How to redact a provider signature from a medical record scan
- Step 1Export the record page to an image — If the record is a PDF or a fax saved as PDF, export the signature page to PNG or JPG — the Signature Burner uses the browser's
<img>decoder and will not render a.pdf. Many fax tools already deliver pages as TIFF or PNG; convert TIFF to PNG if needed. - Step 2Drop one record image into the tool — The burner is single-file, so process one page at a time. The picker draws it into a preview canvas capped at 640px wide; the caption shows the true source size, e.g.
source 1728×2292(a typical fax page), so you know the burn resolution. - Step 3Drag a rectangle over the provider signature — Press and drag across the clinician's signature. A red box tracks the drag and the readout reports the region in source pixels:
Region: 560×120 @ (980, 1980). The box is captured asx,y(top-left) andw,h(width, height). - Step 4Square the box with the numeric fields — Four number inputs — X, Y, Width, Height — are pre-filled from your drag. Type exact values so the box encloses the full signature, including any printed credential line beneath it if you intend to remove that too. Editing a field repaints the red overlay to confirm coverage.
- Step 5Burn the region — Run the tool. The processor fills your rectangle with solid
#000and re-encodes the image as PNG. The burn only applies when bothwandhare greater than zero — a zero-area box redacts nothing and just re-encodes, so confirm the region is non-zero first. - Step 6Download and verify before sharing — The output downloads as
<original>-burned.<ext>, keeping the input's extension though the bytes are PNG. Open it cold, zoom into the box, and try select/copy — nothing is selectable. Remember the burner does not remove other PHI; review the page for names, MRNs, and dates separately before sharing.
What the burner removes — and what it does not
Scope is exactly the rectangle you draw. The tool has no PHI auto-detection; pattern-based redaction of names, phones, or IDs lives in other tools. Use this table to plan a complete de-identification pass.
| Element on the page | Removed by Signature Burner? | Where to handle it |
|---|---|---|
| Provider's handwritten signature | Yes — draw the box and burn | This tool |
| Printed credential line under the signature | Only if inside the rectangle | Extend h to include it, then burn |
| Patient name / MRN / phone (as text data) | No auto-detect | /security-tools/email-phone-scrubber on text |
| Patient name burned into the scan image | Only if you draw a box over it | Run another box over that region |
| Hidden EXIF in a phone photo of the record | No | /image-tools/exif-scrubber |
The four burn-region controls
The Signature Burner exposes exactly four numeric options, all in source-image pixels. There is no color, blur, pixelate, auto-detect, or multi-region control — drawing on the preview sets these four numbers, which you can also type.
| Option | Meaning | Default | Set by |
|---|---|---|---|
x | Left edge of the burn rectangle, in source-image pixels | 0 | Drag start, or the X field |
y | Top edge of the burn rectangle, in source-image pixels | 0 | Drag start, or the Y field |
w | Rectangle width in px. Burn applies only when w > 0 | 0 | Drag distance, or the Width field |
h | Rectangle height in px. Burn applies only when h > 0 | 0 | Drag distance, or the Height field |
Where it runs and the file caps
Signature Burner is browser-only (Canvas) and gated at the Pro tier. File-size caps are the per-tier security-family limits; the tool processes one file per run.
| Tier | Can run? | Max file size | Files per run |
|---|---|---|---|
| Free | No — requires Pro | — | — |
| Pro | Yes | 100 MB | 1 |
| Pro-media | Yes | 500 MB | 1 (single-file) |
| Developer | Yes | 2 GB | 1 (single-file) |
Cookbook
De-identification passes for clinical documents. Coordinates are illustrative but use the tool's real x/y/w/h model and its actual image-in / PNG-out behaviour.
Burn the provider signature off a prescription scan
A patient uploads a prescription image to an insurance appeal but wants the prescriber's signature removed. Export the scan to PNG, drag over the signature, burn.
Input: rx-scan.png (1728×2292, fax page) Drag over the provider signature → Region readout: 560×120 @ (980, 1980) Options captured: x=980 y=1980 w=560 h=120 Burn → solid #000 fills that rectangle; whole page re-encoded as PNG. Output: rx-scan-burned.png • signature pixels gone — nothing under the box • drug, dose, and instructions left intact
Include the printed credential line
Sometimes you want both the signature and the typed 'Jane Doe, MD, NPI 1234567890' line under it gone. Extend the height of the box to cover both, then burn once.
