Privacy Policy
Last Updated: July 13, 2026
1. Scope of This Policy
Bomi Health, Inc. (“Bomi,” “we,” “us,” or “our”) provides an electronic health record and related software features, including software features for claims, billing, payments, and the Client Portal (“Bomi EHR” or the “Services”), to healthcare practices. “Bomi Managed Billing” means Bomi’s separately purchased managed billing service. It is not part of Bomi EHR or the Services, even if it exchanges information with or otherwise integrates with Bomi EHR. “Bomi Credentialing” means Bomi’s separately purchased managed credentialing and payer enrollment service. It also is not part of Bomi EHR or the Services. This Privacy Policy is a notice describing how Bomi handles personal information for its own business purposes, including information relating to our websites, prospective and current customer relationships, account administration, support, billing, security, and service communications.
This Policy is not a healthcare practice’s HIPAA Notice of Privacy Practices and does not replace one. A practice remains responsible for its own patient-facing notices and legal obligations. This Policy is also not a blanket consent to every use of personal information. Where law requires consent for a particular activity, we will request it separately.
This Policy does not cover personal information Bomi handles about job applicants, employees, or contractors in an employment or workforce context. Bomi provides a separate applicant or workforce notice where applicable law requires one.
The Client Portal Privacy Policy provides the more specific notice for patients, clients, and authorized representatives using the Client Portal. It controls if it conflicts with this Policy concerning the Client Portal experience or information handled through it.
2. Our Role Depends on the Context
Bomi’s legal role depends on the information, customer, and activity:
- Websites, sales, accounts, support, and security. Bomi generally determines why and how this information is handled and acts as an independent business or controller.
- Records for a HIPAA-covered practice. Bomi acts as the practice’s HIPAA business associate and service provider when it creates, receives, maintains, or transmits Protected Health Information (“PHI”) in connection with a Bomi product or managed service.
- Records for another type of customer. If a practice is not a HIPAA covered entity, or a customer is itself a business associate, Bomi acts as a service provider, processor, or subcontractor under the parties’ agreement and other applicable law.
- Patient-facing accounts. Bomi primarily processes portal and clinical information for the practice. Bomi may handle limited account, device, security, and direct-support information for authentication, fraud prevention, support, and legal compliance as explained in the Client Portal Privacy Policy when that portal is offered.
The Terms of Service and Business Associate Agreement (“BAA”) govern information Bomi processes on behalf of a customer. The BAA controls if this Policy conflicts with it about PHI. The healthcare practice controls its patient records and decides how they may be used, subject to law.
3. Information We Handle
Depending on the Services used, information may include:
- Contact and account information: name, email, practice affiliation, account role, authentication events, and agreement acceptances, including document version, timestamp, IP address, and user agent;
- Practice and professional information: legal and business names, addresses, specialties, professional licenses, credentials, identifiers such as NPI and tax identifiers, payer relationships, and directory or profile content;
- Clinical and practice records: patient demographics, registration, appointments, notes, diagnoses, treatment information, forms, questionnaires, assessments, messages, attachments, referrals, and audit history;
- Billing and payment information: claims, eligibility, payer and clearinghouse information, remittances, transaction history, payment tokens, refunds, and limited bank or card details handled through payment providers. Bomi does not retain card verification values after authorization;
- Communications: support requests, emails, forms, feedback, and other communications sent to us. We will provide notice before recording any support call;
- Device, log, and security information: IP address, browser and operating system, device identifiers, pages or features used, approximate location derived from IP address, timestamps, authentication and audit events, crash information, and security signals; and
- Integration information: information imported from or exchanged with customer-selected EHRs, payers, clearinghouses, payment providers, and other integrations at the customer’s direction.
We receive information directly from practices, authorized account users, patients using supported portal features, integrations and service providers, payers and clearinghouses, public professional sources, and automatically from use of the Services.
4. Why We Handle Information
We handle personal information as reasonably necessary to:
- provide, operate, maintain, secure, and support the Services;
- create accounts, authenticate users, manage permissions, and keep audit records;
- process appointments, records, claims, eligibility, payments, and other transactions at a customer’s direction;
- onboard customers, respond to questions, troubleshoot problems, and communicate about service or security matters;
- prevent fraud, abuse, unlawful activity, and threats to patients, customers, or the Services;
- improve the Services using operational information and properly deidentified or aggregated information as permitted by contract and law;
- send marketing to business contacts where permitted, subject to the right to opt out; and
- establish, exercise, or defend legal rights and satisfy legal, regulatory, tax, accounting, and contractual obligations.
