This work addresses the privacy risks associated with uploading sensitive health data when deploying clinical large language models. To mitigate these concerns, the authors propose HERALD, a framework that selectively encrypts and redacts sensitive tokens directly on the client side, preserving both contextual integrity and model utility. HERALD innovatively integrates medical named entity recognition with part-of-speech rules, leveraging lemmatization and deterministic ciphertext substitution to achieve end-to-end privacy protection without requiring modifications to downstream models. Experimental results demonstrate that HERALD significantly outperforms full encryption approaches on clinical classification and medical question-answering tasks, achieving performance nearly on par with plaintext processing while effectively balancing privacy guarantees and practical utility.

While large language models (LLMs) are increasingly used for clinical applications, many existing pipelines require sending raw sensitive health information to remote servers for processing, which heightens the risk of privacy leakage. A natural approach to mitigate this risk is to encrypt the data before transmission. However, straightforward solutions such as encrypting the entire dataset introduce prohibitive computational, alignment, and communication overheads, rendering large-scale practical deployment infeasible. To preserve privacy while maintaining usability, we present Healthcare Encryption & Redaction via Adaptive Linguistic Decomposition (HERALD), a token-level cryptographic redaction framework designed to achieve this balance by encrypting only sensitive tokens while preserving the surrounding context for downstream model utility. HERALD combines medical named-entity recognizer (NER) with part-of-speech (POS) driven policies to select candidate tokens, performs targeted lemmatization to stabilize surface forms, and substitutes each protected token with a deterministic ciphertext wrapped in explicit delimiters. Notably, HERALD is model-agnostic and operates entirely on the client side, ensuring that sensitive content remains encrypted throughout storage, transmission, and processing without requiring changes to downstream models. We evaluated HERALD on both classification and medical question answering (MQA) tasks on public datasets. Across different tasks, experiments illustrate that fully secured baselines suffer significant utility loss, whereas HERALD consistently recovers performance close to plaintext. Overall, HERALD provides a novel utilization pipeline.