Get the app
Get the app
All legal documents

Legal

HIPAA Security & Compliance Policy

Pressor Systems LLC

Effective Date: May 23, 2026

This policy explains how Bolus is designed to support secure handling of sensitive information and what users must do to use the app responsibly in clinical settings.

Bolus is developed and operated by Pressor Systems LLC.

Security Highlights

  • Local-first clinical records: clinical case records are generally stored primarily on the user’s device.
  • Mandatory authentication: access to Bolus and case logs requires biometric authentication and/or a secure device passcode, password, or comparable device-supported method.
  • Device-supported encryption: app data is protected using security features supported by the device and operating system.
  • User-controlled exports: users decide when and where records are exported, transmitted, printed, uploaded, or shared.
  • Remote account data: certain account, profile, settings, snippets, templates, analytics, subscription, and legal acceptance data may be stored remotely to support app functionality.
  • User responsibility: HIPAA compliance depends on how the user secures devices, handles records, exports data, and follows institutional policies.
  • Future hosted features: cloud backup, sync, or hosted PHI features may require additional safeguards, terms, and business associate documentation where applicable.

1. Purpose of This Policy

Bolus is built to support anesthesia and clinical documentation workflows. This policy explains the app’s security model and the user’s responsibilities when handling protected health information (“PHI”) or other sensitive information.

This policy is intended to support safe use of Bolus. It does not replace the user’s independent obligations under HIPAA, the HITECH Act, applicable state privacy laws, professional obligations, or workplace policies.

2. Local-First Clinical Record Architecture

Bolus is designed around a local-first architecture for clinical case records. In general, clinical records and patient-related case data are stored primarily on the user’s device rather than on servers operated by Pressor Systems.

This design is intended to reduce unnecessary cloud exposure of patient-related information and keep clinical records under the direct control of the clinician using the app.

In general:

  • case logs and clinical records are stored primarily on the user’s device;
  • Pressor Systems does not routinely receive or store full clinical case records on Bolus-operated systems;
  • users control when records are exported, transmitted, uploaded, printed, or shared outside the app;
  • records stored only on a device may not be recoverable by Pressor Systems if the device is lost, damaged, reset, wiped, or the app is deleted.

Local-first storage can reduce certain risks, but it does not eliminate HIPAA or other privacy and security obligations.

3. Data That May Be Stored or Synced Remotely

Although clinical case records are generally local-first, certain non-clinical or account-related information may be stored remotely to operate the Service and support account functionality.

This may include:

  • account information;
  • name, email address, title, degree, practice, institution, or organization;
  • uploaded profile images or profile images provided through Apple, Google, or another authentication provider;
  • subscription and entitlement information;
  • app settings and preferences;
  • user-created snippets or quick phrases;
  • user-created templates;
  • usage analytics and operational metrics;
  • crash reports and diagnostic data;
  • legal acceptance records, including accepted policy versions and timestamps.

Users should avoid placing patient identifiers, PHI, or patient-specific clinical details into profile fields, settings, snippets, templates, support messages, or other reusable content unless a specific feature is designed, authorized, and appropriately safeguarded for that purpose.

4. Mandatory Authentication and Device Security

Access to Bolus and case logs requires mandatory authentication using security protections supported by the user’s device. These protections may include biometric authentication and/or a secure device passcode, password, or comparable device-supported authentication method.

Users may not disable, bypass, weaken, or interfere with authentication or access-control protections required by Bolus.

Because Bolus may store clinical records locally, the user’s device is a critical part of the security environment. Users are responsible for maintaining appropriate device security, including:

  • using a secure device passcode or password;
  • enabling biometric authentication when available and appropriate;
  • ensuring only authorized persons can unlock the device;
  • ensuring only authorized persons are enrolled in biometric access;
  • keeping the device and operating system updated;
  • using automatic screen lock;
  • maintaining physical control of the device;
  • using remote tracking or remote wipe features when available and appropriate.

If an unauthorized person can unlock the device, that person may be able to access sensitive information stored in or accessible through Bolus.

5. Required User Safeguards

Users are responsible for using Bolus in a manner consistent with HIPAA, applicable law, professional obligations, and institutional policy.

Users should not:

  • share their Bolus account credentials with unauthorized persons;
  • leave a device unlocked or unattended in a way that could expose PHI;
  • allow unauthorized individuals to use their device or account;
  • export PHI to unsecured email, cloud storage, messaging systems, or file-sharing tools;
  • store PHI in snippets, templates, settings, profile fields, or reusable content unless specifically authorized and appropriately safeguarded;
  • send PHI to Bolus support unless specifically instructed through an authorized secure workflow;
  • use Bolus in a manner prohibited by their employer, institution, facility, practice, or applicable law.

Users remain responsible for determining whether Bolus is appropriate for their specific practice setting and workflow.

6. Exporting and Sharing PHI

Bolus may allow users to export, print, upload, transmit, share, or store records outside the app.

When records leave Bolus, users are responsible for selecting lawful, secure, and appropriate destinations and transmission methods. Exports should be sent only through secure, authorized, and institution-approved workflows.

Examples of potentially appropriate workflows may include approved electronic health record systems, secure clinical storage systems, or other secure channels authorized by the user’s institution or practice.