5. PHI and Other Health Information
When Bomi is a business associate, we use and disclose PHI only as authorized by the BAA or required by law. This includes processing necessary to provide the contracted Services and permitted activities directed by the practice. Bomi does not independently determine treatment, payment, or healthcare-operations uses of a practice’s PHI. Bomi may deidentify PHI only if authorized by the BAA and only using a method permitted by HIPAA. We do not attempt to reidentify it.
Health-related information is not always PHI. Information associated with a non-HIPAA practice, a public website, or a direct Bomi activity may instead be protected by state consumer-health privacy laws, the FTC Act, contractual duties, or other law. We apply the customer’s instructions, our agreements, and applicable privacy protections rather than assuming HIPAA displaces those requirements.
Customers are responsible for identifying whether their organization or records are subject to 42 C.F.R. Part 2 or special rules governing psychotherapy notes, minors, HIV/STI information, genetic information, reproductive-health information, or other specially protected data. Such data should be submitted only where the Services and applicable contractual addenda support it.
6. Analytics, Cookies, Advertising, and AI
The Services use cookies necessary for authentication, security, and core functionality. We may use limited diagnostics, error monitoring, and first-party or service analytics to protect, operate, and improve the Services. Where a vendor receives PHI, Bomi uses it only for a HIPAA-permitted purpose and requires an appropriate BAA.
Bomi does not permit third-party advertising pixels, cross-site behavioral tracking, or session-replay technology on authenticated EHR or Client Portal pages. Bomi does not sell or license clinical, customer, or Client Portal information, whether identifiable or deidentified, to data brokers, advertisers, employers, insurers, or unrelated third parties. We do not use PHI or identifiable customer or Client Portal information for targeted advertising or “share” it for cross-context behavioral advertising. Because we do not conduct those activities, an opt-out signal such as Global Privacy Control does not change how authenticated Services operate. We will honor legally required browser opt-out signals if our practices change or a covered activity applies.
Bomi may use properly deidentified information and non-identifying aggregate results derived from it for internal security, analytics, benchmarking, research, product development and improvement, and development of insights and tools. Bomi may disclose that information only to contracted service providers acting for Bomi under written use and reidentification restrictions or in benchmark, research, or similar outputs that do not identify and cannot reasonably be linked to an individual or customer. Under the BAA, a customer may opt out by written notice to privacy@billwithbomi.com from future use of its source data in cross-customer product-improvement analytics. The opt-out takes effect within thirty days and survives termination; previously created deidentified data, statistics, and non-reversible aggregate results may be retained as provided in the BAA.
Bomi does not use PHI or other identifiable customer or Client Portal information to train, fine-tune, evaluate, or improve any general-purpose, cross-customer, product-specific, or customer-specific artificial-intelligence or machine-learning model unless the customer has expressly agreed in an applicable Order Form or other feature-specific writing and all required legal bases and individual authorizations have been obtained. This restriction does not prohibit the use of properly deidentified information and non-identifying aggregate results described above, provided they remain deidentified and cannot reasonably be linked to an individual or customer.
Bomi may process identifiable customer or Client Portal information through an approved model solely for ordinary inference, customer-specific retrieval, summarization, transcription, or workflow processing needed to provide a customer-specific feature expressly ordered by the customer and governed by an applicable Order Form or other feature-specific written terms. Each applicable model provider must be bound by appropriate privacy and security obligations, including a downstream BAA when required, and contractually prohibited from retaining inputs or outputs beyond the permitted processing or using them to train, fine-tune, evaluate, or improve its own or any third party’s models.
AI-generated output is draft output, may be incomplete or inaccurate, and must be reviewed and approved by an appropriately qualified authorized user before it is used for clinical care, documentation, coding, claims, or patient communications.
The applicable Order Form or other feature-specific written terms will address recording and transcription consent; model and provider identity; prompt, transcript, and output retention; clinician review; prohibited autonomous decisions and patient-facing communications; state-specific restrictions; incident handling; and whether the feature is beta or production.
7. When We Disclose Information
We may disclose information:
- to cloud hosting, communications, payments, support, security, error-monitoring, and other subprocessors that help operate the Services and are bound by appropriate written obligations;
- to a practice’s authorized users and to integrations, payers, clearinghouses, or healthcare participants at the practice’s lawful direction;
- when reasonably necessary to prevent fraud, protect safety or security, enforce our agreements, or protect legal rights;
- when required by law or valid legal process. Where lawful and appropriate, we notify the affected customer before disclosing customer-controlled information; and
- in a merger, financing, acquisition, reorganization, bankruptcy, or sale of relevant assets, subject to continuing contractual and legal protections and notice where required.
No mobile information, including phone numbers and SMS opt-in data, will be shared with third parties or affiliates for marketing or promotional purposes. Bomi may disclose that information to messaging providers and carriers only as necessary to deliver requested messages and support messaging operations, not for their own marketing or promotion.
