Field Guide

Seven Types of Information That Should Never Leave Your Law Firm

"Sensitive information" is too broad to act on under deadline. Here are the seven specific categories that should never leave your firm unredacted — and why each one matters.


Every PI firm knows redaction matters. Fewer have a clear, consistent answer to exactly what needs to be caught before a document goes out.

The problem? "Sensitive information" is too broad a catch-all — easy to say, harder to operationalize. When a paralegal is reviewing a 100-plus-page medical record under time pressure, they need to know specifically what to look for. Vague guidance produces inconsistent results, and inconsistent results are exposure.

You can't guarantee your paralegal will catch everything, even with a definite list — but specific guidelines help. The faster, more reliable way to catch it all is an AI system, but we'll get to that. First, here's what your firm should never let leave unredacted, and why.

1. Social Security numbers

Forgotten SSNs are the most common issue in PI documents. It's a numbers game: SSNs are everywhere — medical billing records, insurance correspondence, intake forms, accident reports. A single unredacted SSN can mean a bar complaint, a client-notification obligation, and more. The standard for external sharing differs from the one for filed documents, but best practice calls for complete redaction.

2. Medical record numbers

On their own, medical record numbers seem low-risk. But combined with other information — a name, a date of birth — in the same document or package, they can lead directly to a client's complete medical file. From hospital records to specialist notes and billing summaries, that's a lot of numbers to track across a lot of pages.

3. Protected health information

PHI is an incredibly broad category: diagnoses, treatment histories, prescription records, mental health notes, and any clinical documentation. When a firm shares medical records in discovery or settlement negotiations, any PHI that falls outside the scope of the claim should be removed.

Under HIPAA's Safe Harbor standard, there are 18 specific identifier categories that must be removed before PHI is considered de-identified. Manual review rarely catches all 18 consistently at volume. Sharing excess PHI isn't just a privacy issue — it's a federal compliance issue.

4. Financial account information

As with SSNs, federal court rules allow only the last four digits of a financial account number to appear in filed documents. The same should apply to what your firm sends externally: bank account numbers, credit card numbers, and routing information show up in billing records, lien documentation, and carrier correspondence. Partial account numbers are safer than full ones, but even partial disclosure combined with other identifiers creates risk.

5. Dates of birth

A date of birth alone is fairly harmless. Paired with a name and an SSN in the same document, it becomes the basis for an identity-theft attempt — and PI case files are full of documents that carry all three. Federal court rules require that only the year of birth appear in filings. The same caution should apply to external sharing: if the recipient doesn't require the full date of birth, omit it.

6. Minor identifiers

With minors, extra care is required. Whether a minor is a claimant, a witness, or a dependent, everything — names, dates of birth, school records, and other documentation — should be treated as confidential by default.

7. Witness and third-party personal information

Medical records, police reports, and accident documentation frequently contain the names, addresses, and contact details of witnesses and other people with no direct role in the litigation. That information doesn't belong in external production either. When firms miss it, they expose people who never consented to be part of the process — which can complicate the firm's compliance posture if the data ends up in the wrong place.
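To make the seven categories concrete, here is an added example of a policy-driven screening pass in Python. It is not DataGuard's code and not part of the original guide; the sample page, the label conventions ("MRN:", "Routing:", "Witness:", "Diagnosis:") and the patterns are constructed assumptions. It covers the categories that have a recognisable shape (SSN, medical record number, account and routing numbers, date of birth, a labelled witness line) and applies the guide's rules: SSNs and MRNs fully removed, account numbers cut to the last four digits, dates of birth reduced to the year. Free-text PHI is only flagged for review, because deciding what falls outside the scope of the claim is a legal call, and minor status is a document-level fact this example does not model. Every finding goes into a list that serves as the audit log.

```python
import re
from dataclasses import dataclass

# Constructed sample page from a fictional production set. Every name and
# identifier below is made up for this example.
SAMPLE_PAGE = """\
Patient: Jane Doe   DOB: 03/14/1985   MRN: 00482913
SSN: 123-45-6789
Diagnosis: lumbar disc herniation
Account No: 4111111111111111   Routing: 021000021
Witness: John Roe, 42 Elm St, (555) 010-2233
"""


@dataclass
class Finding:
    category: str      # one of the guide's categories (assumed short names)
    action: str        # "redact" (replacement applied) or "review" (left in place, flagged)
    original: str      # text as it appeared on the page
    replacement: str   # text that went out in its place


def _keep_last4(m: re.Match) -> str:
    """Filed-document standard for financial accounts: last four digits only."""
    digits = re.sub(r"\D", "", m.group(0))
    return "XXXX" + digits[-4:]


# Policy table: (category, pattern, action, replacement builder).
# Label-anchored patterns (MRN, Routing, Witness, Diagnosis) are assumptions
# about how this firm's documents are laid out; the bare-digit patterns for
# SSN, account number and date of birth are shape-based.
POLICY = [
    ("ssn",         re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),     "redact", lambda m: "[SSN REDACTED]"),
    ("mrn",         re.compile(r"(?<=MRN: )\d{6,10}\b"),     "redact", lambda m: "[MRN REDACTED]"),
    ("phi",         re.compile(r"(?<=Diagnosis: )[^\n]+"),    "review", lambda m: m.group(0)),
    ("routing",     re.compile(r"(?<=Routing: )\d{9}\b"),     "redact", lambda m: "[ROUTING REDACTED]"),
    ("account",     re.compile(r"\b\d{13,19}\b"),             "redact", _keep_last4),
    ("dob",         re.compile(r"\b\d{2}/\d{2}/(\d{4})\b"),   "redact", lambda m: "XX/XX/" + m.group(1)),
    ("third_party", re.compile(r"(?<=Witness: )[^\n]+"),      "redact", lambda m: "[THIRD-PARTY INFO REDACTED]"),
]


def screen(text: str, policy=POLICY):
    """Run every policy rule over one page.

    Returns (clean_text, findings). Rules run in policy order over the
    progressively redacted text, so a later rule never sees what an earlier
    rule already removed. The findings list is the audit log.
    """
    findings = []
    for category, pattern, action, build in policy:
        def _sub(m, category=category, action=action, build=build):
            replacement = build(m) if action == "redact" else m.group(0)
            findings.append(Finding(category, action, m.group(0), replacement))
            return replacement
        text = pattern.sub(_sub, text)
    return text, findings


def needs_review(findings) -> list:
    """Categories that were flagged but not removed; the page is not clear to
    send until an attorney has decided whether they are within claim scope."""
    return [f.category for f in findings if f.action == "review"]


if __name__ == "__main__":
    clean, log = screen(SAMPLE_PAGE)
    print(clean)
    for f in log:
        print(f"{f.action:6} {f.category:12} {f.original!r} -> {f.replacement!r}")
    print("pending review:", needs_review(log))
```

The point of keeping the policy in a table rather than scattered through the code is that it matches how the guide frames the work: the firm decides the rule per category (full removal, last four, year only, review), and the screen applies the same rule to every page.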

The problem with checking this list manually

A paralegal working through a high-volume production set cannot reliably catch all seven of these categories — across every document, every time. Attention drifts. Pages blur. Metadata carries information that isn't visible on screen at all. Things get missed, especially at a smaller firm where everyone is at max capacity.

That's where an AI system helps. With DataGuard, you define the policy based on your firm's risk profile, and every document going out is screened against it before it's sent. Nothing gets blocked. Anything that falls within your rules is fully removed, the document goes out clean, and you receive a full audit log.

It keeps your clients, their data, and your firm's reputation safe — and frees up your paralegals for other work. Better yet, it runs right inside Microsoft 365 with no dedicated IT team required.

That's the difference between a checklist and a process.

Turn the list into a process

See DataGuard screen a real production set against all seven categories — live, in 20 minutes.