Users should avoid transmitting PHI through unsecured or unapproved systems.

Once a record is exported, transmitted, uploaded, printed, copied, edited, stored, or shared outside Bolus, Pressor Systems may have no ability to control, retrieve, correct, delete, monitor, verify, or secure that information.

7. Snippets, Templates, Settings, and Reusable Content

Bolus may allow users to create, store, and sync snippets, quick phrases, templates, settings, preferences, and other reusable content.

These features are intended to support workflow efficiency. They are not intended to store patient-specific information unless a specific feature expressly supports that use and includes appropriate safeguards.

Users should not include patient names, dates of birth, medical record numbers, procedure-specific patient identifiers, or other PHI in snippets, templates, profile fields, settings, or reusable content unless specifically authorized and appropriate for the feature.

Users are responsible for reviewing reusable content before using it in clinical documentation to ensure it is accurate, appropriate, and does not introduce incorrect or patient-specific information into the wrong record.

8. Support Communications and PHI

Users should not send PHI, patient identifiers, case logs, exported records, screenshots containing patient information, or clinical documents to Pressor Systems through general support channels unless specifically instructed through an authorized secure workflow.

If a user voluntarily sends PHI or patient-related information to Pressor Systems outside an approved secure process, the user is responsible for ensuring that the disclosure is lawful, authorized, and consistent with applicable privacy and institutional requirements.

Pressor Systems may use support communications, diagnostic information, screenshots, logs, or attachments provided by users to troubleshoot issues, improve the Service, and respond to user requests, subject to applicable law and the Bolus Privacy Policy.

9. Legal and Professional Obligations

Users remain responsible for complying with:

  • HIPAA;
  • the HITECH Act;
  • applicable state privacy and security laws;
  • professional confidentiality obligations;
  • employer, practice, hospital, ambulatory surgery center, dental office, or facility policies;
  • medical staff rules;
  • payer requirements;
  • record retention requirements;
  • credentialing and quality review requirements.

Bolus provides software tools and safeguards, but Pressor Systems does not control the user’s clinical environment, device management, institutional access policies, workforce compliance, export destinations, or professional documentation practices.

10. Security Incidents, Breach Response, and User Responsibility

Users are responsible for promptly following their employer, practice, facility, or institutional policies for reporting, investigating, and responding to suspected privacy or security incidents involving:

  • lost or stolen devices;
  • unauthorized access to a device or Bolus account;
  • improper exports or transmissions;
  • disclosure of PHI to the wrong recipient;
  • use of unsecured or unauthorized systems;
  • compromised credentials;
  • records stored or shared outside Bolus.

Pressor Systems is not responsible for HIPAA violations, privacy breaches, unauthorized disclosures, data loss, or compliance failures caused by a user’s acts or omissions, including failure to secure a device, restrict access, use authorized workflows, maintain appropriate safeguards, or handle patient records in accordance with applicable law and institutional policy.

11. Data Loss, Retention, and Recovery

Local-first storage reduces unnecessary cloud exposure, but it also means recovery may be limited.

Records may become unavailable or permanently lost if a device is lost, stolen, damaged, reset, wiped, compromised, deleted, or otherwise rendered inaccessible, or if the application is deleted.

Pressor Systems may not be able to recover records stored only on the user’s device.

Users are responsible for exporting, retaining, archiving, and preserving records when required for legal, billing, clinical, professional, payer, credentialing, or institutional purposes.

12. Future Cloud or Hosted PHI Features

Bolus may offer additional hosted or cloud-based features in the future, such as backup, synchronization, collaboration, hosted record storage, or multi-device clinical record access.

If those features involve PHI or other regulated information, additional safeguards, disclosures, user choices, supplemental terms, and business associate documentation may apply where legally required.

Users should not assume that a feature is authorized for PHI unless the feature, documentation, or applicable terms expressly indicate that it is designed for that purpose.

13. Security Limitations

No app, device, server, network, storage system, or transmission method can be guaranteed to be completely secure.

Bolus is designed to support secure documentation workflows, but good security also depends on how the user manages the device, controls access, handles exports, stores records, and follows institutional policies.

14. User Acknowledgment and Responsibility

By accessing or using Bolus, you acknowledge that you have read and understand this HIPAA Security & Compliance Policy and agree to use the Service in a manner consistent with the safeguards described in this policy, applicable law, and the privacy and security requirements of your employer, practice, hospital, ambulatory surgery center, dental office, or other institution.

You acknowledge and agree that you are responsible for maintaining HIPAA-compliant practices in connection with your use of Bolus, including how you access, store, export, transmit, share, retain, and safeguard PHI.

Pressor Systems LLC is not responsible for any HIPAA violation, privacy breach, unauthorized disclosure, loss of PHI, or other compliance failure caused by your acts or omissions, including your failure to follow this policy, secure your device, restrict access, use authorized workflows, avoid inappropriate storage of PHI in reusable content, or otherwise handle patient records in accordance with applicable law and institutional requirements.

15. Questions

Questions about this policy should be directed to:

Pressor Systems LLC

Email: contact@bolusanesthesia.com

Website: bolusanesthesia.com