in dermatology, wound and procedure photos. The pixels are destroyed and the output carries a SHA-256 certificate.
Strip the EXIF a phone adds
Photos taken on a clinic phone embed GPS, timestamps and a device serial. keptimage removes them on export — and shows you what was there first.
No transit, no retention
Images don't reach our servers — by design there is no upload endpoint to attack, subpoena, or breach. The most sensitive data you handle never leaves your control.
DICOM de-identification (roadmap)
Today keptimage handles JPG, PNG and WebP clinical photos. In-browser DICOM tag de-identification is on the roadmap — tell us if it would help your practice.
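As an added illustration of two of the mechanisms above (stripping the Exif a phone adds, and attaching a SHA-256 fingerprint to the exported file), here is a small JavaScript routine that is not keptimage's code and makes no claim about how keptimage is implemented. It walks the JPEG segment table, lists the metadata segments that were present so they can be shown to the user first, writes a copy without them, and hashes the result with the browser's Web Crypto API, all without the bytes leaving the page. The segment names, the byte-level sample image and the patient-comment string are constructed for the example; the ICC profile is deliberately kept so colour rendering of a dermatology photo is unchanged.

```javascript
// Added example, not keptimage's code. Strips the JPEG metadata segments
// that commonly carry PHI and fingerprints the result, all on the client.
// Assumes the input is a JPEG held in a Uint8Array (e.g. from a File's
// arrayBuffer()); the sample bytes at the bottom are constructed.

const SEGMENT_NAMES = {
  0xe0: 'APP0 (JFIF)',
  0xe1: 'APP1 (Exif / XMP)',
  0xe2: 'APP2 (ICC profile)',
  0xed: 'APP13 (Photoshop IRB / IPTC)',
  0xfe: 'COM (free-text comment)',
};

// Exif (GPS, timestamps, device serial), XMP, IPTC captions and comments
// are dropped. JFIF and the ICC profile carry no identifiers and are kept
// so colour rendering of the photo is unchanged.
const DROP = new Set([0xe1, 0xed, 0xfe]);

// Walk the marker segments that precede the entropy-coded image data.
// Returns [{ marker, start, end }]; the SOS segment's range runs to EOF
// because the compressed scan data that follows it is copied verbatim.
function walkSegments(bytes) {
  if (bytes[0] !== 0xff || bytes[1] !== 0xd8) throw new Error('not a JPEG: missing SOI');
  const segs = [];
  let pos = 2;
  while (pos + 1 < bytes.length) {
    if (bytes[pos] !== 0xff) throw new Error(`expected marker at offset ${pos}`);
    const marker = bytes[pos + 1];
    if (marker === 0xff) { pos += 1; continue; }                 // fill byte
    if (marker === 0xda || marker === 0xd9) {                    // SOS or bare EOI
      segs.push({ marker, start: pos, end: bytes.length });
      break;
    }
    if ((marker >= 0xd0 && marker <= 0xd7) || marker === 0x01) { // RSTn / TEM: no length field
      segs.push({ marker, start: pos, end: pos + 2 });
      pos += 2;
      continue;
    }
    const len = (bytes[pos + 2] << 8) | bytes[pos + 3];          // includes the 2 length bytes
    const end = pos + 2 + len;
    if (len < 2 || end > bytes.length) throw new Error(`truncated segment at offset ${pos}`);
    segs.push({ marker, start: pos, end });
    pos = end;
  }
  return segs;
}

// What the phone (or an editor) left in the file: shown to the user before export.
function listMetadata(bytes) {
  return walkSegments(bytes)
    .filter((s) => DROP.has(s.marker))
    .map((s) => ({
      name: SEGMENT_NAMES[s.marker] ?? `marker 0x${s.marker.toString(16)}`,
      bytes: s.end - s.start,
    }));
}

// Copy of the file with the metadata segments removed; pixel data is untouched.
function stripMetadata(bytes) {
  const kept = walkSegments(bytes).filter((s) => !DROP.has(s.marker));
  const out = new Uint8Array(2 + kept.reduce((n, s) => n + (s.end - s.start), 0));
  out.set([0xff, 0xd8], 0);
  let pos = 2;
  for (const s of kept) {
    out.set(bytes.subarray(s.start, s.end), pos);
    pos += s.end - s.start;
  }
  return out;
}

// SHA-256 of the exported bytes via Web Crypto: the value a certificate would record.
async function sha256Hex(bytes) {
  const digest = await globalThis.crypto.subtle.digest('SHA-256', bytes);
  return Array.from(new Uint8Array(digest), (b) => b.toString(16).padStart(2, '0')).join('');
}

// --- constructed sample: a minimal JPEG with JFIF, a stub Exif block and a comment ---
const ascii = (s) => Array.from(s, (c) => c.charCodeAt(0));
const segment = (marker, payload) =>
  [0xff, marker, (payload.length + 2) >> 8, (payload.length + 2) & 0xff, ...payload];
const SAMPLE_JPEG = Uint8Array.from([
  0xff, 0xd8,
  ...segment(0xe0, [...ascii('JFIF\0'), 1, 1, 0, 0, 1, 0, 1, 0, 0]),
  ...segment(0xe1, [...ascii('Exif\0\0'), ...ascii('MM'), 0, 42, 0, 0, 0, 8, 0, 0]), // stub TIFF header, empty IFD
  ...segment(0xfe, ascii('Patient: J. Doe, MRN 0000000')),   // constructed placeholder text
  ...segment(0xda, [1, 1, 0, 0, 63, 0]),
  0x12, 0x34, 0xff, 0x00, 0x56,                               // entropy-coded bytes (0xFF00 is byte-stuffed)
  0xff, 0xd9,
]);

console.log('present before export:', listMetadata(SAMPLE_JPEG));
const CLEAN = stripMetadata(SAMPLE_JPEG);
console.log('present after export:', listMetadata(CLEAN), `(${CLEAN.length} bytes)`);
if (globalThis.crypto?.subtle) sha256Hex(CLEAN).then((h) => console.log('sha256:', h));
```

This covers only the metadata side. Blacking out a face or a wristband means changing pixels, which in a browser is normally done by drawing the image to a canvas and re-encoding it; that re-encode drops Exif as a side effect, but the explicit walk above is what lets you report to the user exactly which segments were in the original before they are gone.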
How our architecture changes the BAA question.
A Business Associate Agreement governs how a third party handles PHI on a covered entity's behalf. The Privacy Rule defines a business associate as someone who creates, receives, maintains, or transmits protected health information for a function performed on your behalf.
When you redact a clinical photo or strip its metadata in keptimage, the file is processed entirely inside your browser. The code that does the work loads once on the page visit; after that, no image content returns to our servers. Because we don't create, receive, maintain, or transmit your PHI, we believe a BAA most likely isn't required — but this is an informational summary, not legal advice, and you and your compliance counsel should make that call. If your policies require one regardless, we'll sign a BAA without conceding business-associate status.
You shouldn't have to take our word for it. Open the Verify page, open your browser's network tab, and confirm that no outbound upload request is made.
Note: keptimage does not claim to be "HIPAA compliant" — compliance is a property of your covered entity, not of a vendor. We are HIPAA-aware: built so that using us does not create new disclosures for you to manage.
Pricing for practices.
Business
- Every image tool, unlimited use
- PHI redaction with audit certificate
- EXIF / GPS metadata scrub
- Images up to 500 MB
- Priority support
Team (2026)
- Everything in Business
- HIPAA BAA available
- SOC 2 Type II (planned)
- SSO + audit logs
Solo clinician? Start free (no card required), or upgrade to Pro ($9/mo) inside the app.