Security and HIPAA Compliance

How does BloomText secure your data?

Information security is our highest priority here at BloomText. We design and engineer our products with strong data safeguards first-and-foremost in our minds, and in compliance with all relevant regulations and best practices.

The Quick Answer

BloomText secures all data we store, receive, and transmit using industry standard encryption. Protected health information (PHI) is only accessible to a small team of HIPAA-trained employees, and all access to PHI is logged and audited by our HIPAA Security Officer. Non-PHI data (e.g. usernames, organization details) is also secured with strict, need-to-know access controls, and all accesses are similarly logged. We take this very seriously.

Protected health information (PHI) is never persisted on any device that accesses BloomText. As soon as you leave the BloomText website or close the BloomText application all temporarily stored PHI is immediately purged.

BloomText gives administrators control over their organization’s member list, allowing them to restrict membership, receive membership related notifications, and remove users as needed. A removed user immediately loses access to all your organization’s data.

We are always available to answer your security and HIPAA questions.



BloomText has a Business Associates Agreement (BAA) in place with and uses Google Cloud as our hosting provider, where we utilize a number of HIPAA compliant services to build our products.

Data Access Policy

Access to BloomText services, and data stored by these services, is strictly controlled and restricted to only essential employees by BloomText. When service configurations or data are accessed, BloomText logs and reviews all relevant activities in a timely fashion. Employee access to protected health information (PHI) is restricted to a small team of HIPAA-trained engineers, and all PHI access is logged and aditionally audited by our HIPAA Security Officer.

In the unlikely event of unauthorized data access, BloomText security personnel will promptly inform all relevant parties of the security breach, in compliance with HIPAA disclosure regulations.

Privacy Policy

Read our privacy policy.

Business Associate Agreement

BloomText offers a free signed BAA for all our customers. View a copy of our BAA.

Client-Server Communications Security

All BloomText clients (Web, Mobile, Desktop) communicate with BloomText servers via SSL. SSL is terminated at a Google Cloud load balancer and requests are forwarded onto internal BloomText hosts. BloomText hosts communicate with each other over an isolated, secure IPSEC network.

PHI On BloomText Clients

BloomText clients do not store any PHI in long-term storage on user devices. All data required to run BloomText is re-synced from the server upon each login, and this data is purged from memory on user logout or when the application is terminated. The only BloomText information stored long-term on user clients are (1) a unique device identifier (2) the identity of the last user to log in to BloomText on the device and (3) a unique session key identifying the current BloomText session.