Business Associate Agreement

Last Updated: September 17, 2024

This Business Associate Agreement (“Agreement”) is supplemental to and made pursuant to the Fathom standard terms available at https://fathom.video/terms, Service and License Agreement or the relevant agreement executed between Fathom and Customer for Fathom’s provision of the Service (the “Service Agreement”) as of the effective date of such Service Agreement (“Effective Date”) and is by and between Fathom Video Inc., a Delaware corporation (“Business Associate”), and the Customer that executed or entered into the Service Agreement (“Covered Entity”). By entering into the Service Agreement as a Covered Entity, Covered Entity agrees to the terms of this Agreement.

Recitals

  1. Business Associate and Covered Entity are engaged in a business relationship pursuant to the terms of a Service Agreement whereby Covered Entity purchases and Business Associate provides certain software-based products and related services to Covered Entity (“Business Relationship”).
  2. As part of the Business Relationship, Business Associate performs or assists in performing a function or activity for or on behalf of Covered Entity that may involve the access, maintenance, transmission, creation, use or disclosure of Protected Health Information as defined in 45 CFR 160.103 (“PHI”).
  3. The parties desire to enter into this Agreement for the purpose of safeguarding PHI in compliance with the requirements of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), the Health Information Technology Economic and Clinical Health Act of 2009 and associated implementing regulations, including, without limitation, Privacy Regulations and Security Regulations (collectively, “HIPAA Regulations”).

NOW, THEREFORE, for good and valuable consideration, the receipt and sufficiency of which is hereby acknowledged, the parties agree as follows:

  1. Definitions. All terms used, but not otherwise defined, in this Agreement, shall have the same meaning ascribed to them in the HIPAA Regulations.
  2. Obligations and Activities of Business Associate.
    1. Use and Disclosure of PHI. Business Associate agrees not to Use or Disclose PHI other than as permitted or required by this Agreement or as required by law.
    2. Safeguards. Business Associate agrees to implement and at all times utilize all appropriate safeguards and shall comply with the Security Regulations with respect to electronic PHI to prevent any Use or Disclosure of the PHI other than as provided for by this Agreement.
    3. Minimum Necessary Standard. Business Associate agrees to access, request, Use or Disclose only the minimum necessary PHI to accomplish the intended purposes of the Business Relationship.
    4. Reporting. Business Associate agrees to report to Covered Entity in writing any Use or Disclosure of PHI not provided for by this Agreement (“Incident”) without unreasonable delay and no later than five (5) days following discovery of the Incident by Business Associate.
    5. Subcontractors. Business Associate shall ensure that any subcontractor of Business Associate that creates, receives, maintains, or transmits PHI on behalf of Business Associate to fulfill Business Associate’s obligations to Covered Entity, agrees in writing, to the same restrictions, conditions and requirements that apply through this Agreement to Business Associate with respect to such information.
    6. Access to PHI. To enable Covered Entity to respond to a patient’s request to access the patient’s PHI, Business Associate agrees to make available within a reasonable time, not to exceed twenty (20) calendar days of receiving a request for access, PHI in a Designated Record Set, to Covered Entity in order to meet the requirements under the Privacy Regulations. If Business Associate uses or maintains an electronic health record with respect to PHI, Business Associate shall provide such PHI in electronic format, if requested, to enable Covered Entity to fulfill its obligations under the HITECH Act and the Privacy Regulations.
    7. Amendment of PHI. To enable Covered Entity to respond to a patient’s request to amend the patient’s PHI, Business Associate agrees, within a reasonable time, not to exceed twenty (20) calendar days of receiving a request for amendment, to make available PHI for amendment and incorporate any amendment(s) to PHI in a Designated Record Set that the Covered Entity agrees to in accordance with the Privacy Regulations.
    8. Disclosures to Secretary of DHHS. Business Associate agrees to (i) make its internal practices, books, and records relating to the Use and Disclosure of PHI received from, or created or received by Business Associate on behalf of, Covered Entity available to the Secretary, in the time and manner as designated by the Secretary, for purposes of the Secretary determining Covered Entity’s compliance with the HIPAA Regulations, and (ii) provide Covered Entity with a copy of all documents made available to the Secretary within three (3) days of providing such documents to the Secretary.
    9. Accounting of Disclosures. Business Associate agrees to document such disclosures of PHI and information related to such disclosures as would be required for Covered Entity to respond to a request by an individual for an accounting of disclosures of PHI in accordance with the Privacy Regulations. Within twenty (20) calendar days of receiving a request for accounting, Business Associate agrees to make available to Covered Entity the following information concerning such disclosures: the date of the disclosure, the name and address (if known) of the recipient, a brief description of the PHI disclosed, and a brief statement regarding the purpose of such disclosure.
    10. Additional Compliance Requirements. Business Associate shall (i) comply with the Security Regulations and all other requirements of the HIPAA Regulations applicable to Business Associate; (ii) maintain and transmit all PHI in an encrypted manner which complies with DHHS issued guidance regarding securing PHI, and (iii) comply with applicable state laws concerning use or disclosure of PHI, provided that any patient and other notifications required under such laws shall be made only consistent with the requirements specified in Section II(d) above. To the extent Business Associate is to carry out a Covered Entity’s obligation under the Privacy Regulations, Business Associate shall comply with the requirements of the Privacy Regulations that apply to Covered Entity in the performance of such obligation.
  3. Permitted Uses and Disclosures by Business Associate.

