Calendar Icon White
May 17, 2024
Clock Icon
 min read

PII & PHI Redaction

Learn how to remove personal data, PII (Personally Identifiable Information), PHI (Protected Health Information)

PII & PHI Redaction
Calendar Icon White
May 17, 2024
Clock Icon
 min read

PII & PHI Redaction

Learn how to remove personal data, PII (Personally Identifiable Information), PHI (Protected Health Information)



  • Protecting PII and PHI data is crucial in the digital age to prevent identity theft and legal repercussions.
  • Strac offers APIs for redacting sensitive data from unstructured text, documents, and SaaS apps.
  • Sending sensitive data to LLM models is prohibited due to potential risks of model training, employee access, and data retrieval vulnerabilities.
  • Redacting PII and PHI is essential for compliance, security, and maintaining trust with customers and stakeholders.
  • Strac provides tools and APIs to help businesses protect sensitive data and achieve regulatory compliance.

Overview: Why Redact Sensitive PII/PHI Data?

In today's digital age, protecting sensitive information is crucial. Personally Identifiable Information (PII) and Protected Health Information (PHI) are prime targets for cybercriminals. Unauthorized access to this data can lead to identity theft, financial loss, and legal repercussions. Redacting sensitive data ensures compliance with regulations such as GDPR, HIPAA, and CCPA, and helps maintain trust with customers and stakeholders.

Redact PII or PHI in Unstructured Text

In today’s digital communication landscape, sensitive data often finds its way into unstructured text formats such as chat messages, email bodies, and chat transcripts. Ensuring the privacy and security of this information is paramount. Strac offers robust APIs designed specifically for the programmatic redaction of sensitive data from unstructured text. Whether you need to safeguard personally identifiable information (PII) or protected health information (PHI), Strac’s APIs provide a seamless and efficient solution.

Redact Sensitive Data like PII, PHI in Chat Transcript, Chat Messages, Email Body, etc.

By integrating Strac’s APIs, you can automatically identify and redact sensitive information, ensuring compliance with privacy regulations and protecting your organization from potential data breaches. These APIs are versatile, easy to implement, and designed to handle various text formats, making them an ideal choice for businesses looking to enhance their data protection measures.

For more detailed information on how to utilize Strac’s redaction API, please visit the API documentation.

‎Redact PII or PHI in Documents

Similarly, it is common to redact out sensitive parts in documents (pdf, jpeg, png, image, docx, screenshots, xlsx). Strac has the solution for that as well. Checkout the API: ‎

W2 Tax Return Redacted Form
Strac: Redacted W2

Redact PII or PHI in SaaS Apps

In the modern workplace, a multitude of SaaS applications such as Zendesk, Slack, Jira, Confluence, Salesforce, Gmail, M365, OneDrive, SharePoint, and Google Drive are commonly used for communication and collaboration. However, these platforms often become repositories for sensitive data, either inadvertently shared by customers or employees. Managing and redacting this information is crucial to maintaining privacy and compliance with data protection regulations.

Strac offers a No-Code solution for redacting PII and PHI across these SaaS apps. This solution integrates seamlessly with your existing workflows, allowing you to automatically identify and remove sensitive information without the need for complex coding or manual intervention. Strac’s integrations ensure that your data remains secure, compliant, and protected from unauthorized access.

For a complete list of our integrations and to learn more about how Strac can help safeguard your data, please visit Strac Integrations.

Strac Zendesk Redaction

Redact PII or PHI before sending to LLM Models

Generative AI models, particularly large language models (LLMs) like GPT-4, have become increasingly popular for a wide range of applications, from drafting emails and creating content to coding assistance and customer support. However, a crucial caveat in their terms of use is the strong advisory: "DO NOT SEND SENSITIVE DATA" to these models. Understanding the reasons behind this advisory is essential for both individuals and organizations leveraging these powerful tools.

Why Is Sending Sensitive Data to LLM Models Prohibited?

  1. Potential Use in Model Training
    1. Generative AI models are designed to learn from the data they receive. While OpenAI and other organizations have policies to protect user data, there remains a risk that sensitive information could be inadvertently included in the data sets used for future training. This could lead to unintended exposure of confidential information. For instance, if sensitive data such as personal identifiers, financial information, or proprietary business details are included in the input, there's a possibility that such data could influence the model's responses or be used to generate similar data in future outputs.
  2. Employee Access
    1. Another critical reason for the prohibition is the potential access that employees or contractors of the AI service provider might have to user data. Despite stringent access controls and privacy policies, the human element introduces a non-negligible risk. In environments where data is used to improve AI models or troubleshoot issues, employees might encounter sensitive information. This access, although often limited and monitored, poses a privacy risk that organizations and individuals should avoid.
  3. Data Retrieval Vulnerabilities
    1. A particularly concerning issue is the ability to trick LLM models into revealing previously provided data. Techniques such as prompt injection attacks can exploit vulnerabilities in the model to extract sensitive information. These models, while sophisticated, do not possess the same contextual awareness and privacy safeguards as human beings. Consequently, with cleverly crafted inputs, it might be possible to coerce the model into regurgitating confidential data that was inputted by another user.

Strac Proxy that will redact incoming prompt and then send to the downstream LLM Partner


Redacting PII and PHI is not just a regulatory requirement but a fundamental practice to ensure the security and privacy of individuals' information. Strac offers a comprehensive suite of tools and APIs to help businesses protect sensitive data across various formats and platforms. By integrating Strac's solutions, organizations can achieve compliance, enhance security, and maintain the trust of their customers and stakeholders.

Founder, Strac. ex-Amazon Payments Infrastructure (Widget, API, Security) Builder for 11 years.

Latest articles

Browse all