Business Associate Agreement

Overview

BloomText offers a free signed Business Associate Agreement (BAA) to any covered entity using our products. The BAA is the legal contract that governs how BloomAPI, Inc. (the company behind BloomText) creates, receives, maintains, and transmits Protected Health Information (PHI) on your organization's behalf under HIPAA.

This article summarizes the BAA's key points. For the full legal text, see the canonical copy on the support site: bloomtext.com/support/baa.

Where to find your signed BAA

When a new organization signs up, BloomText sends the account owner a welcome message from Tyler Brown with the signed BAA attached or linked for the organization to use.

If you need another copy, cannot find that message, or need the BAA sent to a different compliance contact, email support@bloomtext.com. Ask for a signed BAA. The BloomText team will return a copy. There's no charge.

What the BAA covers (plain English)

The BAA is written in legal language. Here's what it says in everyday terms:

• What BloomAPI can do with your PHI. Only what is necessary to run the BloomText service, or what is required by law. No other use.
• How PHI is protected. BloomAPI agrees to safeguard PHI to prevent unauthorized use or disclosure, and to comply with the HIPAA Security Rule.
• Breach reporting. If a Breach of Unsecured PHI occurs, BloomAPI reports it to you within 30 calendar days of discovery. Unsuccessful attempts (port scans, failed logins, etc.) are considered routine and do not require individual notifications.
• Subcontractors. Any BloomAPI subcontractor that touches PHI must agree in writing to rules substantially similar to the BAA.
• Access requests. BloomAPI will provide PHI back to you within 15 calendar days of a request for it — in electronic form when possible.
• Amendments and disclosures. BloomAPI incorporates agreed-upon amendments to PHI within 30 calendar days of your written instruction, and documents disclosures so you can respond to patient accounting requests.
• On termination. When your service agreement ends, BloomAPI returns or destroys all your PHI. If return or destruction is infeasible for a specific data set, the BAA's protections continue to apply to that data for as long as BloomAPI retains it.
• Jurisdiction. Disputes over the BAA are governed by Washington state law and are heard in King County, Washington courts.

What the BAA does not cover

• Marketing, sales, or data aggregation beyond HIPAA permitted uses. BloomAPI can de-identify PHI per 45 CFR § 164.514; once de-identified it's no longer PHI under HIPAA.
• Consequential damages. Liability is capped at the aggregate fees paid to BloomAPI in the past 12 months. Neither party is liable for lost profits or indirect damages.
• Your own obligations as the covered entity. The BAA does not replace your Notice of Privacy Practices, patient consent handling, or other covered-entity duties.

Edge cases / gotchas

• The BAA is per-organization. It covers everyone in your BloomText organization — employees don't sign individually.
• Amendments happen through email, not in-app. Any written notice under the BAA (breach reports, access requests, amendments) goes through email to the address BloomText has on file. If your compliance contact changes, email support to update the notice address.
• Unsuccessful security events are not individually reported. This is standard and is called out in the BAA (Section II.D). If you need a report on failed login attempts or scan activity for a specific investigation, ask support.
• This summary is not the contract. The controlling language is the full legal text. If anything here conflicts with the signed BAA, the signed BAA wins.

Related flows

• Security and HIPAA compliance
• Administrative features — audit user activity
• Full legal text: bloomtext.com/support/baa