HIPAA-aware PDF tools. Zero PHI uploads.
Process patient records without a BAA — because we never see them.
The rule that governs your vendor stack.
HIPAA defines who counts as a business associate and when an agreement is required.
A covered entity may disclose protected health information to a business associate and may allow a business associate to create, receive, maintain, or transmit protected health information on its behalf, if the covered entity obtains satisfactory assurances… that the business associate will appropriately safeguard the information.
The BAA model exists because cloud vendors create, receive, maintain, or transmit PHI. KeptPDF does none of those things — files are processed locally inside your browser and never reach our servers. See the technical explanation below.
What an uploaded PDF can trigger.
HHS OCR enforcement fines
Tiered penalties ranging from $50,000 per violation up to $1.9M per calendar year per category. Each record can count as a separate violation.
60-day breach notification
Once a breach is identified, you have 60 days to notify affected individuals — and the HHS Secretary if 500+ are involved. Vendor incidents start your clock.
State AG actions
State attorneys general have independent HIPAA enforcement authority — plus state-specific laws (CA CMIA, TX HB 300, NY SHIELD) that stack on top.
Built for clinical workflows.
Redaction of PHI
Black out patient identifiers, dates of service, MRNs, prescriber DEA numbers, and free-text notes. Output ships with a SHA-256 audit certificate.
No transit, no retention
Files don't reach our servers. By design — there is no upload endpoint to attack, subpoena, or breach.
Metadata scrub
Strips embedded device IDs (DICOM/EHR exports), software signatures, prior editor names, and hidden annotation layers.
Searchable PDF (OCR)
Digitize legacy paper records on-device. OCR runs in your browser — no cloud OCR service ever sees a scanned chart.
Why we don't need a BAA.
A Business Associate Agreement exists to govern how a third party handles PHI on a covered entity's behalf. The HIPAA Privacy Rule defines a business associate as a person or organization that creates, receives, maintains, or transmits protected health information for a function or activity on behalf of a covered entity.
KeptPDF's architecture means none of those four verbs apply to us. When you redact a chart, scrub metadata, or merge two reports, the file is processed entirely inside your browser. The JavaScript that does the work is loaded once on the initial page visit; after that, no file content ever returns to our servers. We do not create, receive, maintain, or transmit PHI — so the conventional BAA model does not apply.
You shouldn't have to take our word for that. Open the Verify page, open your browser's network tab, and watch zero outbound file uploads happen.
Note: KeptPDF does not claim to be "HIPAA compliant" — compliance is a property of your covered entity, not of a vendor. We are HIPAA-aware: built so that using us does not create new disclosures to manage.
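The network-tab check above can be made repeatable: save the session as a HAR file and scan every request for anything that could carry file content off the device. This is an added example, not KeptPDF's own code; the HAR entries and hostnames in it are constructed for illustration.

```javascript
// Audit a HAR 1.2 export ("Save all as HAR" in the browser network tab) for
// requests that could carry file content to a server: any request body,
// file-like body types, or write methods. Hostnames below are constructed.

const FILE_MIME = /^(application\/pdf|multipart\/form-data|application\/octet-stream)/i;

function auditEntry(entry) {
  const req = entry.request;
  // HAR uses bodySize -1 for "unknown"; treat that as no body but keep postData checks.
  const bodySize = req.bodySize > 0 ? req.bodySize : 0;
  const post = req.postData || null;
  const mime = post && post.mimeType ? post.mimeType : "";
  const findings = [];
  if (bodySize > 0 || (post && (post.text || (post.params && post.params.length)))) {
    findings.push(`carries a request body (${bodySize} bytes)`);
  }
  if (FILE_MIME.test(mime)) findings.push(`file-like body type ${mime}`);
  if (!["GET", "HEAD", "OPTIONS"].includes(req.method.toUpperCase())) {
    findings.push(`non-read method ${req.method}`);
  }
  return findings.length ? { url: req.url, method: req.method, findings } : null;
}

// Returns only the entries that need a reviewer's attention; an empty array
// means nothing in the capture carried a body or used a write method.
function auditHar(har) {
  return har.log.entries.map(auditEntry).filter(Boolean);
}

// Constructed sample: two static-asset fetches and two requests to question.
const sampleHar = { log: { entries: [
  { request: { method: "GET", url: "https://app.example.test/app.js", bodySize: 0 } },
  { request: { method: "GET", url: "https://app.example.test/verify", bodySize: -1 } },
  { request: { method: "POST", url: "https://metrics.example.test/ping", bodySize: 42,
    postData: { mimeType: "application/json", text: '{"event":"open"}' } } },
  { request: { method: "PUT", url: "https://api.example.test/upload", bodySize: 524288,
    postData: { mimeType: "application/pdf" } } },
]}};

for (const f of auditHar(sampleHar)) {
  console.log(f.method, f.url, "->", f.findings.join("; "));
}
```

HAR exports may omit WebSocket message frames, so review the WS filter in the network tab separately if the page opens a socket.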
Pricing for practices.
Business
- Every PDF tool, unlimited use
- PHI redaction with audit cert
- Metadata scrub + on-device OCR
- Files up to 500 MB
- Priority support
Team (Q3 2026)
- Everything in Business
- SOC 2 Type II report
- Centralized seat management
- Optional BAA for ancillary services