Business Associate Agreement
Version 2026-07-13
This Business Associate Agreement (“BAA”) is effective when accepted electronically and is entered into between the practice or other legal entity identified during registration (“Customer”) and Bomi Health, Inc. (“Bomi”). To the extent Customer is a “Covered Entity” or “Business Associate” and Bomi creates, receives, maintains, or transmits PHI on Customer’s behalf, this BAA applies and Bomi acts as Customer’s “Business Associate” or “Subcontractor Business Associate,” as those terms apply under HIPAA.
1. Purpose, Scope, and Definitions
This BAA supplements the Terms of Service, each managed-services or other services agreement between the parties, and every applicable Order Form (each a “Services Agreement”). “Bomi Products” means every software product or managed service that Customer orders from Bomi under a Services Agreement, including Bomi EHR, Bomi Managed Billing, Bomi Credentialing, their integrations, and separately ordered optional features. To the extent Bomi creates, receives, maintains, or transmits Protected Health Information (“PHI”) in connection with a Bomi Product for or on behalf of Customer, Bomi acts as Customer’s Business Associate or Subcontractor Business Associate.
This is a master BAA covering all Bomi Products, even when separate Services Agreements govern their commercial terms. PHI remains subject to this BAA when it is exchanged, copied, or otherwise processed across Bomi Products. This master scope does not make one Bomi Product part of another or change the products, fees, or services included in a particular Services Agreement.
“Breach,” “Designated Record Set,” “Disclosure,” “Discovery,” “Electronic Protected Health Information” (“ePHI”), “Individual,” “Required by Law,” “Security Incident,” “Subcontractor,” “Unsecured PHI,” and “Use” have the meanings assigned by the Health Insurance Portability and Accountability Act of 1996, the Health Information Technology for Economic and Clinical Health Act, and their implementing regulations at 45 C.F.R. Parts 160 and 164, as amended (collectively, “HIPAA”). “PHI” includes ePHI. Capitalized terms not defined here have the meanings in the applicable Services Agreement.
2. Permitted Uses and Disclosures
Bomi may use and disclose PHI only:
- as necessary to provide the Bomi Products described in an applicable Services Agreement for or on behalf of Customer, including hosting, securing, backing up, transmitting, and displaying records to authorized users; operating Bomi EHR clinical, claims, billing, payment, Client Portal, support, and integration workflows; providing separately ordered Bomi Managed Billing and Bomi Credentialing services; and following Customer’s lawful instructions;
- as expressly permitted by this BAA; or
- as Required by Law.
Bomi will not use or disclose PHI in a manner that would violate Subpart E of 45 C.F.R. Part 164 if done by Customer, except for uses and disclosures expressly permitted below for Bomi’s proper management and administration or legal responsibilities. Bomi will limit uses, disclosures, and requests for PHI to the minimum necessary where HIPAA’s minimum-necessary standard applies.
Bomi may use PHI for its proper management and administration or to carry out its legal responsibilities. Bomi may disclose PHI for those purposes only if Required by Law or if Bomi obtains reasonable written assurances from the recipient that the PHI will remain confidential, will be used or further disclosed only as Required by Law or for the purpose disclosed, and the recipient will notify Bomi of any known breach of confidentiality.
Bomi will not use or disclose PHI for Bomi’s or a third party’s marketing or fundraising and will not directly or indirectly receive remuneration in exchange for PHI. This does not prohibit ordinary fees Customer pays for Bomi Products or permitted Business Associate services that are not payment for a sale or disclosure of PHI to another person.
3. Safeguards and Security Rule Compliance
Bomi will use appropriate administrative, technical, and physical safeguards to prevent uses or disclosures of PHI not permitted by this BAA. Bomi will comply, where applicable, with Subpart C of 45 C.F.R. Part 164 with respect to ePHI and with 45 C.F.R. Part 162 when conducting a Standard Transaction for or on behalf of Customer.
