HIPAA

Details on how Blue handles Protected Health Information (PHI) in accordance with HIPAA regulations.


Last updated: April 12, 2026

1. Introduction

This HIPAA Compliance page explains how Bloo, Inc. (“we”, “us”, or “Blue”) protects the privacy and security of Protected Health Information (PHI) in accordance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and its implementing regulations. This page applies to our platform at blue.cc when used to handle PHI.

This page supplements our Terms of Service, Privacy Policy, and Data Processing Agreement. For the contractual obligations governing PHI, see our Business Associate Agreement.

2. Definitions

  • Protected Health Information (PHI): Any information about health status, provision of health care, or payment for health care that can be linked to a specific individual.
  • Covered Entity: Health care providers, health plans, and health care clearinghouses that transmit health information electronically.
  • Business Associate: A person or entity that performs certain functions or activities that involve the use or disclosure of PHI on behalf of, or provides services to, a Covered Entity.

3. Our Role

Blue acts as a Business Associate to Covered Entities when our platform is used to handle PHI. We are committed to complying with HIPAA regulations in this capacity.

4. PHI We May Handle

As a Business Associate, we may handle various types of PHI, including but not limited to:

  • Patient names
  • Addresses
  • Dates (birth, admission, discharge, etc.)
  • Phone numbers
  • Email addresses
  • Medical record numbers
  • Account numbers
  • Health plan beneficiary numbers

5. Use and Disclosure of PHI

We will only use or disclose PHI as permitted by our Business Associate Agreement with the Covered Entity and in compliance with HIPAA regulations. This may include:

  • Providing our process management platform services
  • Conducting data analysis to improve our services
  • Performing system maintenance and troubleshooting

We will not use or disclose PHI for marketing purposes or sell PHI unless explicitly authorized by the Covered Entity and the individual.

6. AI and Automated Scanning

Blue’s automated compliance scanning systems may process metadata associated with PHI (including file names, file sizes, upload dates, and file types) for the purposes of Terms of Service enforcement, abuse detection, and platform safety. Automated scanning systems do not access or process the contents of files containing PHI. All enforcement decisions related to accounts covered by a Business Associate Agreement are made by humans.

For details on Blue’s general content scanning practices, see Section 5.4 of our Privacy Policy and Section 10.4 of our Terms of Service.

7. Data Security Measures

We implement robust security measures to protect PHI, including:

  • Enterprise-level encryption (AES-256) for data at rest and in transit
  • Advanced monitoring and alert systems
  • Multi-factor authentication (MFA) for backend systems
  • Regular third-party security audits
  • Daily data backups
  • Collaboration with external security researchers

8. Employee Training and Access

All our employees receive regular training on HIPAA compliance. Access to PHI is restricted to authorized personnel on a need-to-know basis.

9. Data Retention

We retain PHI only for as long as necessary to provide our services or as required by law. Upon termination, PHI is deleted from active systems within 90 days and from backups within 90 days of deletion from active systems, consistent with our Data Processing Agreement.

10. Data Storage and Transfer

PHI is stored encrypted at rest in EU data centers (Germany). All data processing infrastructure is located within the European Union. We ensure appropriate safeguards are in place and comply with all applicable laws and regulations for any data transfers.

11. Breach Notification

In the event of a breach of unsecured PHI, we will notify affected Covered Entities without unreasonable delay and in no case later than 60 calendar days after discovery of the breach, as required by HIPAA. For data breaches subject to GDPR, the notification timeline set forth in the Data Processing Agreement (72 hours) applies.

12. Individual Rights

We will assist Covered Entities in fulfilling their obligations to provide individuals with their rights under HIPAA, including:

  • Right to access their PHI
  • Right to request amendments to their PHI
  • Right to an accounting of disclosures
  • Right to request restrictions on use and disclosure of their PHI
  • Right to request confidential communications

Individuals should contact their healthcare provider (the Covered Entity) to exercise these rights.

13. Business Associate Agreements (BAAs)

As a Business Associate, Blue is committed to entering into Business Associate Agreements (BAAs) with Covered Entities as required by HIPAA. A signed BAA must be in place before any PHI is processed through our platform.

To request a BAA, contact [email protected]. Our team will respond within 2 business days.

Please note:

  • We use a standard BAA template that has been reviewed by our legal team for HIPAA compliance.
  • Any modifications to our standard BAA may require additional review and approval.
  • We recommend that you have the BAA reviewed by your own legal counsel before signing.

14. Changes to This Policy

Changes to this HIPAA Compliance page are governed by Section 19 of our Terms of Service.

15. Contact Us

If you have any questions about this HIPAA Compliance page, our data practices, or our BAA process, please contact:

Emanuele Faja, CEO
Email: [email protected]