A PHI de-identification layer you can self-host.
REST API, FHIR support and a native MCP server. Strip PHI to reversible tokens, send de-identified data to any model, re-identify locally. Docker in your own environment — no BAA negotiations, no vendor lock-in.
Credits never expire · Free for 501(c)(3) healthcare nonprofits
# de-identify · PHI replaced with tokens
curl -X POST https://your-proxy/api/deidentify \
-H "X-API-Key: msk_live_..." \
-d '{"text":"Patient Jane Doe, DOB 1985-03-12"}'
# response
{ "text": "Patient [NAME_1], DOB [DATE_1]",
"sessionId": "ses_abc123" }
→ session key stored in your Redis only
← re-identify with the same session key
Your infra, two commands.
Every interface you need. One proxy.
REST API, native MCP server, FHIR R4 reads, and a persistent CDR — all running in your Docker environment with the same de-identification pipeline.
REST API
POST /api/deidentify · /api/reidentify · /api/fhir/deidentify. JSON in, JSON out. Any language, any framework.
Native MCP server
First-class Model Context Protocol support so Claude Desktop, Claude Code, and any MCP-compatible host can call the proxy as a tool.
FHIR R4 client
Read structured resources — Patient, Condition, Observation, MedicationRequest, DocumentReference — straight from Epic, Cerner (Oracle), athenahealth, or eClinicalWorks.
CDR persistent context
Medplum-backed Clinical Data Repository keeps a full longitudinal record per patient so every call has the whole chart, not just the latest payload.
Reversible tokenization
PHI is replaced with deterministic tokens ([NAME_1], [DATE_1], …). The session key lives only in your infra — re-identify after the model responds.
18 Safe Harbor IDs
All 18 identifier types specified in 45 CFR §164.514(b)(2) are stripped before any outbound request. Auditable, documented, CISO-ready.
Trade fidelity for tokens, on your terms.
Every format is reversible except llm-optimized. Validated on 557 real Synthea bundles — ~400,000 resources.
Full FHIR structure, unchanged.
Whitespace stripped, keys preserved.
Prose-shaped for model context.
One system panel. Everything self-hosted.
- Proxy, Clinical Data Repository, and Redis all run as Docker in your own environment.
- REST, MCP, and FHIR endpoints exposed on localhost — wire them into any stack.
- Ephemeral sessions; the tokenization key that maps tokens back to PHI never leaves your machine.

Four endpoints. Infinite clinical context.
Authenticate with an API key. Every endpoint returns JSON. All FHIR resources are de-identified in-flight before the response leaves the proxy.
# clinical text de-identification
POST /api/deidentify
POST /api/reidentify
# FHIR R4 resources (de-identified)
POST /api/fhir/deidentify
POST /api/fhir/reidentify
# session management
GET /api/session
DELETE /api/session
# health
GET /health
# pull and run in your environment
docker pull ghcr.io/1putt-health/medscrub-proxy
# configure your EHR credentials
cp .env.example .env
# start the stack
docker compose up -d
# proxy running at localhost:3001
→ 500 free credits · no credit card required
PHI never leaves your infra. By design.
The de-identification proxy runs entirely in your environment. The session key that maps tokens back to real patient data never travels outside your Docker container.
No PHI leaves your infra
The proxy runs in your Docker environment. PHI is stripped and the session key never travels to a model API.
No BAA with a model vendor
Because the AI model only sees de-identified data, you are not disclosing PHI to it — no Business Associate Agreement required.
18 Safe Harbor identifiers removed
Names, dates, MRNs, SSNs, addresses, phone numbers, and all other 45 CFR §164.514(b)(2) identifiers are stripped on every request.
Deterministic, auditable de-id
The tokenization logic is documented code — not a black-box ML classifier. You can read exactly what gets removed and why.
HIPAA Safe Harbor · 45 CFR §164.514(b)(2) · 18/18 identifier types removed