Client Portal Privacy Policy

Last Updated: July 13, 2026

1. Scope of This Policy

Bomi Health, Inc. (“Bomi,” “we,” “us,” or “our”) provides a client portal to participating healthcare professionals and practices (“Providers”). This Client Portal Privacy Policy describes how Bomi handles personal information when a Provider’s patient, client, parent, guardian, personal representative, or other authorized proxy (“you” or “your”) accesses or uses the Bomi client portal (the “Client Portal”).

“Bomi EHR” means Bomi’s hosted electronic health record and its related software features for claims, billing, payments, and the Client Portal. The Client Portal is the client-facing component of Bomi EHR. This Policy applies to the Client Portal, related authentication and service communications, support Bomi provides directly to portal users, and any future Bomi mobile application that links to this Policy.

“Bomi Managed Billing” means Bomi’s separately purchased managed billing service. It is not part of Bomi EHR or the Client Portal, even if your Provider directs an exchange of Portal Data between Bomi EHR and Bomi Managed Billing. This Policy applies to Portal Data within the Client Portal, including data received through such an exchange, but does not make Bomi Managed Billing part of the Client Portal or govern that managed service as a whole. A different Bomi privacy notice may apply to another website, product, or relationship. If a Bomi feature presents a more specific privacy notice, that notice controls only for the feature and information it covers. The Client Portal Terms of Service govern use of the Client Portal.

2. The Provider Controls the Health Record

This Policy is not your Provider’s HIPAA Notice of Privacy Practices and does not replace it. Your Provider determines why and how patient records are created, used, disclosed, retained, and made available through the Client Portal, subject to applicable law. Contact your Provider about its privacy practices, your care, the contents of your record, amendments, copies, restrictions, proxy access, or other patient rights.

Bomi primarily processes clinical and portal information on the Provider’s behalf. When the Provider is subject to HIPAA, Bomi acts as its business associate. If a customer is itself a business associate, Bomi may act as a subcontractor business associate. Bomi’s agreement with the Provider, including the applicable Business Associate Agreement (“BAA”), governs this processing. The BAA controls if this Policy conflicts with it concerning Protected Health Information (“PHI”).

Bomi may independently determine how to handle limited information for its own account administration, security, fraud prevention, direct support, legal compliance, and business operations. Those activities remain subject to this Policy, applicable law, and any governing agreement.

If your Provider separately purchases Bomi Managed Billing, the Provider may direct Bomi to exchange information between Bomi EHR and Bomi Managed Billing to keep records consistent and support its separate clinical-software and managed-billing workflows. That exchange does not make Bomi Managed Billing part of Bomi EHR or the Client Portal. The exchange remains subject to the Provider’s instructions, the applicable BAA, this Policy, and law. If records are subject to 42 C.F.R. Part 2, Bomi and the Provider must also apply the protections and permissions required by that law.

3. Information We Handle

“Portal Data” means personal information, records, files, communications, images, audio, video, payment information, and other content submitted to, received from, or generated through the Client Portal. The Portal Data Bomi handles depends on the features your Provider enables and how you use the Client Portal. It may include:

  • Identity, contact, and profile information: name, preferred name, date of birth, pronouns, email, phone number, address, emergency contacts, relationship to a patient, proxy or representative status, and identity-verification information;
  • Account and authentication information: profile associations, authentication events, agreement acceptances, notification preferences, records used to verify or secure access, and, if single sign-on is offered and you choose it, identifiers and authentication tokens supplied by the selected identity provider;
  • Health and care information: health history, symptoms, diagnoses, medications, treatment information, clinical notes made available by the Provider, consents, referrals, questionnaires, assessments, forms, signatures, and other PHI or sensitive health information;
  • Appointment and telehealth information: Provider, service type, date, time, location, scheduling requests, attendance, telehealth connection information, and information exchanged during a session where the relevant feature supports it;
  • Communications and files: secure messages, attachments, documents, images, audio, video, support requests, and other communications sent through or about the Client Portal;
  • Billing and insurance information: insurer, member and group identifiers, claims-related information, invoices, balances, transaction history, payment tokens, and limited payment method details handled through payment providers;
  • Device, log, and security information: IP address, browser and operating system, device and session identifiers, mobile-app installation and push-notification tokens, permissions you grant, approximate location derived from IP address, pages and features used, timestamps, authentication and audit events, crash data, and security signals; and
  • Support and legal information: correspondence with Bomi, privacy or legal requests, records used to verify identity or authority, and information needed to investigate and resolve an issue.

Payment card numbers and card-verification values may be collected directly by a payment processor rather than Bomi. Bomi does not retain card-verification values after authorization.

