
Patient Data in the Chat Box.

A frank, practical guide to PII, AI agents, and what actually happens between the moment you hit send and the response appearing on your screen.

Every few weeks, a GP asks us some version of the same question: "Is it actually safe to type about my patients in here?"

This guide also covers your AI Hygiene Score — a private dashboard that tracks how often your prompts are already clean, so anonymisation becomes a habit rather than an afterthought. See yours on the profile page.

Security · Prompt Anonymisation

INSECURE (do not use):
Mrs J. Smith (DOB 14/02/1972) presents with central chest pain radiating to the jaw. She lives at 12 High Street, Hexham.

SECURE (clinical context):
A 52-year-old female presents with central chest pain radiating to the jaw. No significant past medical history.
Part 01

Understanding patient identifiable information

PII — patient identifiable information — is any data that could, alone or in combination, identify a specific individual. The obvious examples are easy: full name, date of birth, NHS number. But the less obvious ones are where people get caught out.

Consider this combination: "70-year-old retired teacher, lives in Hexham, diagnosed with a rare condition." None of those are dramatic on their own, but together, they might describe exactly one person.

The one rule that covers almost everything

Type what you would say to a colleague in a corridor — not what you would document in a clinical record. Describe the clinical picture without naming or identifying the patient.

If something does slip through — an NHS number dictated out loud, a postcode left in a paste — ClinicQuest has a safety net that catches the obvious cases before they reach the AI. It's described in Part 02 below. It's a backstop, not a licence to skip the rule above.

Reference

What to include, what to omit

Do (always fine)

  • Anonymised age and sex

    "a woman in her early 50s"

  • Presenting complaint, history, and exam

    Clinical findings are not PII.

  • Relevant past medical history

    Without specific dates or identifiers.

  • Medications and doses

    Safe to include.

  • Clinical reasoning

    Safe to include.

  • NICE pathways, BNF checks

    Safe to include.

Don't (never include)

  • Full name

    Forename and surname together.

  • Date of birth

    Exact, or approximate when combined with other details.

  • NHS number or address

    Or even a partial address, such as a postcode.

  • Phone number or email

    Never include contact info.

  • Rare diagnosis context

    Combined with demographic detail.

  • Photographs

    Containing faces or identifiable backgrounds.

Part 02

How ClinicQuest handles your data

Zero data retention at the provider. ClinicQuest uses enterprise API agreements. AI providers (OpenAI, Google) do not log, store, or retain your prompts after the response is generated.
No model training — ever. Your conversations are never used to train or fine-tune AI models. Zero retention means you cannot train a model on data you never store.
Your threads, your account. Completed conversations are stored in ClinicQuest's own database with row-level access controls. Only you can read your threads.
Encrypted everywhere. Every connection uses HTTPS with TLS encryption. Database access is scoped to your account.
A safety net for the obvious slips. In main chat, portfolio chat, fact-checking, task labels, and ordinary dictation, ClinicQuest quietly checks for the structured identifiers that most often slip through (NHS numbers, full UK postcodes, UK phone numbers, email addresses, and dates of birth) and replaces them with a placeholder before anything is saved or sent to the AI. If it removes anything, a small toast at the top of the chat tells you what was caught. AKT Teacher and Notebook Agent prompts are educational study inputs and are not pre-scrubbed. Clinical event dates and investigation numbers are deliberately left alone so your clinical reasoning is intact.
Part 03

AI Hygiene Score — building the habit

Anonymisation is a skill, and skills get better with feedback. Every time the scrubber sees your prompt — clean or otherwise — it writes a content-free metadata event: how many structured identifiers were caught, which categories, on which surface (chat, dictation, or fact-check). No prompt text, no snippets, no thread titles. Just counts.
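An added illustration of the Part 02 safety net and the counts-only event described above, as a small Python scrubber run over a constructed prompt. This is not ClinicQuest's code: the patterns, the placeholder format, the event field names, and the use of the NHS number check digit to spare investigation numbers are all assumptions.

```python
import re
from collections import Counter

def nhs_checksum_ok(digits: str) -> bool:
    """Modulus 11 check digit: weights 10..2 over the first nine digits."""
    total = sum(int(d) * w for d, w in zip(digits[:9], range(10, 1, -1)))
    check = 11 - (total % 11)
    check = 0 if check == 11 else check      # a result of 10 is never valid
    return check != 10 and check == int(digits[9])

# (category, pattern). Group 1, where present, is a cue kept in the output.
PATTERNS = [
    ("email", re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")),
    ("uk_phone", re.compile(r"(?:\+44\s?|\b0)\d{2,4}[\s-]?\d{3,4}[\s-]?\d{3,4}\b")),
    ("nhs_number", re.compile(r"\b\d{3}[ -]?\d{3}[ -]?\d{4}\b")),
    # Upper case only, so a dose such as "B12 5mg" is not read as a postcode.
    ("uk_postcode", re.compile(r"\b[A-Z]{1,2}\d[A-Z\d]?\s?\d[A-Z]{2}\b")),
    # A date counts as a DOB only after a DOB cue; clinical event dates stay.
    ("dob", re.compile(r"(\b(?:DOB|date of birth|born)\b[:\s]*(?:on\s+)?)"
                       r"\d{1,2}[/.-]\d{1,2}[/.-]\d{2,4}", re.I)),
]

# Constructed sample prompt; every identifier in it is made up for the example.
SAMPLE = ("Pt NHS no 943 476 5919, DOB 14/02/1972, lives ZZ99 9ZZ, call 07700 900123 "
          "or j.smith@example.com. ECG on 03/05/2024, lab ref 1234567890, troponin raised.")

def scrub(prompt: str, surface: str = "chat"):
    """Return (clean_text, event). The event carries counts only, no prompt text."""
    counts = Counter()
    for category, pattern in PATTERNS:
        def replace(m, category=category):
            if category == "nhs_number":
                digits = re.sub(r"\D", "", m.group())
                if not nhs_checksum_ok(digits):
                    return m.group()         # ten digits, bad checksum: leave alone
            counts[category] += 1
            cue = m.group(1) if m.re.groups else ""
            return f"{cue}[{category.upper()}]"
        prompt = pattern.sub(replace, prompt)
    return prompt, {"surface": surface, "caught": dict(counts), "clean": not counts}

if __name__ == "__main__":
    print(scrub(SAMPLE))
```

Run on the guide's own insecure example, this sketch catches only the date of birth; the name and street address pass through untouched, which is why pattern matching on structured identifiers can only be a backstop.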

Those counts feed your AI Hygiene Score, a private dashboard on your profile page. It starts at 50 — neutral, neither good nor bad — and moves with the last 30 days of your prompts: clean prompt rate, identifier severity (NHS numbers weighted heavier than postcodes), high-risk prompt count, clean streak, and a 14-day trend. After ten submissions, the score uses your real data; before that, it blends with the neutral baseline so early feedback is visible without overclaiming.

Why the score exists

Clinical AI is new. The habits formed in the next year or two will set the tone for how UK GPs use these tools for the rest of the decade. The score is here to make "anonymise by default" a visible, trackable habit — not a compliance metric. There is no league table, no penalty, no nudge to your trainer or practice manager. It is just feedback, for you, on the part of using AI that no one else will teach you.

The dashboard also surfaces your most common redaction category and a single targeted nudge — for example, if NHS numbers are your most-caught identifier, you'll see a reminder to use "the patient" as a label instead. The nudge updates as your habits change.

Be sensible, not paranoid.

Anonymise by default, and let the zero-retention architecture handle the rest.