HIPAA-aware PDF tools. Zero PHI uploads.
Process patient records right in your browser. The files never reach our servers.
The rule that governs your vendor stack.
HIPAA defines who counts as a business associate and when an agreement is required.
A covered entity may disclose protected health information to a business associate and may allow a business associate to create, receive, maintain, or transmit protected health information on its behalf, if the covered entity obtains satisfactory assurances… that the business associate will appropriately safeguard the information.
The BAA model exists because cloud vendors create, receive, maintain, or transmit PHI. KeptPDF does none of those things: files are processed locally inside your browser and never reach our servers. See the technical explanation below.
What an uploaded PDF can trigger.
HHS OCR enforcement fines
Tiered penalties ranging from $50,000 per violation up to $1.9M per calendar year per category. Each record can count as a separate violation.
60-day breach notification
Once a breach is identified, you have 60 days to notify affected individuals, and the HHS Secretary if 500+ are involved. Vendor incidents start your clock.
State AG actions
State attorneys general have independent HIPAA enforcement authority, plus state-specific laws (CA CMIA, TX HB 300, NY SHIELD) that stack on top.
Built for clinical workflows.
Automatic PHI redaction
Automatically flag patient identifiers, dates of service, MRNs and prescriber DEA numbers, or black out free-text notes by hand, then truly destroy the text underneath, not just cover it. Output ships with a SHA-256 audit certificate for your compliance records.
No transit, no retention
Files don't reach our servers. By design, there is no upload endpoint to attack, subpoena, or breach.
Metadata scrub
Redaction rebuilds the file from scratch, stripping embedded device IDs (DICOM/EHR exports), software signatures, prior editor names, and hidden annotation layers.
Searchable PDF (OCR)
Digitize legacy paper records on-device. OCR runs in your browser. No cloud OCR service ever sees a scanned chart.
How our architecture changes the BAA question.
A Business Associate Agreement exists to govern how a third party handles PHI on a covered entity's behalf. The HIPAA Privacy Rule defines a business associate as a person or organization that creates, receives, maintains, or transmits protected health information for a function or activity on behalf of a covered entity.
When you redact a chart, scrub metadata, or merge two reports, the file is processed entirely inside your browser. The JavaScript that does the work is loaded once on the initial page visit; after that, no file content ever returns to our servers. Because we don't create, receive, maintain, or transmit your PHI, whether a BAA is required is a call for you and your compliance counsel to make. This is an informational summary, not legal advice. If your policies require one regardless, we provide a BAA template based on HHS sample provisions for you and your counsel to review and adapt.
You shouldn't have to take our word for that. Open the Verify page, load a tool, and turn on Airplane Mode: it still works, because no PHI ever leaves the browser. With the network on you will see only small first-party pings for the quota and analytics, never your file.
Note: KeptPDF does not claim to be "HIPAA compliant." Compliance is a property of your covered entity, not of a vendor. We are HIPAA-aware: built so that using us does not create new disclosures to manage.
Pricing for practices.
Pro
For a solo clinician. $290/yr saves 2 months
- PHI redaction with SHA-256 audit certificate
- Clean output, no KeptPDF watermark
- Saved redact lists: always-redact patient names & MRNs, never-flag your usual false positives
- Metadata scrub + on-device OCR
- Unlimited bulk PHI redaction across charts
- Larger files (practical limit ~500 MB)
- Priority support
Practice
Everything in Pro, for your whole practice. $990/seat/yr saves 2 months
- Shared always-redact list: patient names & MRNs scrubbed on every clinician’s document automatically
- Team never-flag list: tune out a false positive once, for the whole practice
- End-to-end encrypted: we can’t read your practice’s list
- Practice-wide redaction counts for audits
- 2–25 seats on one invoice · one bill · priority support
Lock $99 per seat for life
The Practice rate goes up as the suite grows. Founding firms never pay more than today's price, for as long as you stay. For the first 25 practices.
Prefer to try first? Start free, no card required.