After drag over signature: x=980 y=1980 w=560 h=120 Credential line sits 30px below the signature. Edit field: h=120 → h=180 (extend down to cover line) Red overlay confirms both rows enclosed → burn. Output: note-burned.png (signature + credential gone)
Two signatures: ordering + co-signing provider
A clinical note co-signed by a supervising physician has two signatures. The burner takes one rectangle per run, so burn the first, download, drop the result back in, and burn the second.
Pass 1: input: note.jpg region: w=540 h=120 @ (300, 2000) # ordering provider output: note-burned.jpg (PNG bytes inside .jpg) Pass 2: input: note-burned.jpg (pass-1 output) region: w=520 h=120 @ (300, 2200) # co-signer output: note-burned-burned.jpg
Plan the rest of the de-identification
The burner only removes what you box. Pair it with the right tools so the shared record is fully de-identified, not just signature-free.
Page-level plan:
1. Signature Burner → burn provider signature region(s)
2. Draw a box over patient name printed in the image
header → burn again
3. For text-data PII (CSV/JSON exports of the record):
/security-tools/email-phone-scrubber
4. If sourced from a phone photo: strip GPS with
/image-tools/exif-scrubberVerify the redaction holds
For a record leaving your control, prove nothing survives under the box before it ships.
Check on <file>-burned.png:
• Zoom 800% into the black box → uniform #000, no ghost ink
• Select/copy over the box → nothing selectable (pixels)
• One flat PNG raster — no annotation objects, no /XObject
form, nothing to flatten or delete
• Re-confirm no other PHI is visible on the pageEdge cases and what actually happens
You drop the record PDF straight in
Fails to loadBoth the picker and the burn step decode with the browser's <img> element, which cannot render a PDF, so a .pdf throws 'Failed to load image' with no preview. Export the page to PNG/JPG first, or for text-layer redaction in a born-digital PDF use /pdf-tools/pdf-pii-redactor.
You expected names and MRNs to be removed too
Out of scopeThe burner removes only the rectangle you draw — it has no PHI auto-detection. To redact patient names, phones, or IDs in text data, use /security-tools/email-phone-scrubber. To remove identifiers burned into the image, draw a box over each and burn again.
Output is PNG even though you dropped a JPG
By designThe canvas is always re-encoded with toBlob(..., 'image/png'), so every output is PNG bytes regardless of input. The re-encode is what makes the redaction permanent. The file keeps its original extension in the name (<name>-burned.jpg), so it is PNG bytes inside a .jpg name — rename to .png if an EHR import is strict about extensions.
You clicked without dragging
No-opThe burn fills only when both w > 0 and h > 0. A click with no drag leaves w/h at 0, so nothing is redacted — the page is just re-encoded to PNG. Confirm the region readout shows a non-zero w×h before treating a record as redacted.
Fax page delivered as TIFF
Convert firstThe browser's <img> decoder does not reliably read TIFF, which many fax systems produce. Convert the page to PNG or JPG first, then drop it in. Standard sRGB PNG/JPG always decode.
Free-tier account tries to run it
Tier requiredSignature Burner is gated at the Pro tier (minTier pro); Free accounts cannot run it. Pro allows up to 100 MB per file, Pro-media 500 MB, Developer 2 GB. A fax or scan page is well within any of these caps.
Preview small, scan large
ExpectedThe preview is capped at 640px wide and only scaled down. The burn does not use preview coordinates — every drag is converted to source-image pixels (the caption shows the true source W×H), so a box drawn on the small preview lands exactly on the signature at full resolution.
Credential or signature spills past the box
Re-runBurn covers only the rectangle you set; a flourish, descender, or credential line outside it stays visible. Extend h/w before burning, or drop the burned file back in and burn a second box over the remainder. There is no eraser or undo within a single run.
Black box drawn in a viewer instead of here
Reversible — avoidA rectangle added as an annotation in a PDF viewer is a separate layer; deleting it or running pdftotext exposes the signature. For a record that leaves your control, that recoverable redaction is exactly the disclosure risk burning prevents.