4. Subcontractors
Bomi will ensure that each Subcontractor that creates, receives, maintains, or transmits PHI on Bomi’s behalf enters into a written agreement imposing the same restrictions, conditions, and requirements concerning PHI that apply to Bomi under this BAA, as required by 45 C.F.R. §§ 164.502(e), 164.504(e), and 164.308(b). If Bomi knows of a material pattern or practice by a Subcontractor that violates that agreement, Bomi will take reasonable steps to cure the violation or end it and, if unsuccessful, terminate the relationship where feasible.
5. Reporting of Impermissible Uses, Disclosures, and Security Incidents
Impermissible Uses and Disclosures. Bomi will report to Customer, without unreasonable delay and no later than five business days after becoming aware, any Use or Disclosure of Customer’s PHI not permitted by this BAA, whether or not the event is ultimately determined to constitute a Breach of Unsecured PHI.
Security Incidents. Bomi will report to Customer, without unreasonable delay, any Security Incident affecting Customer ePHI of which Bomi becomes aware. Bomi will provide written preliminary notice no later than three business days after becoming aware of a successful or reasonably suspected Security Incident that Bomi reasonably believes (i) involves Customer ePHI or Customer’s access to or use of an affected Bomi Product and (ii) materially affects that Bomi Product or Customer’s use of it, requires notice to Customer under applicable law, or activates Bomi’s incident-response or disaster-recovery procedures based on the reasonably suspected impact to Customer ePHI or Customer’s use.
Bomi will provide written notice no later than five business days after Discovery of a Breach of Customer’s Unsecured PHI. The contractual deadlines of three business days and five business days are additional requirements and do not narrow the broader reporting obligations in this Section. These contractual targets do not extend any shorter deadline imposed by law.
Mitigation. Bomi will mitigate, to the extent practicable, any harmful effect known to Bomi resulting from a Use or Disclosure of PHI in violation of this BAA or from a Security Incident affecting Customer ePHI. Bomi will take reasonable steps to contain the event, preserve relevant evidence, and provide rolling updates.
To the extent known, an initial notice will describe the impermissible Use or Disclosure, Security Incident, or Breach; awareness, Discovery, and occurrence dates as applicable; affected systems; types of PHI; affected customers and Individuals; containment and mitigation; and known or anticipated impact. Bomi will provide rolling written updates as material facts become available, preserve relevant evidence consistent with law, reasonably cooperate with Customer’s investigation, and provide information required for notifications under 45 C.F.R. § 164.410.
Customer controls legally required notices to Individuals, HHS, state regulators, and media unless Customer expressly directs Bomi in writing to provide a notice and the parties agree on its content and delivery, except to the extent Bomi is independently required by applicable law to provide a notice or report. In that case, Bomi will, where legally permitted, coordinate with Customer and will not unreasonably delay either party’s compliance. Allocation of reasonable response costs is governed by the Services Agreement and responsibility for the event.
The parties acknowledge and agree that unsuccessful pings, port scans, failed authentication attempts, blocked malware, firewall events, and similar unsuccessful events that do not result in unauthorized access, Use, Disclosure, modification, destruction, or material interference are deemed reported upon acceptance of this BAA and require no separate notice unless they become part of a reportable pattern or result in an adverse event.
6. Individual Rights and Delegated Duties
If Bomi receives a request directly from an Individual concerning Customer-controlled PHI, Bomi will forward it to Customer within two business days and will not approve or deny it unless Customer has expressly delegated that authority in writing.
Bomi will make PHI maintained in a Designated Record Set available to Customer, or to the Individual or designee as directed by Customer, as necessary for Customer to satisfy 45 C.F.R. § 164.524. Bomi will provide responsive information under its control within five business days after Customer’s request unless the parties agree otherwise or a shorter legal deadline applies.
Bomi will make PHI in a Designated Record Set available for amendment and will incorporate amendments or take other measures as directed or agreed to by Customer under 45 C.F.R. § 164.526. Bomi will maintain and make available within ten business days the information under its control that Customer reasonably needs to provide an accounting of disclosures under 45 C.F.R. § 164.528.
