HIPAA Information
HIPAA compliance summary
Revised: March 27, 2025
Bloom is committed to supporting our clients by providing infrastructure and services that meet the requirements of the Health Insurance Portability and Accountability Act (HIPAA). As a HIPAA-compliant Cloud Service Provider (CSP), we ensure that our platform provides the necessary safeguards to securely store, process, and transmit Protected Health Information (PHI).
Business Associate Agreement (BAA)
Bloom offers a signed Business Associate Agreement (BAA) to covered entities and business associates, as required by HIPAA. This agreement outlines our responsibilities in protecting PHI and ensures a shared understanding of compliance roles.
Security Safeguards
Bloom implements all required technical, administrative, and physical safeguards under HIPAA, including:
- Data encryption: All data managed by Bloom is encrypted both in transit and at rest.
- Access controls: Role-based access, multifactor authentication (MFA), and least-privilege principles.
- Audit logging: System-level logs of access and activity for traceability and compliance reporting.
- Automatic backups: Secure, encrypted backups with disaster recovery support.
Infrastructure Controls
Our physical infrastructure is hosted in secure data centers that comply with standards such as SOC 2, SOC 3, CSA STAR Level 1, and APEC PRP. Access is limited, logged, and monitored 24/7.
Staff Training and Policies
All personnel undergo regular HIPAA training and operate under strict internal privacy and security policies. We maintain procedures for incident response, breach notification, and ongoing risk assessments.
What This Means for You
- Bloom can be safely used to store and process PHI.
- Bloom can help you meet your own HIPAA obligations by ensuring our infrastructure is secure and compliant.
- With our BAA in place, you can confidently store and process PHI using our services.
Contact
If you have any questions regarding this information, please do not hesitate to contact us.