The PHI Tokenizer is a purpose-built application WalkerNash Development engineered in-house for one job: keeping protected health information on your own network. It runs on the facility's own computer, strips resident and patient identifiers before any cloud tool sees them, holds the token-to-PHI map locally, and restores the names only on your machine. Free with every Crucible AI facility seat.
The Tokenizer is not a cloud service with a local agent. It is a dedicated application, built in-house by WalkerNash Development, that opens and closes the PHI boundary on your own computer. Nothing about your residents crosses the wire in the clear.
A fail-closed scan runs over every outbound payload: the HIPAA 18 identifiers plus resident, payer, medical-record, and credential numbers. Each identifier is replaced with a stable token before the text reaches any cloud tool or the Crucible AI judge.
HIPAA 18 + facility IDs · fail-closedThe token-to-PHI map, the only thing that can turn [RESIDENT_1] back into a real name, is written to your own disk and never uploaded. No cloud service, including the Crucible AI judge, ever receives it.
Local-only · never uploadedBefore anything leaves, the egress gate shows you the exact outbound payload and waits. Nothing is sent until you confirm. This is the backstop for free-typed PHI the patterns might miss: the compliance officer's own last look.
Officer-confirmed egressWhen the verdict comes back, the names are restored on your machine, from your local map. The cloud holds no map, so detokenization can only ever happen here. The restored identity never appears in any cloud record.
Local detok · no cloud mapThe Tokenizer has to be the first thing the text passes through on its way out. Put it in front of whichever cloud tool you already use, and the cloud sees tokens from the very first call.
Keep your records the way you always have. The Tokenizer sits on your machine between a record and anything that leaves your network.
The scan strips identifiers, the egress gate shows you the payload, and only tokens cross the wire, on to the Crucible AI cloud judge.
The verdict returns as tokens and is detokenized on your machine. Your resident's identity was never in the clear anywhere but your own disk.
The Tokenizer protects content that passes through it. PHI sent to any cloud tool upstream of the Tokenizer egresses to that tool before the Tokenizer sees it. Tokenizing downstream does not cure a disclosure already made. Tokenization is offered as a discipline the facility must affirmatively elect and keep in protected status. The facility remains the sole party liable for the protection of resident PHI.
A privacy tool that oversells itself is a liability. Here is the boundary, plainly stated, so you can place the Tokenizer correctly in your own workflow.
If a tool received raw PHI before the Tokenizer ran, that disclosure already happened. The Tokenizer has to sit at the first point of egress; placed downstream of something that already saw the names, it protects nothing about that earlier call.
This is a discipline, not an ambient guarantee. You elect it and keep it in protected status. A switch that is off, or a workflow that routes around it, leaves the resident exposed exactly as if the Tokenizer were not installed.
The scan is fail-closed and covers the HIPAA 18 plus facility identifiers, which means it errs toward holding rather than sending. But no automated scan catches every free-typed identifier. That is exactly why the egress gate exists: your confirm is the real backstop, and seeding your own roster catches the bare names a pattern cannot.
Tokenizing a name does nothing about whether a record satisfies a regulation. Privacy and compliance are two different jobs. The Tokenizer closes the first. Ruling on the second is the Crucible AI judge's job, which is why the two are built to run together.
The PHI Tokenizer ships free with every Crucible AI facility seat, because it is the discipline that keeps resident data on your network. We would rather you never have the switch turned off, so there is no add-on and no per-record charge. Want just the privacy gate, without the compliance judge? It is a one-time $249 purchase on its own.
The Tokenizer is what keeps PHI off the cloud, so charging for it would be charging you to protect your own residents. It ships with the product. A WalkerNash-built privacy tool: fail-closed scan over the HIPAA 18 plus facility identifiers, officer-confirmed egress gate, local-only map and detokenization, cross-platform.
A single PHI disclosure to a vendor's cloud is a reportable event with federal and state exposure. A gate that keeps the identifiers home, included with the seat, is the cheapest line on the page.
Want just the privacy gate, without the compliance judge? The PHI Tokenizer is a one-time $249 purchase. Building one in-house is a developer's time plus the tooling bill, and then you maintain it yourself. $249, once, is less than that, built, tested, and kept current for you.
WalkerNash Development engineered the Tokenizer in-house for a single purpose: keeping protected health information off the cloud. It runs on the facility's own computer, strips PHI before egress, holds the token-to-PHI map locally, and detokenizes on a clean pass. It ships free with every Crucible AI facility seat, and its guarantees are the same on every machine it runs on.
The PHI Tokenizer ships free with every Crucible AI facility seat. Either way you look at it, the map never leaves your machine.
Get started