To the extent Bomi carries out an obligation of Customer under Subpart E of 45 C.F.R. Part 164, Bomi will comply with the requirements of Subpart E applicable to Customer in performing that obligation. Bomi will make its internal practices, books, and records relating to PHI available to the Secretary of HHS for determining compliance with HIPAA.
7. Deidentification, Analytics, and AI
Bomi may use PHI to provide contracted analytics and health care operations services for or on behalf of Customer.
Customer authorizes Bomi to create information deidentified in accordance with 45 C.F.R. § 164.514(b) (“De-Identified Data”) from PHI in accordance with this Section. Bomi will use either a documented Expert Determination or HIPAA’s Safe Harbor method, including the required removal of identifiers and absence of actual knowledge that remaining information can identify an Individual. Bomi will address small groups, rare conditions, unusual combinations, and other reidentification risks through the applicable methodology. Neither Bomi nor a recipient acting for Bomi may attempt to reidentify an Individual or attribute De-Identified Data to Customer.
Bomi may use De-Identified Data for analytics, benchmarking, research, security, product improvement, and development of insights and tools. Bomi may not use PHI for independent research without a separate lawful basis and required documentation. Bomi will not sell PHI or identifiable Customer or patient information.
Bomi will not use PHI or other identifiable Customer Data to train, fine-tune, evaluate, or improve any general-purpose, cross-customer, product-specific, or customer-specific artificial-intelligence or machine-learning model unless Customer has expressly agreed in an applicable Order Form or other feature-specific writing and all required legal bases and individual authorizations have been obtained. This restriction does not prohibit Bomi’s permitted use of De-Identified Data under this Section, provided it remains deidentified and cannot reasonably be linked to an Individual or Customer.
Bomi may process identifiable Customer Data through an approved model solely for ordinary inference, customer-specific retrieval, summarization, transcription, or workflow processing needed to provide a Customer-specific feature expressly ordered by Customer and governed by an applicable Order Form or other feature-specific written terms. Each applicable model provider must be bound by appropriate privacy and security obligations, including a downstream BAA when required, and contractually prohibited from retaining inputs or outputs beyond the permitted processing or using them to train, fine-tune, evaluate, or improve its own or any third party’s models.
AI-generated output is draft output, may be incomplete or inaccurate, and must be reviewed and approved by an appropriately qualified Authorized User before it is used for clinical care, documentation, coding, claims, or patient communications.
The applicable Order Form or other feature-specific written terms will address recording and transcription consent; model and provider identity; prompt, transcript, and output retention; clinician review; prohibited autonomous decisions and patient-facing communications; state-specific restrictions; incident handling; and whether the feature is beta or production.
Customer may opt out of future use of its source data in cross-customer product-improvement analytics by written notice. The opt-out becomes effective within thirty days and survives termination. Bomi may continue customer-specific analytics. Previously created De-Identified Data, statistics, and non-reversible aggregate results may be retained, but Bomi will not create new cross-customer analytics from Customer’s source data after the effective date. Customer may opt back in by written notice.
8. Customer Obligations
Customer will:
- notify Bomi of limitations in its Notice of Privacy Practices that affect Bomi’s permitted uses or disclosures;
- notify Bomi of changes in an Individual’s permission, revocations, agreed restrictions, and confidential-communication requirements that affect Bomi’s processing;
- not request a use or disclosure that Customer could not lawfully make itself, except as expressly permitted for a Business Associate;
- ensure it has authority to provide PHI to Bomi and direct its processing, administer Authorized Users, and promptly disable unauthorized access; and
- remain responsible for approving or denying Individual requests unless decision-making authority is expressly delegated to Bomi in writing.
9. Term, Material Breach, and Termination
This BAA begins upon acceptance and remains effective while Bomi creates, receives, maintains, or transmits Customer’s PHI or until all such PHI is returned or destroyed in accordance with this BAA.
