Why Using an LLM to Redact PII and PHI is a Bad Idea

We have seen a lot of posts, and you probably have too, on various social media and blogging platforms showing how you can redact text using a large language model (LLM). They present a fairly simple solution to the complex problem of redaction. Can we really just let an LLM handle our text redaction and be done with it? The answer is simply no.

Here is one such example: https://ravichinni.medium.com/using-generative-ai-for-content-redaction-46ee61a3a4e6 (Don’t do this.)

Posts like this can make it tempting to consider leveraging an LLM to help identify and redact sensitive information, such as personally identifiable information (PII) and protected health information (PHI). While LLMs have demonstrated impressive capabilities in natural language understanding, they are not well-suited for the critical task of detecting and redacting sensitive data.

This post describes some reasons why relying solely on an LLM for redaction and de-identification is a bad idea, and why a hybrid solution, such as the open source Philter software, that combines rule-based, dictionary-based, and natural language processing techniques is better suited for redaction and de-identification.

So, before you prompt an LLM to “Redact the PII and PHI in the following text”, be aware of the risks described below.

Redaction Requirements are Often Complex

Very often it is not enough to simply mask PII and PHI with asterisks. Various regulations have different requirements for how PII and PHI should be redacted, and your business needs can lead to complicated redaction policies. For instance, it may be enough to mask the first 5 digits of an SSN or only mask zip codes whose population is less than some threshold. Or, perhaps you need to anonymize all occurrences of a person’s name consistently across multiple documents. Prompting an LLM to successfully meet these redaction requirements is challenging, if not impossible.

(Philter provides these redaction capabilities through its redaction policies. You can tailor a redaction policy specific to your needs and redact the data just how you need to.)
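The three requirements above can be written as deterministic rules. The following is an added example, not Philter's code or its policy format; the key, name dictionary, population table and threshold are constructed values chosen for illustration.

```python
import hashlib
import hmac
import re

# Constructed values for illustration only (assumptions, not from Philter).
PSEUDONYM_KEY = b"constructed-demo-key"           # in practice, a managed secret
KNOWN_NAMES = ["Jane Roe", "John Smith"]           # dictionary of names to anonymize
ZIP_POPULATION = {"90210": 21000, "59011": 1800}   # constructed population table
ZIP_POPULATION_THRESHOLD = 20000

SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
ZIP_RE = re.compile(r"\b\d{5}\b")
NAME_RE = re.compile("|".join(re.escape(n) for n in KNOWN_NAMES))


def pseudonym(name: str) -> str:
    """Map a name to the same token in every document.

    A keyed HMAC is used so the token cannot be reproduced by hashing
    candidate names without the key.
    """
    digest = hmac.new(PSEUDONYM_KEY, name.lower().encode(), hashlib.sha256)
    return f"PERSON_{digest.hexdigest()[:8]}"


def mask_zip(match: re.Match) -> str:
    """Mask only zip codes whose population is below the threshold."""
    zip_code = match.group(0)
    population = ZIP_POPULATION.get(zip_code, 0)   # unknown zip: fail closed, mask it
    return "*****" if population < ZIP_POPULATION_THRESHOLD else zip_code


def redact(text: str) -> str:
    """Apply the policy in a fixed order so the result is reproducible."""
    text = SSN_RE.sub(lambda m: f"***-**-{m.group(3)}", text)  # mask first 5 digits
    text = ZIP_RE.sub(mask_zip, text)
    return NAME_RE.sub(lambda m: pseudonym(m.group(0)), text)
```

Running `redact` twice on the same input always yields the same output, and the same name receives the same token in every document, which is what makes the policy testable.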

Decreased Accuracy

LLMs operate probabilistically, meaning they generate outputs based on patterns in their training data rather than deterministic rules. This makes LLMs unreliable for consistently identifying and redacting PII and PHI. An oversight—such as missing a social security number—could lead to data exposure and non-compliance with privacy regulations like HIPAA. Likewise, an LLM might redact information that isn’t sensitive or fail to recognize context-specific PII/PHI, leading to a false sense of security.

(Philter uses a combination of rule-based, dictionary-based, and natural language processing for redaction.)

Inconsistent Performance Across Contexts

The performance of LLMs varies significantly based on context, phrasing, and language structure. Sensitive information may appear in different formats, abbreviations, or contextual clues that an LLM may struggle to recognize.

For instance, an LLM might successfully identify and redact a clearly labeled patient name in one document but fail to recognize the same name in a physician’s notes when it appears alongside medical conditions. In contrast, purpose-built systems can be trained and tested with structured validation methods to ensure comprehensive and reliable redaction.

Risks of Hallucination and Data Leakage

LLMs sometimes “hallucinate”, meaning they generate information that was not in the original text. This poses a serious risk when dealing with sensitive data. If an LLM inadvertently generates or reconstructs PII/PHI that was previously redacted, it could lead to data breaches or compliance violations. Additionally, some LLMs may inadvertently store and reuse information from previous interactions, increasing the risk of accidental exposure if proper safeguards are not in place.

Lack of Explainability

One of the fundamental challenges with LLMs is their black-box nature. Unlike rule-based systems that provide clear logic for why a particular piece of information was redacted, LLMs do not offer transparency into their decision-making process. This lack of explainability makes it difficult to audit redaction decisions, troubleshoot errors, or prove compliance with regulatory requirements.

Organizations need to demonstrate accountability in handling sensitive data, and relying on a model that cannot provide a clear rationale for its decisions makes compliance reporting challenging.

(Philter’s API offers an /explain endpoint that provides a detailed explanation of why each token was identified as PII or PHI to help you understand Philter’s actions.)

Scalability and Cost Considerations

Running LLMs at scale for real-time PII and PHI detection can be very expensive. Many LLMs require significant processing power which increases operational costs. In contrast, traditional rule-based redaction tools are much more efficient, allowing for much faster and much more cost-effective redaction.

Additionally, the cost of remediating errors caused by LLM misclassifications—whether through manual review or regulatory penalties—can be far higher than investing in a more robust, deterministic redaction approach from the start. (Note that Philter is open source software.)

If you don’t make the investment in the necessary hardware to run an LLM locally, you will have to resort to third-party hosted LLMs. Sending sensitive text to a third party for redaction comes with its own set of risks. Is your data being shared? Is it encrypted? Do you know how you’re allowing the third party to use that data? This can quickly lead to the compliance risks described below.

Regulatory and Compliance Risks

Data privacy regulations like GDPR, HIPAA, and CCPA require stringent controls over how PII and PHI are processed and protected. If an LLM fails to properly redact sensitive data, an organization could face severe legal and financial consequences.

Using third-party or cloud-based LLMs introduces additional concerns regarding data residency, storage, and transmission. Many compliance frameworks require that sensitive data not be processed or stored in untrusted environments, and relying on an external AI model may violate these mandates.

A Better Choice: A Hybrid Approach to Redaction

Instead of relying entirely on LLMs for PII and PHI redaction, organizations should leverage solutions that apply deterministic, rule-based systems for the PII and PHI data that follows well-defined patterns. These methods provide greater reliability and transparency.

For cases where more advanced context understanding is needed, a hybrid approach—combining rule-based methods with traditional machine learning models specifically trained for redaction—offers a more accurate and compliant solution. These models can be fine-tuned, tested, and validated against real-world data without the unpredictability of general-purpose LLMs.

(Philter uses rules to identify many kinds of PII and PHI. Items such as email addresses and social security numbers follow well-defined patterns. A rule-based system will be much more efficient and accurate than an LLM at identifying these types of PII and PHI.)
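To illustrate both the pattern-based identification described here and the auditability discussed under "Lack of Explainability", the following added example (not Philter's code, and not the output format of its /explain endpoint) detects email addresses and SSNs and records which rule matched each span and why. The rule names, the `Finding` record and the `{{...}}` placeholders are assumptions made for this sketch.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    rule: str    # name of the rule that fired
    start: int   # character offsets into the original text
    end: int
    text: str    # the matched value (keep audit logs as protected as the source)
    reason: str  # human-readable justification for the auditor


# Each rule is a (name, pattern, reason) triple. The SSN pattern rejects values
# that are never issued: area 000, 666 or 9xx, group 00, serial 0000.
RULES = [
    ("ssn",
     re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b"),
     "NNN-NN-NNNN with a valid area, group and serial number"),
    ("email",
     re.compile(r"\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}\b"),
     "local-part@domain.tld"),
]


def find_pii(text: str) -> list[Finding]:
    """Return every rule match, ordered by position in the text."""
    findings = [
        Finding(name, m.start(), m.end(), m.group(0), reason)
        for name, pattern, reason in RULES
        for m in pattern.finditer(text)
    ]
    return sorted(findings, key=lambda f: f.start)


def redact_with_audit(text: str) -> tuple[str, list[Finding]]:
    """Replace each finding with a typed placeholder and return the audit trail."""
    findings = find_pii(text)
    parts, cursor = [], 0
    for f in findings:
        if f.start < cursor:          # overlaps an earlier finding: already covered
            continue
        parts.append(text[cursor:f.start])
        parts.append("{{" + f.rule.upper() + "}}")
        cursor = f.end
    parts.append(text[cursor:])
    return "".join(parts), findings
```

Every redaction can be traced to a named rule and an offset in the input, and a value that is not redacted (such as an SSN-shaped string with area 000) is left alone for a reason that can be read directly from the pattern.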

Conclusion

While LLMs are powerful tools for many natural language tasks, they are not the best choice for the critical task of redacting PII and PHI. Their probabilistic nature, risk of errors, lack of transparency, and compliance concerns make them a less than ideal choice for organizations handling sensitive data. A structured and deterministic approach—either through rule-based systems or specialized AI models—is a safer and more efficient choice.

Learn more about Philter at https://www.philterd.ai/philter/ and its approach to redaction and de-identification.