A provider a customer independently selects is governed by that provider’s terms. A provider Bomi selects to operate the Services is Bomi’s subprocessor; Bomi does not disclaim its own contractual or HIPAA obligations merely because it uses a subprocessor.
8. Security
Bomi maintains reasonable administrative, technical, and physical safeguards designed to protect personal information in light of its sensitivity and applicable law. These safeguards include encryption at rest and in transit, access controls, secure authentication, and audit logging. We limit access to personnel and providers with an appropriate need and confidentiality obligations. No system is completely secure, and Bomi cannot guarantee absolute security.
Customers and users also have important responsibilities, including protecting email accounts, authentication links and devices, assigning appropriate permissions, and securely handling exported information. Security incidents concerning PHI are handled under the BAA; other incidents are handled under applicable law and agreement.
9. Retention and Deletion
A customer controls retention of its clinical records, subject to law and the parties’ agreement. HIPAA itself does not establish a medical-record retention period; requirements may arise from state law, professional duties, payer rules, or customer policy. During the customer relationship, Bomi retains Customer Data as needed to provide the Services and follow lawful customer instructions.
Following termination, authorized users have the transition and export period stated in the Terms of Service. After that period, Bomi deletes Customer Data from active systems under its documented procedures, unless earlier deletion is requested or retention is legally required. Data remaining in protected backups is isolated from ordinary use, remains protected, and ages out under the ordinary backup lifecycle. A legal hold may preserve only affected information for as long as necessary. If PHI cannot feasibly be returned or destroyed, the BAA governs continued protection and restricted use.
Account, agreement-acceptance, billing, tax, security, and audit information may follow separate schedules based on legal, fraud-prevention, dispute, and operational needs. Properly deidentified information may be retained where permitted by the BAA and law. We do not claim that every copy is immediately erased when deletion begins.
10. Privacy Choices and Requests
You may update available account information through the Services. Business contacts may unsubscribe from marketing using the link in a message; essential service, legal, billing, and security messages are not marketing and continue while relevant.
Depending on applicable law and Bomi’s role, you may have rights to know, access, correct, delete, or obtain a copy of personal information; restrict or object to processing; opt out of sale, targeted advertising, or certain profiling; appeal a decision; or use an authorized agent. Bomi does not discriminate against a person for exercising a privacy right. We may verify identity and authority before acting and may deny or limit a request where law permits, with an explanation and appeal instructions where required.
For patient records controlled by a practice, contact the practice first. We will forward or assist with an authenticated request as required by our agreement and law, but we generally cannot change or release a practice’s records without its instruction. For information Bomi controls directly, submit a request to privacy@billwithbomi.com and describe your relationship with Bomi and the right you wish to exercise.
Whether a particular state privacy law applies depends on statutory thresholds, exemptions, Bomi’s role, and the data involved. If Bomi becomes subject to additional notice-at-collection, consumer-health, or state-specific requirements, the applicable supplemental notice will control for that information.
11. Minors and Portal Access
The provider-facing Services are intended for authorized workforce members, not children. Bomi may nevertheless process information about minors for a practice and, where supported and lawfully configured, a minor may interact with a patient-facing portal directly or through a parent, guardian, or other proxy. We therefore do not state that Bomi never collects information directly from a child.
The practice is responsible for determining who may consent to care and who may access particular records under applicable state law. A parent or guardian does not necessarily have access to every adolescent health record. Portal eligibility, age screening, consent, proxy access, revocation, confidential services, and transition of account control are governed by the practice’s policies, applicable law, and the Client Portal Terms when the portal is offered. Bomi does not knowingly operate a child-directed consumer service without implementing legally required parental notice and consent.
If Bomi learns that it collected personal information from a child outside a practice-directed or otherwise legally permitted context, Bomi will delete it unless applicable law requires retention and will take reasonable steps to prevent further unauthorized collection.
12. United States Processing
The EHR Services and this Policy are presently intended for United States practices. Information may be processed in the United States and other locations used by authorized service providers, subject to contractual and legal protections. Bomi does not represent through this Policy that the Services support Canadian privacy or provincial health-information requirements. Canadian availability, if offered, requires applicable contractual terms and privacy disclosures.
13. Changes to This Policy
We may update this Policy to reflect changes in our practices, law, or the Services. We will post the updated date and provide appropriate advance notice of material changes through the Services or by email. We will obtain consent where law requires it. A policy update does not retroactively authorize a materially different use of information or reduce protections promised by the BAA or another agreement.
14. Contact Us
For privacy questions or requests, contact privacy@billwithbomi.com. For general support, contact support@billwithbomi.com. Written correspondence may be sent to Bomi Health, Inc., Attn: Privacy, 1111B S Governors Ave STE 6453, Dover, DE 19904.