HIPAA image redaction, explained — and done on your device.
A patient's photo is itself an identifier. Here's what the de-identification standard asks you to remove from an image, and how keptimage does it without the file ever leaving your browser.
The de-identification standard.
Two methods under the Privacy Rule. Both start with removing identifiers from the data — including images.
Health information that does not identify an individual… is not individually identifiable health information. The Safe Harbor method requires removal of 18 specified identifiers, including (16) full-face photographs and any comparable images.
Photographs are called out by name in the Safe Harbor list. The Expert Determination method (§164.514(b)(1)) instead relies on a qualified statistician's analysis. Either way, the practical first step for a clinical image is to remove what makes the patient identifiable — keptimage is built for exactly that step.
The identifiers that hide in a photo.
Several of the 18 Safe Harbor identifiers routinely appear inside an image — or in the metadata wrapped around it.
Faces & comparable images
Identifier #16. A recognizable face, and often a distinctive tattoo or scar, identifies the patient on its own. A flattened redaction removes it for good.
Names, MRNs & numbers on labels
Wristbands, chart corners and specimen labels caught in frame carry names, medical record numbers and account numbers — identifiers #1, #7 and #8.
Geography & GPS in EXIF
Geographic subdivisions are identifier #2 — and a phone photo embeds precise GPS coordinates in EXIF. Re-encoding the image drops that metadata entirely.
Dates & device serials
Service dates visible on a monitor (identifier #3) and a camera/device serial number embedded in the file (#17–18) are both removed when keptimage rebuilds the image.
How keptimage removes them.
You mark the regions to hide — a face, a wristband, a label. keptimage overwrites those pixels with a solid fill and then re-encodes the entire image from the raw canvas. There is no hidden layer or alpha channel preserving the original, and the re-encode drops every EXIF, GPS and device field the file was carrying. The result is a clean image plus an optional plain-text certificate containing a SHA-256 hash of the exact file you downloaded, so anyone can confirm it hasn't been altered since.
All of this happens in your browser. The JavaScript loads once on the page visit; after that, no image content returns to our servers. There is no upload step to attack, no copy to retain, and nothing for a breach or subpoena to reach.
"Is keptimage HIPAA compliant?"
The honest answer: compliance is a property of your organization, not of a tool. No software can make a covered entity HIPAA compliant by itself. What a tool can do is avoid becoming a new source of risk. keptimage is HIPAA-aware — built so that using it does not create a fresh disclosure of PHI to manage.
Because images are processed locally and never reach our servers, we don't create, receive, maintain, or transmit your PHI — the four verbs that define a business associate under the Privacy Rule. On that basis we believe a Business Associate Agreement most likely isn't required for keptimage. This is an informational summary, not legal advice; you and your compliance counsel should make the determination. If your policies require a BAA regardless, we'll sign one on our Team plan, without conceding business-associate status.
Don't take our word for the architecture — open the Verify page, open your browser's network tab, and watch zero uploads happen as you process an image.
Plans for regulated work.
Business
- Every image tool, unlimited use
- De-identification redaction + certificate
- EXIF / GPS metadata scrub
- Images up to 500 MB
- Priority support
Team 2026
- Everything in Business
- HIPAA BAA available
- SOC 2 Type II (planned)
- SSO + audit logs
Just need to de-identify a few images? Start free — no card.