Security and HIPAA Compliance

How does Bloom secure your data?

Information security is our highest priority here at Bloom. We design and engineer our products with strong data safeguards first-and-foremost in our minds, and in compliance with all relevant regulations and best practices.

The Quick Answer

Bloom secures all data we store, receive, and transmit using industry standard encryption. Protected health information (PHI) is only accessible to a small team of HIPAA-trained employees, and all access to PHI is logged and audited by our HIPAA Security Officer. Non-PHI data (e.g. usernames, organization details) is also secured with strict, need-to-know access controls, and all accesses are similarly logged. We take this very seriously.

Protected health information (PHI) is never persisted on any device that accesses Bloom. As soon as you leave the Bloom website or close the Bloom application all temporarily stored PHI is immediately purged.

Bloom gives administrators control over their organization’s member list, allowing them to restrict membership, receive membership-related notifications, and remove users as needed. A removed user immediately loses access to all of your organization’s data.

We are always available to answer your security and HIPAA questions.

Details

Hosting

Bloom uses Google Cloud as its hosting provider and has a Business Associate Agreement (BAA) in place with Google Cloud. We build our products on a number of Google Cloud's HIPAA-compliant services.

Data Access Policy

Access to Bloom services, and to the data stored by these services, is strictly controlled by Bloom and restricted to essential employees only. When service configurations or data are accessed, Bloom logs and reviews all relevant activity in a timely fashion. Employee access to protected health information (PHI) is restricted to a small team of HIPAA-trained engineers, and all PHI access is logged and additionally audited by our HIPAA Security Officer.

In the unlikely event of unauthorized data access, Bloom security personnel will promptly inform all relevant parties of the security breach, in compliance with HIPAA disclosure regulations.

Privacy Policy

Read the full Bloom privacy policy here.

Business Associate Agreement

Bloom offers a free signed BAA for all our customers. View a copy of our BAA here.

Client-Server Communications Security

All BloomText clients (Web, Mobile, Desktop) communicate with BloomText servers over TLS (SSL). TLS is terminated at a Google Cloud load balancer, and requests are forwarded to internal BloomText hosts. BloomText hosts communicate with each other over an isolated, secure IPsec network.

PHI on BloomText Clients

BloomText clients do not store any PHI in long-term storage on user devices. All data required to run BloomText is re-synced from the server upon each login, and this data is purged from memory on user logout or when the application is terminated. The only BloomText information stored long-term on user clients is (1) a unique device identifier, (2) the identity of the last user to log in to BloomText on the device, and (3) a unique session key identifying the current BloomText session.
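The split described above, between an in-memory PHI cache and a short allowlist of non-PHI keys that may reach long-term storage, can be enforced in a web client with a small storage gate. The following is an added illustration, not BloomText's own client code: the key names, the function names and the constructed sample record are assumptions, and the in-memory storage stand-in exists only so the example runs outside a browser.

```javascript
// Added example (not BloomText code). Assumes a web client whose only
// long-term store is localStorage; all names below are hypothetical.

// The three items the page lists as the only data persisted on a device.
const PERSISTED_KEYS = new Set(["deviceId", "lastUserId", "sessionKey"]);

// PHI synced from the server lives here and nowhere else; never written to disk.
let phiCache = new Map();

// Constructed localStorage stand-in so the example runs under Node as well.
const memoryStorage = (() => {
  const m = new Map();
  return {
    getItem: (k) => (m.has(k) ? m.get(k) : null),
    setItem: (k, v) => { m.set(k, String(v)); },
    removeItem: (k) => { m.delete(k); },
    key: (i) => Array.from(m.keys())[i] ?? null,
    get length() { return m.size; },
  };
})();
const storage = typeof localStorage !== "undefined" ? localStorage : memoryStorage;

// Single choke point for long-term writes: anything not on the allowlist is refused,
// so a PHI field cannot reach localStorage by accident.
function persist(key, value) {
  if (!PERSISTED_KEYS.has(key)) {
    throw new Error(`refusing to persist non-allowlisted key "${key}"`);
  }
  storage.setItem(key, value);
}

function cachePhi(recordId, record) {
  phiCache.set(recordId, record);
}

function getPhi(recordId) {
  return phiCache.get(recordId) ?? null;
}

// Called on logout and on app termination (pagehide in a browser):
// drops every PHI record from memory; persisted non-PHI keys are untouched.
function purgeSession() {
  phiCache.clear();
  phiCache = new Map();
}

// Self-check a client can run at startup: returns any persisted keys
// outside the allowlist (expected to be empty).
function persistedKeysOutsideAllowlist() {
  const unexpected = [];
  for (let i = 0; i < storage.length; i++) {
    const k = storage.key(i);
    if (!PERSISTED_KEYS.has(k)) unexpected.push(k);
  }
  return unexpected;
}

// Constructed login flow: persist the allowed identifiers, cache a sample record.
function simulateLogin(userId, sessionKey) {
  persist("deviceId", "device-constructed-0001");
  persist("lastUserId", userId);
  persist("sessionKey", sessionKey);
  cachePhi("msg-1", { patient: "constructed sample", text: "constructed message" });
}

if (typeof window !== "undefined") {
  window.addEventListener("pagehide", purgeSession);
}

module.exports = { persist, cachePhi, getPhi, purgeSession, persistedKeysOutsideAllowlist, simulateLogin };
```

The point of routing every long-term write through `persist` is that the allowlist is checked in one place; a code review then only has to confirm that no other code path touches `localStorage` directly.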