    Except as otherwise limited in this Agreement, Business Associate may Use or Disclose PHI as necessary for performance of its obligations to Covered Entity in the Business Relationship and may:

    1. Use PHI for the proper management and administration of the Business Associate or to carry out the legal responsibilities of the Business Associate;
    2. Disclose PHI for the proper management and administration of the Business Associate or to carry out legal responsibilities of Business Associate, provided that disclosures are required by law, or Business Associate obtains reasonable assurances from the person to whom the information is disclosed that it will remain confidential and be used or further disclosed only as required by law or for the purpose for which it was disclosed to the person, and the person notifies the Business Associate of any instances of which it is aware in which the confidentiality of the information has been breached;
    3. de-identify PHI and may Use and Disclose de-identified information for any purpose; and
    4. use PHI to provide Data Aggregation services related to the healthcare operations of the Covered Entity consistent with the HIPAA Regulations, solely if requested in writing by Covered Entity.
  4. Agreements and Obligations of Covered Entity.
    1. Covered Entity shall make its Notice of Privacy Practices available to Business Associate by publishing the Notice of Privacy Practices on Covered Entity’s website.
    2. Covered Entity shall provide Business Associate with notice of any changes in, or revocation of, a patient’s authorization to Use or Disclose PHI, if such action would, in Covered Entity’s determination, affect Business Associate’s permitted or required Uses or Disclosures of PHI.
    3. Covered Entity shall not request Business Associate to Use or Disclose PHI in any manner that would not be permissible under Subpart E of 45 CFR Part 164 if done by Covered Entity, other than as permitted hereunder.
    4. Covered Entity shall notify Business Associate of any restriction to the Use or Disclosure of PHI that Covered Entity has agreed to in accordance with 45 CFR 164.522 if such restriction would, in Covered Entity’s determination, affect Business Associate’s permitted or required Uses or Disclosures of PHI.
  5. Additional Restriction on Uses and Disclosures.

    Business Associate may not Use or Disclose PHI if such use and disclosure would violate the Privacy Regulations if performed by Covered Entity, subject to the provisions of Section III of this Agreement.

  6. Term and Termination.
    1. Term. The term of this Agreement shall be effective as of the Effective Date and shall terminate when all of the PHI provided by Covered Entity to Business Associate, or created or received by Business Associate on behalf of Covered Entity, is destroyed or returned to Covered Entity.
    2. Termination for Cause. Upon knowledge of either party of a material breach of the other party of the terms of this Agreement, the non-breaching party shall provide an opportunity for the breaching party to cure the breach or end the violation. If the breaching party does not cure the breach or end the violation within the time specified by the non-breaching party, which time shall not be less than thirty (30) days, then the non-breaching party shall have the right to terminate this Agreement. In the event the Covered Entity properly terminates this Agreement under this section VI(b) and if Business Associate necessarily has access to PHI through its provision of the Business Relationship, the Covered Entity shall have the right and ability to terminate the Business Relationship and the Service Agreement.
    3. Effect of Termination.

