HIPAA and online PDF tools — a reality check
A nurse messages us roughly once a fortnight: "Is your tool HIPAA compliant?" The honest answer is more nuanced than yes or no, and the nuance matters. HIPAA was never designed to certify SaaS tools — it regulates covered entities (your clinic, your hospital) and their business associates (anyone they hand patient data to). What follows is a plain-English walk-through, not legal advice.
Disclaimer: This is editorial, not legal advice. Consult a privacy officer or HIPAA-qualified attorney for your specific situation. Sources cited include the U.S. Department of Health and Human Services' published guidance at hhs.gov.
What HIPAA actually requires
The Privacy Rule and Security Rule together require that a covered entity:
- Not disclose Protected Health Information (PHI) to anyone without authorisation or a permitted purpose.
- Sign a Business Associate Agreement (BAA) with anyone who processes PHI on the covered entity's behalf.
- Implement administrative, physical, and technical safeguards.
The trap most free PDF tools fall into
If you, as a covered entity employee, upload a PDF containing PHI to a typical "free online PDF tool," you have just disclosed PHI to that tool's operator. The tool's operator is now, by law, a business associate — and you are almost certainly out of compliance because you do not have a signed BAA with them.
The "we delete after 2 hours" line on those sites is irrelevant to this question. The compliance failure happened at the upload, not at deletion. The fact that the operator did not retain the file long-term does not erase the disclosure.
The client-side answer
A tool that runs entirely in the browser changes the analysis. If processing happens on the device the covered entity already controls, no disclosure to a third party has occurred. The PDF never leaves the device. The tool operator never received PHI.
Per published HHS guidance, a BAA is generally not required in this scenario: if the operator does not create, receive, maintain, or transmit PHI on the covered entity's behalf, the business-associate relationship does not arise. (See HHS guidance on business-associate definitions.)
What you still need to do
Even with a client-side tool, the covered entity is responsible for its own technical safeguards:
- Workstation security: the laptop running the browser must itself meet HIPAA technical safeguards.
- Audit logging: your clinic's own systems should record the workflow.
- Verifying the tool is what it claims: open the browser network panel and confirm there are no requests containing the file body. Pin the page as a Progressive Web App and run it offline as a final test.
How to actually verify "client-side"
Marketing copy is not verification. The two-minute version:
- Open Chrome DevTools → Network tab.
- Load the tool's page.
- Upload a small known file.
- Filter the network panel by request type "Fetch/XHR". Look at request bodies. If the file content does not appear in any outgoing body, the operator never received it.
- For belt-and-braces: in Chrome DevTools' Network request blocking panel, add patterns covering the tool's API and upload paths, such as */api/* and */upload/* (Chrome's blocking patterns use * as a wildcard and do not understand regex alternation like (api|upload)).
- Best test: disconnect from the network entirely after the page loads and confirm the tool still works.
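The request-body check in the steps above can be automated from the DevTools console. This added example (not from the article, and not code from any product it names) hooks fetch() and XMLHttpRequest on a target window and records, per request, whether the outgoing body contains the first bytes of a known test file, raw or base64-encoded. The function name installUploadMonitor, the "_monUrl" property and the 30-byte marker length are this example's own choices; in a real check you would pass window and the bytes of the file you are about to upload (for instance from input.files[0].arrayBuffer()).

```javascript
// Added example (not from the article): hooks fetch() and XMLHttpRequest on
// `target` (the page window) and flags bodies containing bytes of a test file.
function toBytes(body) {
  // Body shapes we can inspect synchronously; anything else is "opaque".
  if (body == null) return new Uint8Array(0);
  if (typeof body === "string") return new TextEncoder().encode(body);
  if (body instanceof ArrayBuffer) return new Uint8Array(body);
  if (ArrayBuffer.isView(body)) return new Uint8Array(body.buffer, body.byteOffset, body.byteLength);
  return null; // Blob, FormData, ReadableStream, Request: inspect in the Network panel
}
function containsBytes(haystack, needle) {
  // Naive subsequence search; payloads in a manual test are small.
  outer: for (let i = 0; i + needle.length <= haystack.length; i++) {
    for (let j = 0; j < needle.length; j++) if (haystack[i + j] !== needle[j]) continue outer;
    return true;
  }
  return false;
}
function markersFor(fileBytes, markerLen = 30) {
  // Leading slice of the test file, raw and base64. 30 is a multiple of 3, so the
  // base64 of the slice is a prefix of the base64 of the whole file (common JSON uploads).
  const raw = fileBytes.subarray(0, markerLen);
  return [raw, new TextEncoder().encode(btoa(String.fromCharCode(...raw)))];
}
function classify(body, markers) {
  const bytes = toBytes(body);
  if (bytes === null) return "opaque";
  return markers.some((m) => containsBytes(bytes, m)) ? "file-bytes" : "clean";
}
function installUploadMonitor(target, fileBytes) {
  const markers = markersFor(fileBytes);
  const log = []; // returned to the caller; inspect it after exercising the tool
  const record = (api, url, body) => log.push({ api, url: String(url), verdict: classify(body, markers) });
  const origFetch = target.fetch;
  if (typeof origFetch === "function") {
    target.fetch = function (input, init) {
      // A Request object may carry its own body, so pass it through as opaque.
      const body = init && init.body != null ? init.body : (input && typeof input === "object" ? input : null);
      record("fetch", input && input.url ? input.url : input, body);
      return origFetch.apply(this, arguments);
    };
  }
  const XHR = target.XMLHttpRequest;
  if (XHR && XHR.prototype) {
    const origOpen = XHR.prototype.open, origSend = XHR.prototype.send;
    XHR.prototype.open = function (method, url) { this._monUrl = url; return origOpen.apply(this, arguments); };
    XHR.prototype.send = function (body) { record("xhr", this._monUrl, body); return origSend.apply(this, arguments); };
  }
  return log;
}
```

Any entry with verdict "file-bytes" means the operator received the document; "opaque" entries (Blob, FormData or streamed bodies) could not be read synchronously and must be checked by hand in the Network panel.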
Where this leaves you
For routine handling of PHI in a small practice — combining scanned intake forms, redacting before sending to a specialist, compressing before email — a client-side PDF tool is a defensible compliance position in a way that free server-side tools fundamentally are not. For larger-scale or higher-risk workflows, you still want an enterprise vendor with a BAA on file.
Merge Everything's product, InstantFileTools, processes every operation in the browser. The deployed site has no upload endpoint. You can verify this in the network panel before trusting any patient document to it. The redaction tool is the one most relevant to PHI workflows.
If this resonates, try InstantFileTools — the privacy-first tools described in this article, available free in your browser.