Phone photo of the record carries GPS
Handle separatelyBurning removes signature pixels but does not touch EXIF, so a phone photo can still carry GPS and a timestamp. Run it through /image-tools/exif-scrubber, or preview the embedded location first with /security-tools/exif-map-previewer.
Frequently asked questions
Is the provider's signature actually removed, or just hidden?
Removed. The tool fills your rectangle with solid #000 and re-encodes the whole image as a new PNG. The output contains only the pixels the canvas painted — the ink under the box was never written into the result. There is no annotation, layer, or form object to delete, which is the difference from a deletable PDF-viewer black box.
Does the burner also remove the patient's name and MRN?
Not automatically — it removes only the rectangle you draw and has no PHI auto-detection. If a name or MRN is printed in the image, draw a box over it and burn again. For pattern-based redaction of emails, phones, and IDs in text data exported from the record, use /security-tools/email-phone-scrubber.
Can I redact the signature in the record PDF directly?
Not in this tool — it decodes input with the browser's <img> element, which cannot render a PDF, so a .pdf throws 'Failed to load image'. Export the page to PNG/JPG and burn that, or use /pdf-tools/pdf-pii-redactor for the text layer. Strip hidden PDF metadata separately with /pdf-tools/pdf-metadata-scrubber.
Does the health record get uploaded anywhere?
No. The burner runs entirely on the HTML Canvas in your browser tab; the record never reaches a server, so PHI stays on your machine during redaction. An audit-log entry is emitted locally so you have a contemporaneous note the redaction step ran.
Why is my output a PNG when I dropped a JPG?
The canvas is always re-encoded with toBlob(..., 'image/png') — that re-encode bakes the black box permanently into the pixels. So a JPG in becomes PNG out. The file keeps its original extension in the name (<name>-burned.jpg); it is PNG bytes inside a .jpg name, so rename to .png if an EHR import is strict about extensions.
How do I remove the signature and the printed credential line together?
Extend the rectangle's height so it covers both rows before burning. After dragging over the signature, raise h in the numeric field until the red overlay encloses the credential line beneath it, then burn once. Both are removed in a single pass.
Can I redact a co-signed note with two provider signatures?
Yes, in two passes — the tool takes one rectangle per run. Burn the ordering provider's signature, download, drop the result back in, and burn the co-signer's. Each pass re-encodes to PNG and leaves untouched pixels visually identical, so chaining is safe.
Can I pixelate the signature instead of blacking it out?
No. The fill is solid opaque black (#000) and is not configurable — there is no color, blur, or pixelate control here, and a fixed solid fill cannot be reversed. For pixelating faces in clinical photos or video, see /video-tools/face-pixelate.
My fax came as a TIFF — can I use it?
Not directly. The browser's <img> decoder does not reliably read TIFF, which many fax systems produce, so it may throw 'Failed to load image'. Convert the page to PNG or JPG first, then drop it in. PNG, JPG, GIF, WebP, and BMP all decode.
Why did nothing get redacted when I ran it?
The burn applies only when both width and height are greater than zero. A click with no drag leaves w and h at 0, so the rectangle is a no-op and the page is just re-encoded to PNG. Confirm a non-zero w×h in the readout, or type values into the Width/Height fields, then run again.
What tier and file size do record pages need?
The tool requires the Pro tier (Free cannot run it). File-size caps follow the security family: Pro 100 MB, Pro-media 500 MB, Developer 2 GB per file. It is single-file regardless of tier — one page per run, no batch mode.
How do I confirm the record is safe to share?
Open the -burned.png cold, zoom to 800% into the box (uniform #000, no ghost ink), and try to select/copy over it (nothing, because it is pixels). The file is one flat PNG with no layers or annotations to delete. Then re-scan the page for other PHI, scrub text exports with /security-tools/email-phone-scrubber, and check phone photos for EXIF with /image-tools/exif-scrubber. Confirm your specific de-identification standard with your compliance team.
Privacy first
Every JAD Security operation runs entirely in your browser. Files, passwords, and PGP private keys never leave your device — verified by zero outbound network requests during processing.