Customer may terminate this BAA as to an affected Bomi Product and the applicable Services Agreement if Bomi materially breaches this BAA and, where cure is reasonably possible, fails to cure or end the violation within thirty days after Customer’s written notice. Customer may require a shorter reasonable cure period when necessary to protect PHI or comply with law. Customer may terminate immediately as to the affected Bomi Product if the breach cannot reasonably be cured or creates a continuing material risk. Customer may suspend further disclosures of PHI where reasonably necessary to protect PHI or comply with law. Bomi may terminate an affected Bomi Product if Customer materially breaches this BAA and fails to cure within the same framework, subject to Bomi’s patient-access, return, and offboarding duties.
10. Return, Export, Retention, and Destruction
On termination, Bomi will provide the transition and export access stated in the Services Agreement and will return or destroy Customer’s PHI as Customer directs, where feasible. Available exports will be provided in reasonably accessible and usable electronic formats. Reasonable additional migration assistance may be provided under the Services Agreement at rates disclosed in advance.
After the applicable transition period, Bomi will delete PHI from active production systems, active replicas, and the systems of Subcontractors that maintain the relevant PHI, under documented procedures and applicable contractual controls, except where retention is Required by Law or subject to a legal hold. PHI in protected backups, archives, and logs will be isolated from ordinary product use, remain protected by this BAA, and become inaccessible or be overwritten through the ordinary documented retention cycle. Upon written request, Bomi will certify completion of deletion, subject to disclosed lawful retention, Subcontractor confirmation where applicable, and protected backup, archive, and log cycles.
If Bomi determines that return or destruction of PHI is infeasible, Bomi will notify Customer in writing of the conditions that make it infeasible, extend the protections of this BAA to retained PHI, and limit further uses and disclosures to the purposes that make return or destruction infeasible for as long as Bomi maintains the PHI.
11. Amendment and Order of Precedence
The parties will amend this BAA as necessary to comply with HIPAA or other applicable law. Bomi may present an amended BAA for affirmative electronic reacceptance by Customer’s authorized representative. An electronic record of acceptance has the same effect as a signed writing and must be retainable and accurately reproducible. If a change is Required by Law, it will become effective after notice to the minimum extent and on the date legally required even if Customer does not reaccept it. Any other amendment requires affirmative reacceptance; no posting alone amends a BAA previously accepted by Customer.
If this BAA conflicts with a Services Agreement concerning PHI, this BAA controls for every affected Bomi Product. If the parties later execute a written BAA that expressly replaces this BAA or expressly governs identified Bomi Products or PHI, the later, more specific BAA controls only for that stated scope and only to the extent of a conflict; this BAA remains effective for all other Bomi Products and PHI. Except as expressly modified here, each Services Agreement remains in effect, including its governing-law, notices, assignment, dispute, indemnification, and limitation-of-liability provisions to the extent they do not prevent either party from complying with HIPAA.
12. Interpretation, No Third-Party Beneficiaries, and Survival
Any ambiguity will be interpreted to permit both parties to comply with HIPAA and other applicable law. This BAA creates no third-party beneficiaries.
Provisions concerning PHI retained after termination, confidentiality, permitted uses of De-Identified Data, cooperation regarding incidents occurring during the Term, and provisions that by their nature should survive will survive termination.
Acceptance
This BAA may be accepted by checking an agreement box, electronic signature, execution of an Order Form that expressly incorporates this BAA, or another affirmative electronic acceptance method presented by Bomi. The individual accepting represents that they are authorized to bind Customer. Bomi will not create, receive, maintain, or transmit PHI for Customer before this BAA or another applicable written BAA is effective.
Bomi will maintain an acceptance record appropriate to the method used, including the accepted document version, Customer legal name, account and organization identifiers, acceptance method, signatory name and email, timestamp, and available IP address and user agent. Bomi will maintain an accurately reproducible copy of the accepted version and make a downloadable copy available to Customer.
Business Associate: Bomi Health, Inc., 1111B S Governors Ave STE 6453, Dover, DE 19904.