If a mobile app allows device-based biometric authentication, the operating system performs the biometric match and Bomi does not receive the device’s fingerprint, face scan, or biometric template. Before Bomi directly collects a biometric identifier or offers a different biometric-verification feature, Bomi will provide any separate notice, consent process, and public retention and destruction schedule required by law.

Bomi does not record telehealth audio or video by default. If Bomi or a Provider later enables recording, Bomi will provide separate notice and obtain all permissions required by law before recording. Any recording Bomi maintains for the Provider becomes Portal Data subject to the Provider’s instructions, the applicable BAA, and this Policy.

4. Where Information Comes From

We may receive personal information:

  • from you when you use the Client Portal or contact us;
  • from your Provider and its authorized workforce members when they create, maintain, or share a profile or record;
  • from a parent, guardian, personal representative, proxy, or another person authorized to interact with the Provider;
  • from Bomi EHR, Bomi Managed Billing if separately purchased by your Provider, and Provider-selected integrations, payers, clearinghouses, payment processors, laboratories, pharmacies, and other healthcare or service organizations, at the Provider’s direction; and
  • automatically from your browser, device, and interaction with the Client Portal.

5. Why We Handle Information

Subject to the Provider’s instructions, the BAA, and applicable law, Bomi handles personal information as reasonably necessary to:

  • provide the Client Portal and Provider-enabled Bomi EHR software features, including appointments, forms, documents, messages, telehealth access, claims and billing information, and payments;
  • create and associate profiles, authenticate users, verify authority, manage sessions, and prevent unauthorized access;
  • transmit information and instructions between you, your Provider, authorized representatives, and Provider-selected services;
  • exchange information between Bomi EHR and separately purchased Bomi Managed Billing when your Provider directs the exchange to support its separate clinical-software and managed-billing workflows;
  • send access links, reminders, receipts, security alerts, support responses, legal notices, and other service communications;
  • operate, maintain, support, debug, test, analyze, secure, develop, and improve the Client Portal and Bomi EHR for you and the Provider, consistent with the data-use limitations in Section 7;
  • detect and address fraud, abuse, security incidents, technical problems, and violations of applicable terms;
  • comply with law, respond to lawful process, protect legal rights and safety, and establish, exercise, or defend legal claims; and
  • carry out another purpose with legally sufficient permission.

Bomi does not make treatment decisions or determine how your Provider uses your health information to provide care. Automated security and fraud tools may flag activity for review, but Bomi does not use portal information to make decisions about your eligibility for healthcare, insurance, employment, credit, housing, or another similarly significant service.

6. When We Disclose Information

Bomi may disclose personal information only as permitted by the Provider’s instructions, the BAA, this Policy, and applicable law:

  • To your Provider: to make the Client Portal and its contents available to the Provider and its authorized workforce;
  • To authorized users and representatives: when the Provider has configured access or you have lawfully authorized another person, subject to permissions and applicable law;
  • To Bomi service providers: for hosting, security, support, communications, payment processing, and other services they perform for Bomi under written privacy, security, and confidentiality obligations, including a downstream BAA where HIPAA requires one;
  • To Provider-selected services: when the Provider directs Bomi to exchange information with an integration, payer, clearinghouse, payment processor, telehealth service, or another recipient;
  • Between Bomi EHR and Bomi Managed Billing: when the Provider has separately purchased Bomi Managed Billing and directs an exchange for its separate clinical-software and managed-billing workflows, subject to the applicable agreements, BAA, and access controls;
  • For legal, security, and safety reasons: when required by law or lawful process, or when reasonably necessary to investigate fraud, protect the Client Portal, defend legal rights, or prevent a serious threat, in each case subject to applicable legal and contractual limits; and
  • In a business transaction: in connection with a merger, financing, reorganization, bankruptcy, or sale of relevant assets, subject to continuing legal and contractual protections and required notice.

An independent service selected by you or your Provider is governed by its own privacy practices after receiving information at that direction. A service provider Bomi selects to operate the Client Portal is Bomi’s subprocessor; Bomi does not disclaim its own contractual or HIPAA obligations merely because it uses a subprocessor.

7. Data-Use Commitments

Bomi does not sell or license Portal Data, whether identifiable or deidentified, to data brokers, advertisers, employers, insurers, or unrelated third parties. Bomi does not use identifiable Portal Data for targeted or cross-context behavioral advertising or unrelated marketing.

