Handling Modes
Scrub offers four modes for handling detected PHI. Choose the mode that best fits your compliance requirements.
Flag / Audit Mode (Default)
Detect and log PHI, but allow requests to proceed.
Best for:
- Initial setup and testing
- Monitoring what PHI your application sends
- Low-risk use cases with existing PHI controls
How it works:
- PHI is detected and logged
- Request proceeds to AI provider unchanged
- Response includes PHI detection headers
- Full audit trail is maintained
```bash
# Request with PHI proceeds normally
curl https://api.scrub.health/v1/chat/completions \
  -H "Authorization: Bearer $SCRUB_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{"model": "gpt-4", "messages": [{"role": "user", "content": "Patient SSN is 123-45-6789"}]}'

# Response headers indicate PHI was detected
# X-Scrub-PHI-Detected: true
# X-Scrub-PHI-Types: ssn
```
Block Mode
Reject requests that contain PHI.
Best for:
- Strict compliance requirements
- Applications that should never send PHI
- Training users to avoid including PHI
How it works:
- PHI is detected
- Request is immediately rejected with a 403 error
- No data is sent to AI provider
- Rejection is logged for audit
```bash
# Request with PHI is blocked
curl https://api.scrub.health/v1/chat/completions \
  -H "Authorization: Bearer $SCRUB_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{"model": "gpt-4", "messages": [{"role": "user", "content": "Patient SSN is 123-45-6789"}]}'

# Response: 403 Forbidden
```

```json
{
  "error": {
    "message": "Request blocked: PHI detected in content",
    "type": "phi_error",
    "code": "phi_blocked",
    "phi_types": ["ssn"]
  }
}
```
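Client code has to tell the Flag/Audit headers and the Block-mode 403 apart from ordinary responses and unrelated errors. The following is an added example, not Scrub's own SDK code; the function name, the comma-separated form of `X-Scrub-PHI-Types`, and the `invalid_api_key` sample code are assumptions, and the sample responses are constructed from the examples on this page.

```python
import json

def classify_scrub_response(status, headers, body):
    """Return (outcome, phi_types); outcome is blocked, flagged, clean or error."""
    # HTTP header names are case-insensitive, so normalise before lookup.
    h = {k.lower(): v for k, v in headers.items()}

    if status == 403:
        # Treat a 403 as a PHI block only when the body says so; any other
        # 403 (for example a rejected key) must not be recorded as a PHI event.
        try:
            err = json.loads(body).get("error", {})
        except (ValueError, TypeError, AttributeError):
            return "error", []
        if isinstance(err, dict) and err.get("code") == "phi_blocked":
            return "blocked", list(err.get("phi_types", []))
        return "error", []

    if status >= 400:
        return "error", []

    # Assumption: a missing header, or any value other than "true", means
    # no PHI was detected in the request.
    if h.get("x-scrub-phi-detected", "").strip().lower() == "true":
        raw = h.get("x-scrub-phi-types", "")
        # Assumption: several PHI types arrive as a comma-separated list.
        return "flagged", [t.strip() for t in raw.split(",") if t.strip()]
    return "clean", []

# Constructed sample responses, modelled on the examples on this page.
BLOCKED_BODY = (
    '{"error": {"message": "Request blocked: PHI detected in content", '
    '"type": "phi_error", "code": "phi_blocked", "phi_types": ["ssn"]}}'
)
SAMPLES = [
    (200, {"X-Scrub-PHI-Detected": "true", "X-Scrub-PHI-Types": "ssn"}, "{}"),
    (403, {}, BLOCKED_BODY),
    # "invalid_api_key" is a made-up code standing in for a non-PHI 403.
    (403, {}, '{"error": {"code": "invalid_api_key"}}'),
    (200, {}, "{}"),
]

if __name__ == "__main__":
    for status, headers, body in SAMPLES:
        print(status, classify_scrub_response(status, headers, body))
```
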
Redact Mode
Remove PHI from requests before forwarding.
Best for:
- Applications that may inadvertently include PHI
- Balancing functionality with compliance
- Cases where context can be preserved without the PHI
How it works:
- PHI is detected
- PHI is removed from the content
- Redacted request is forwarded to AI provider
- Original and redacted versions are logged
```text
# Original:   "Patient John Smith, SSN 123-45-6789, has diabetes"
# Sent to AI: "Patient , has diabetes"
```
Note: Redaction may affect AI response quality if important context is removed.
Mask Mode
Replace PHI with placeholder tokens.
Best for:
- Preserving context and sentence structure
- Applications where the AI needs to know "there was a value here"
- Testing and development environments
How it works:
- PHI is detected
- PHI is replaced with type-specific placeholders
- Masked request is forwarded to AI provider
- Original and masked versions are logged
```text
# Original:   "Patient John Smith, SSN 123-45-6789, has diabetes"
# Sent to AI: "Patient [NAME], SSN [SSN], has diabetes"
```
Placeholder Tokens
| PHI Type | Placeholder |
|---|---|
| SSN | [SSN] |
| Date of Birth | [DOB] |
| Phone | [PHONE] |
| Email | [EMAIL] |
| Address | [ADDRESS] |
| MRN | [MRN] |
| Name | [NAME] |
| Medicare ID | [MEDICARE_ID] |
Choosing a Mode
| Requirement | Recommended Mode |
|---|---|
| Just want visibility into PHI exposure | Flag/Audit |
| Must prevent any PHI from reaching AI | Block |
| Need AI functionality, can't send PHI | Redact or Mask |
| Testing/development | Flag/Audit or Mask |
| Strictest compliance | Block |
Changing Modes
1. Log in to your Dashboard
2. Go to Settings
3. Select your desired PHI Handling Mode
4. Click Save
Changes take effect immediately for all new requests.