Free · Open Source · MIT Licensed
HIPAA Shield.
Catch PHI before it leaks.
A free Chromium browser extension that warns when Protected Health Information is being typed or pasted into a browser form — especially AI chat interfaces like ChatGPT, Claude, Gemini, and Copilot, which don't sign HIPAA Business Associate Agreements. 100% client-side detection. Zero telemetry. Ever.
Chrome Web Store listing coming soon · Currently install via Developer Mode
The problem
Staff paste patient data into ChatGPT every day. The browser is where the disclosure happens.
A medical assistant pastes a chart note into ChatGPT to summarize. A biller drafts an appeal letter with claim details. A front desk coordinator cleans up a sensitive patient email. Nobody flagged any of it as a problem. It didn't feel like a breach — it felt like being resourceful.
Under HIPAA, every one of those moments is a potentially reportable disclosure to a third party without a Business Associate Agreement. Consumer ChatGPT, consumer Claude, consumer Gemini, consumer Copilot — none of them sign BAAs at the default tier. The paste is the breach.
The intervention has to happen at the moment of the choice, not in retrospect during an audit. That's the browser. That's what HIPAA Shield does.
What it detects
Eight detection rules. Each toggleable.
| Rule | Severity | Pattern |
|---|---|---|
| Social Security Number | high | XXX-XX-XXXX format with prefix validation |
| Date of birth | high | MM/DD/YYYY 1900–2099 |
| Credit card number | high | Visa/MC/Amex/Discover with Luhn check |
| Medical Record Number (MRN) | high | MRN-prefixed identifiers |
| Phone number | medium | Standard US phone formats |
| Email address | medium | Standard email format |
| ICD-10 diagnosis code | low | Standard ICD-10 format |
| Diagnosis terms | low | Clinical keyword patterns |
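As an added illustration, and not HIPAA Shield's own code, the following JavaScript shows how four of the rules above (SSN with prefix validation, DOB in the 1900–2099 range, Luhn-checked card numbers, MRN-prefixed identifiers) can be implemented as a purely client-side scanner over a field's text; the specific SSA area/group/serial checks, the card prefixes, and the `MRN-` digit length are my assumptions, not the extension's exact patterns.

```javascript
// Added example, not the project's code. Runs in the page/extension context
// and returns findings to the caller; nothing is sent over the network.

// Assumed SSN structure: area 001-899 excluding 666, group 01-99, serial 0001-9999.
function validSsn(area, group, serial) {
  const a = Number(area);
  return a !== 0 && a !== 666 && a < 900 && group !== "00" && serial !== "0000";
}

// Luhn checksum shared by Visa/MC/Amex/Discover numbers (contiguous digits only).
function luhn(digits) {
  let sum = 0, dbl = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = Number(digits[i]);
    if (dbl) { d *= 2; if (d > 9) d -= 9; }
    sum += d; dbl = !dbl;
  }
  return sum % 10 === 0;
}

const RULES = [
  { name: "ssn", severity: "high", re: /\b(\d{3})-(\d{2})-(\d{4})\b/g,
    accept: (m) => validSsn(m[1], m[2], m[3]) },
  // MM/DD/YYYY with the year restricted to 1900-2099, as in the table above.
  { name: "dob", severity: "high",
    re: /\b(0[1-9]|1[0-2])\/(0[1-9]|[12]\d|3[01])\/((?:19|20)\d{2})\b/g,
    accept: () => true },
  // Assumed issuer prefixes (Visa 4, MC 51-55, Amex 34/37, Discover 6011); Luhn decides.
  { name: "credit_card", severity: "high",
    re: /\b(?:4\d{3}|5[1-5]\d{2}|3[47]\d{2}|6011)[ -]?\d{4}[ -]?\d{4}[ -]?\d{3,4}\b/g,
    accept: (m) => luhn(m[0].replace(/[ -]/g, "")) },
  // Assumed MRN format: "MRN" prefix, optional separator, 5-10 digits.
  { name: "mrn", severity: "high", re: /\bMRN[-:\s]?\d{5,10}\b/gi, accept: () => true },
];

// Scan one field's text with the enabled rules (all by default, mirroring the
// per-rule toggles). Only the matched token is returned, never the whole field,
// so a caller can raise a warning without logging the input.
function scanText(text, enabled = new Set(RULES.map((r) => r.name))) {
  const findings = [];
  for (const rule of RULES) {
    if (!enabled.has(rule.name)) continue;
    for (const m of text.matchAll(rule.re)) {
      if (rule.accept(m)) {
        findings.push({ rule: rule.name, severity: rule.severity, index: m.index, match: m[0] });
      }
    }
  }
  return findings.sort((a, b) => a.index - b.index);
}
```

Calling `scanText` on a constructed chart-note fragment such as `"DOB 03/14/1985, SSN 123-45-6789, MRN-0045821, card 4111 1111 1111 1111"` yields four high-severity findings, while a malformed SSN like `000-12-3456` is rejected by the prefix validation rather than reported.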
Where it works
Any text input on any website.
The extension scans every text input, textarea, and editable field on every page. It's especially useful for:
- ChatGPT (chatgpt.com)
- Claude (claude.ai)
- Google Gemini
- Microsoft Copilot
- Perplexity
- Gmail compose
- All web forms, textareas, and contenteditable fields on any site
Privacy
100% client-side. Zero network requests.
The extension does not collect, transmit, store on any server, or share any data. Period. Every check happens inside your browser, on your device.
No telemetry. No analytics. No error reporting. No usage tracking. The manifest declares zero host_permissions and the source code contains zero fetch calls. You can audit this yourself.
FAQ
Frequently asked questions
Is HIPAA Shield really free?
Yes. The extension is open source under the MIT license. There is no premium tier, no paid plan, and no upsell. Patient Protect publishes it as a free contribution to closing the casual-disclosure breach category.
Does the extension send my data anywhere?
No. The extension makes zero network requests, contains zero telemetry, and never transmits page content, form contents, detection results, or any other data. All detection runs entirely in your browser. Verify in the source: github.com/patient-protect/hipaa-shield.
What does it detect?
Social Security Numbers, dates of birth, credit card numbers (Luhn-validated), Medical Record Numbers, ICD-10 codes, and clinical diagnosis terms. Phone numbers and email addresses are detected but disabled by default to reduce noise. Each rule is toggleable.
Will it work on Firefox or Edge?
It works on any Chromium-based browser today: Chrome, Edge, Brave, Arc, Opera, Vivaldi. A Firefox port is in progress and will ship when Manifest V3 compatibility is finalized.
Is this a replacement for our compliance program?
No. The extension catches casual disclosures at the moment of entry — particularly the 'let me just paste this into ChatGPT' use cases that drive the fastest-growing breach category. It is not a substitute for workforce training, a written AI-use policy, BAAs, or platform-level data loss prevention.
Can I customize what it detects?
Yes. Click the extension icon to open the settings popup, then toggle individual detection rules on or off. Settings are stored locally in your browser via chrome.storage.local and never transmitted.
One free tool in a larger toolkit.
HIPAA Shield is one of 21 free resources Patient Protect publishes to close the compliance and security gap for independent healthcare practices. See the full catalog — risk assessments, breach intelligence, training modules, an open dataset, and more.
From free tools to a running program
Ready to start the real work?
The browser extension catches the casual disclosure. The Patient Protect platform keeps the whole compliance program running between assessments — continuous monitoring, BAA tracking, audit-log review, workforce training enforcement, and incident response.
14-day free trial · Credit card required · Cancel any time