Bomi may create or use information that has been properly deidentified or aggregated only when the Provider agreement and law permit it. Deidentified PHI must satisfy HIPAA’s deidentification standard, and Bomi will not attempt to reidentify it or attribute it to you or the Provider. Bomi contractually requires a recipient of deidentified information to maintain it in deidentified form, take reasonable measures against reidentification, and not attempt to reidentify it except where law expressly permits testing of the deidentification process. Product improvement and benchmarking across Providers use only properly deidentified or aggregated information.

Bomi may use properly deidentified or aggregated information for internal security, analytics, benchmarking, research, product development and improvement, and development of insights and tools. Bomi may disclose that information only to contracted service providers acting for Bomi under written use and reidentification restrictions or in benchmark, research, or similar outputs that do not identify and cannot reasonably be linked to an individual or Provider.

AI and Machine Learning

Identifiable Portal Data may be used as reasonably necessary to support, debug, test, secure, analyze, and improve Provider-specific functions for you and your Provider only when the Provider’s agreement, BAA, and law permit that processing. Cross-Provider analytics, benchmarking, research, and product development use only properly deidentified or aggregated information.

Bomi does not use PHI or other identifiable Portal Data to train, fine-tune, evaluate, or improve any general-purpose, cross-Provider, product-specific, or Provider-specific artificial-intelligence or machine-learning model unless the Provider has expressly agreed in an applicable Order Form or other feature-specific writing and all required legal bases and individual authorizations have been obtained. This restriction does not prohibit the use of properly deidentified or aggregated information described above, provided it remains deidentified and cannot reasonably be linked to you or a Provider.

Bomi may process identifiable Portal Data through an approved model solely for ordinary inference, Provider-specific retrieval, summarization, transcription, or workflow processing needed to provide a Provider-specific feature expressly ordered by the Provider and governed by an applicable Order Form or other feature-specific written terms. Each applicable model provider must be bound by appropriate privacy and security obligations, including a downstream BAA when required, and contractually prohibited from retaining inputs or outputs beyond the permitted processing or using them to train, fine-tune, evaluate, or improve its own or any third party’s models.

AI-generated output is draft output, may be incomplete or inaccurate, and must be reviewed and approved by an appropriately qualified Provider user before it is used for clinical care, documentation, coding, claims, or patient communications.

The applicable Order Form or other feature-specific written terms will address recording and transcription consent; model and provider identity; prompt, transcript, and output retention; clinician review; prohibited autonomous decisions and patient-facing communications; state-specific restrictions; incident handling; and whether the feature is beta or production.

Under Bomi’s BAA, your Provider may opt out by written notice to privacy@billwithbomi.com from future use of its source data in cross-Provider product-improvement analytics. The opt-out takes effect within thirty days and survives termination. Bomi may retain properly deidentified information, statistics, and non-reversible aggregate results created before the opt-out takes effect, but will not create new cross-Provider analytics from the Provider’s source data afterward.

No mobile information, including phone numbers and SMS opt-in data, will be shared with third parties or affiliates for marketing or promotional purposes. Bomi may provide that information to the Provider, messaging providers, and carriers only as necessary to honor your choices, deliver requested messages, and support messaging operations, not for their own marketing or promotion.

8. Cookies, Analytics, and Similar Technologies

The Client Portal uses cookies and similar technologies that are reasonably necessary for authentication, session continuity, preferences, security, fraud prevention, load balancing, and core operation. Bomi may also use limited first-party or contracted analytics, performance, and error-reporting technologies to understand and improve reliability. Bomi does not permit those providers to use authenticated Client Portal information for their own advertising or unrelated purposes.

Bomi does not permit third-party advertising or social-media pixels, cross-site behavioral tracking, session-replay technology, or keystroke capture on authenticated Client Portal pages. Other parties do not collect information there about your activities over time and across unrelated websites for advertising. Browser controls may allow you to block or delete necessary technologies, but doing so may prevent authentication or other Client Portal features from working.

Because Bomi does not track authenticated Client Portal users over time across unrelated websites for advertising, the Client Portal does not respond to legacy browser “Do Not Track” signals. Global Privacy Control and similar legally recognized opt-out signals address different covered activities; Bomi honors them where applicable law requires and a covered activity applies.

9. Your Choices and Privacy Requests

You may update information and communication preferences through available Client Portal features. Essential access, transaction, security, legal, and service communications are not marketing and may continue while relevant. Contact your Provider to change the email or phone number used by the Provider, correct a patient record, change proxy access, or stop using the Client Portal.

Depending on applicable law and Bomi’s role, you may have rights to know, access, correct, delete, or obtain a copy of personal information; restrict or object to processing; opt out of sale, targeted advertising, or certain profiling; appeal a decision; or use an authorized agent. Bomi does not discriminate against a person for exercising a privacy right. We may verify identity and authority before acting and may deny or limit a request where law permits, with an explanation and appeal instructions where required.

