
Sonomos for healthcare

A quickstart for clinicians, nurses, MAs, allied-health staff, clinical admins, and hospital privacy officers who want to use AI tools in patient-care workflows without exposing Protected Health Information.

Who this is for

You’re a clinician or clinical staff member working at a HIPAA-covered entity or business associate. You’re using — or your colleagues are using — AI tools to help with workflows like:

  • Drafting patient communications and after-visit summaries
  • Summarizing visits or telehealth notes for documentation
  • Researching diagnoses, drug interactions, or treatment options
  • Writing patient education materials
  • Drafting prior-authorization letters and appeals
  • Coding and billing assistance

Every one of these workflows can quietly include PHI. Sonomos is the safety net.

The PHI Sonomos detects

The 18 HIPAA-defined identifiers, including:

  • Names, dates of birth, admission and discharge dates
  • Email addresses, phone and fax numbers
  • Social Security numbers, medical record numbers (MRNs)
  • Health plan beneficiary numbers, account numbers
  • Certificate, license, and DEA numbers; NPI; vehicle and device identifiers
  • Web URLs, IP addresses, biometric identifiers
  • Full-face photographs (via OCR on inline images)
  • Any other unique identifying number or code

See the full list with severity tiers in the Detector Reference.

Channel                                            What to install
-------------------------------------------------  -----------------------
Web AI chat (Claude.ai, Gemini, Grok, ChatGPT)     Browser extension
Other web tools (patient portals, telehealth UIs)  Browser extension
Native Claude Desktop, ChatGPT Desktop, Copilot    Coming: Sonomos Desktop
Voice dictation / transcription                    Coming: Sonomos Desktop

30-minute setup

  1. Install the browser extension on every browser you use for clinical work. See Install. Allow about 5 minutes per browser including the verification step.

  2. Sign in if you’re on Professional or Teams. Compliance reports depend on a Sonomos account at my.sonomos.ai. See Account setup.

  3. Open Claude.ai (or Gemini or Grok) and toggle Cloak to on from the Sonomos widget. Repeat for each platform you use.

  4. Set Send Guard to “Banner + Modal” (default) — this gives you a non-blocking banner on medium-severity detections and a blocking modal on high-severity ones (SSNs, MRNs, MBIs, DEA numbers).

  5. Verify on a test prompt. In Claude.ai, paste a fake clinical sentence like: Patient John Doe, MRN 12345678, presented with chest pain on 01/15/1990. The widget should turn red, and on submit, Cloak should replace John Doe, 12345678, and the date with placeholders.

  6. On the Teams plan, pin admin policy so staff cannot disable Cloak or downgrade Send Guard. See Teams setup.

Clinical workflows, step by step

Drafting an after-visit summary

  1. Open Claude.ai. Confirm Cloak is on (lock icon visible).
  2. Paste your draft including patient name, DOB, and clinical details.
  3. Submit. Cloak replaces identifiers with [NAME], [DOB], etc. before transmission.
  4. The model returns a polished summary referencing the placeholders.
  5. Copy back into your EHR, replacing placeholders with the real values yourself.
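As an added illustration of what setup steps 4 and 5 and the after-visit workflow above describe, here is a constructed, regex-based masker (not Sonomos's own code): it assigns severities, applies the "Banner + Modal" decision, and keeps the placeholder map on the clinician's machine so real values can be restored when copying back into the EHR. The regexes, the medium severity given to dates, phones and names, and the green/amber/red widget mapping are assumptions.

```python
import re

# Constructed example, not Sonomos's own detector: illustrative regex matching
# (assumption). Severity follows the quickstart: SSN/MRN are high (blocking
# modal); dates, phones and names are treated here as medium (banner).
PATTERNS = [  # (placeholder label, severity, regex)
    ("SSN",   "high",   re.compile(r"\b\d{3}-\d{2}-\d{4}\b")),
    ("MRN",   "high",   re.compile(r"(?<=\bMRN )\d{6,10}\b")),
    ("DOB",   "medium", re.compile(r"\b\d{2}/\d{2}/\d{4}\b")),
    ("PHONE", "medium", re.compile(r"\b\(?\d{3}\)?[-. ]\d{3}[-. ]\d{4}\b")),
    ("NAME",  "medium", re.compile(r"(?<=\bPatient )[A-Z][a-z]+ [A-Z][a-z]+")),
]
WIDGET = {"allow": "green", "banner": "amber", "modal": "red"}  # assumed colours


def cloak(text):
    """Replace each detected identifier with [LABEL] before transmission.
    Returns (masked text, local placeholder->value map, severities seen)."""
    mapping, counts, severities, masked = {}, {}, [], text
    for label, severity, rx in PATTERNS:
        def sub(m):
            n = counts[label] = counts.get(label, 0) + 1
            ph = f"[{label}]" if n == 1 else f"[{label}_{n}]"
            mapping[ph] = m.group(0)      # stays on the clinician's machine
            severities.append(severity)
            return ph
        masked = rx.sub(sub, masked)
    return masked, mapping, severities


def send_guard(severities):
    """'Banner + Modal' policy: block on any high-severity hit, warn on medium."""
    if "high" in severities:
        return "modal"    # blocking
    if "medium" in severities:
        return "banner"   # non-blocking
    return "allow"


def reidentify(model_output, mapping):
    """Step 5 of the after-visit workflow: restore real values locally."""
    for ph, value in mapping.items():
        model_output = model_output.replace(ph, value)
    return model_output


if __name__ == "__main__":
    prompt = "Patient John Doe, MRN 12345678, presented with chest pain on 01/15/1990."
    masked, mapping, sev = cloak(prompt)
    print(WIDGET[send_guard(sev)], send_guard(sev), masked)
    print(reidentify("Summary for [NAME], MRN [MRN], DOB [DOB].", mapping))
```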

Researching a diagnosis

  1. Strip identifiers from your prompt before you ask. AI doesn’t need them to answer “what’s the differential for chest pain in a 65-year-old with HTN?”
  2. If you slip and include identifiers, Cloak catches them on supported platforms; Send Guard warns you elsewhere.
  3. Use placeholders deliberately (“Patient X, age Y, presenting with…”) and the AI will reason about them just as well.

Writing patient education materials

  1. Generic education content typically has no PHI in the prompt — green widget.
  2. If you paste a patient’s specific medication list to tailor the content, you’ll see amber or red. Edit out names and DOB; keep the medications.
  3. Cloak still masks any residual identifiers on supported platforms.

Prior-authorization appeals

  1. The strongest workflow: write the appeal in your EHR (the controlled environment), then ask AI to polish the language with placeholders for any PHI references.
  2. If you must paste a redacted appeal into AI, ensure Cloak is on. Read the masked output before copying back.
  3. For the Teams plan, your compliance officer can run a monthly report to document that Cloak masking operated during prior-auth workflows.

Pitfalls to avoid

  • Voice transcription apps. Browser extensions can’t see audio captured by Dragon, Otter, or built-in OS dictation. Use these with care until Sonomos Desktop ships voice / transcript scanning.
  • Native Claude / ChatGPT desktop apps. Out of scope for the extension. Use the web versions for now, or wait for Sonomos Desktop.
  • EHR-side AI features. Most modern EHRs are adding AI summarization built into the client. The browser extension only sees what’s in the browser. Confirm your EHR vendor’s BAA covers their AI features.
  • Shared workstations. Settings sync follows your sign-in, not the device. Sign out when you walk away.
  • PHI in screenshots. OCR catches what’s in inline images on a page. Screenshots you upload externally are not yet scanned in the prototype — Sonomos Desktop will add that.

Documenting the control for compliance

On Professional or Teams, schedule compliance reports to your compliance officer or DPO. The report shows category counts, severity, platform, and timeline — enough to demonstrate to an auditor that the control was active during the period. PHI text itself is never included in the report, so the report is safe to share.