Demo: Sanitizing Medical Documents with Differential Privacy using Large Language Models
Keywords: Differential Privacy, Personally Identifiable Information (PII), Large Language Models (LLMs), Medical Document Sanitization, Healthcare Data Privacy
TL;DR: We propose a method for medical document sanitization that combines privacy-sensitive token tagging with token-level Differential Privacy in LLMs, enabling use of GenAI models (even untrusted ones) without compromising patient privacy.
Abstract: Medical documents often contain sensitive information such as disease history and symptoms. Regulations like GDPR strictly prohibit leakage of such content. A natural solution is to sanitize documents with large language models (LLMs) before sending them to untrusted providers. However, LLM-based paraphrasing remains vulnerable to membership inference attacks (MIA), which can reveal which private tokens were present in the input. Differentially Private Inference (DPI) offers formal guarantees against such leakage, but standard approaches severely degrade utility. Recent methods improve trade-offs by applying DP only to private tokens, yet this requires accurate tagging of private spans. In practice, privacy in medical text is highly context dependent and varies across organizations/jurisdictions, leading existing taggers to perform poorly. LLM-based taggers achieve higher accuracy but require costly fine-tuning and risk leaking private data through memorization.
We address this by introducing constitutional classifiers for private information tagging. Here, we learn a constitution, i.e., a set of natural language rules, directly from a small annotated subset, achieving stronger performance than existing taggers while requiring no fine-tuning. Importantly, the learned rules remain interpretable and auditable, allowing human experts to verify or edit them for compliance. We integrate our constitutional tagger with DPI through DP-Fusion, yielding an end-to-end pipeline for utility-preserving medical document sanitization using LLMs. The system is deployed and publicly available at www.documentprivacy.com.
Submission Number: 169