For information controlled by the Provider, contact the Provider first. Bomi will forward or assist with an authenticated request as required by its agreement and law but generally cannot alter, release, or delete the Provider’s record without the Provider’s instruction. For limited information Bomi controls directly, email privacy@billwithbomi.com and describe your Provider relationship and the right you wish to exercise.

Bomi responds within the period applicable law requires. Where a forty-five-day response period applies, Bomi may take a legally permitted extension after notifying you of the reason and revised due date.

Whether a state consumer-privacy or consumer-health law applies depends on statutory thresholds, exemptions, Bomi’s role, and the information involved. Any supplemental notice Bomi provides for a particular state, product, or data type controls if it conflicts with this general Policy for that information.

10. Retention and Deletion

The Provider controls retention of its patient and clinical records, subject to applicable law, professional duties, and its agreement with Bomi. Bomi retains Portal Data while directed by the Provider and as reasonably necessary to provide the Client Portal, and then deletes or returns it under the Provider agreement, BAA, and documented retention procedures.

Information remaining in protected backups is isolated from ordinary use, remains protected, and ages out under the ordinary backup lifecycle. A legal hold may preserve only affected information for as long as necessary. If PHI cannot feasibly be returned or destroyed, the BAA governs continued protection and restricted use.

Bomi may retain limited account, agreement-acceptance, transaction, security, support, privacy-request, and audit information under separate schedules based on legal, fraud-prevention, dispute, and operational needs. Properly deidentified information may be retained where the Provider agreement and law permit it. Loss of portal access does not necessarily mean the Provider’s underlying record has been deleted.

11. Security

Bomi maintains reasonable administrative, technical, and physical safeguards designed to protect personal information in light of its sensitivity and applicable law. These safeguards include encryption at rest and in transit, access controls, secure authentication, and audit logging. We limit access to personnel and providers with an appropriate need and confidentiality obligations. No system is completely secure, and Bomi cannot guarantee absolute security.

You can help protect information by securing your email account, devices, and authentication links; signing out of shared devices; not forwarding access links; and promptly reporting suspected unauthorized access to your Provider and support@billwithbomi.com. Security incidents concerning PHI are handled under the BAA and applicable law.

12. Minors and Proxy Access

A Provider may offer the Client Portal to a minor directly or through a parent, guardian, or other authorized representative when permitted by law. Bomi therefore does not state that it never receives personal information directly from a child. The Provider is responsible for determining who may consent to care and who may access particular records under applicable law.

A parent or guardian does not necessarily have access to every adolescent health record. The Provider’s policies and applicable law govern age screening, parental notice and consent, confidential services, proxy permissions, revocation, and transition of account control. Bomi may process information needed to verify an authorized relationship and apply the Provider’s access instructions. Contact the Provider with questions about a minor’s profile or records.

Child portal access is provisioned at the Provider’s direction. The Provider is responsible for providing required notices and obtaining verifiable parental consent before directing Bomi to collect personal information through Client Portal access for a child under thirteen when COPPA applies, unless an exception applies. Bomi remains responsible for duties that apply directly to Bomi and may require proof of authorization before enabling or continuing access.

If Bomi learns that it collected personal information from a child outside a Provider-directed or otherwise legally permitted context, Bomi will delete it unless applicable law requires retention and will take reasonable steps to prevent further unauthorized collection.

13. United States Processing

The Client Portal is presently intended for use in connection with United States Providers. Information may be processed in the United States and other locations used by authorized service providers, subject to contractual and legal protections. Bomi does not represent through this Policy that the Client Portal supports Canadian privacy or provincial health-information requirements. Canadian availability, if offered, requires applicable contractual terms and privacy disclosures.

14. Changes to This Policy

Bomi may update this Policy to reflect changes in its practices, law, or the Client Portal. We will post the updated date and provide appropriate advance notice of material changes through the Client Portal or by email. We will obtain consent where law requires it. A policy update does not retroactively authorize a materially different use of personal information or reduce protections promised by the BAA or another governing agreement.

15. Contact Us

Contact your Provider first for questions about its privacy practices, your care, your health record, or proxy access. For questions about this Policy or a privacy request concerning information Bomi controls, email privacy@billwithbomi.com. For technical support, email support@billwithbomi.com. Written correspondence may be sent to Bomi Health, Inc., Attn: Privacy, 1111B S Governors Ave STE 6453, Dover, DE 19904.

Bomi’s official email domain is billwithbomi.com. Bomi will not ask you by unsolicited email or text to disclose a Client Portal authentication link, full payment-card number, password, or one-time security code.

© 2026 Bomi Health