HIPAA and online PDF tools: what healthcare teams should know

Under HIPAA, any vendor that creates, receives, maintains, or transmits protected health information (PHI) on a covered entity's behalf is a business associate, and you must have a signed Business Associate Agreement (BAA) with them before they handle it (45 CFR §164.502(e)). Upload a patient record to an online PDF tool and that tool becomes a vendor receiving PHI — which is exactly the relationship the BAA rule governs.

The practical problem: most free and consumer online tools simply do not offer a BAA. Without one, routing PHI through them is not permitted, no matter how good their security marketing sounds. This is the same reason many consumer apps carry a “do not use with PHI” note.

This is a statement about the category of free online tools, not an accusation against any specific product — always check a given vendor's own BAA policy before trusting it with PHI.

HIPAA penalties are tiered by culpability and can reach roughly $2.1 million per violation category, per year, on top of the breach-notification, reputational, and operational fallout. For a small practice, a single mishandled-PHI incident can be existential.

The way to sidestep the entire question is to use a tool that never receives the PHI. DukPdf runs every tool in your browser with WebAssembly, so when you OCR a scanned record or merge documents, the file is processed on your machine and never uploaded. No upload means no business associate, no BAA to negotiate, and no new breach surface.

We deliberately say “HIPAA-friendly,” not “HIPAA-certified” — compliance depends on your whole workflow, not one tool. See how local processing works on the private PDF editor page.