      Upon termination of this Agreement for any reason, Business Associate, with respect to PHI received from Covered Entity, or created, maintained, or received by Business Associate on behalf of Covered Entity, shall:

      1. Retain only that PHI which is necessary for Business Associate to continue its proper management and administration or to carry out its legal responsibilities;
      2. Return to Covered Entity or, if agreed to by Covered Entity, destroy, the remaining PHI that the Business Associate still maintains in any form;
      3. Continue to use appropriate safeguards and comply with Subpart C of 45 CFR Part 164 with respect to electronic PHI to prevent use or disclosure of the PHI, other than as provided for in this Section, for as long as Business Associate retains the PHI; and
      4. Not use or disclose the PHI retained by Business Associate other than for the purposes for which such PHI was retained and subject to the same conditions under “Permitted Uses and Disclosures By Business Associate” which applied prior to termination.
  7. Miscellaneous.
    1. Regulatory References. A reference in this Agreement to a section in the HIPAA Regulations means the section as in effect or as amended, and for which compliance is required.
    2. Amendment. This Agreement may be modified or amended only upon mutual written consent of the parties. The Parties agree to take such action as is necessary to amend this Agreement from time to time as is necessary for compliance with the requirements of the HIPAA Regulations and any other applicable law.
    3. Assignment. Covered Entity may assign its rights and obligations under this Agreement without Business Associate’s consent. Business Associate may not assign its rights and obligations under this Agreement without the prior written consent of Covered Entity, except that Business Associate may assign its rights and obligations under this Agreement, without the Covered Entity’s prior written consent, to an affiliate or any successor entity of Business Associate including by way of merger or other acquisition of all or substantially all of its assets or stock.
    4. Survival. The respective rights and obligations of Business Associate under Section II(d), VI(c), VII(e), VII(f) and VII(h) of this Agreement shall survive the termination of this Agreement for any reason.
    5. Interpretation. This Agreement shall be considered an amendment to the Service Agreement. Any limitations of liability in the Service Agreement shall apply to this Agreement. Any ambiguity in this Agreement shall be resolved in favor of a meaning that permits Covered Entity and Business Associate to comply with the HIPAA Regulations. A waiver by either party of a breach or failure to perform under this Agreement shall not constitute a waiver of any subsequent breach or failure. This Agreement may be executed in counterparts, each of which shall be deemed to be an original and all of which together shall constitute one and the same document. A copy of the Agreement bearing a signature transmitted via electronic means shall be deemed to be an original. In the event of any inconsistency between the terms of this Agreement and the terms of the Service Agreement, the terms of this Agreement shall prevail with respect to the subject matter hereof notwithstanding any contrary provision in the Service Agreement. The terms of this Agreement are not intended and shall not be construed to confer upon any person other than the parties hereto any rights, remedies, obligations or liabilities whatsoever.
    6. Status of the Parties. Covered Entity and Business Associate shall be independent contractors. Nothing in this Agreement and no action taken by either party, or its officers, employees or agents pursuant to this Agreement, shall be deemed to create any agency, partnership, joint venture, association or syndicate between the parties, nor shall any such action be deemed to confer upon either party any express or implied right or authority to assume, or create any obligation or responsibility on behalf of, or in the name of, the other party. The parties to this Agreement are independent entities, contracting with each other solely for the purpose of carrying out the terms and conditions of this Agreement. The parties acknowledge and agree that Business Associate (a) has the sole right and obligation to supervise, manage, contract, direct, procure, perform or cause to be performed, all work to be performed by Business Associate under the Service Agreement, and (b) Business Associate is not an agent of Covered Entity and has no authority to represent Covered Entity as to any matters, except as expressly authorized in the Service Agreement.
    7. Notices. Any notices to be given hereunder shall be deemed effectively given as set forth in the Service Agreement.
    8. Entire Agreement. This Agreement constitutes the entire agreement between the parties hereto relating to the subject matter hereof, and supersedes any prior or contemporaneous verbal or written agreements. Notwithstanding any provision in any agreement related to the Business Relationship indicating that it is the sole agreement governing the Business Relationship between the parties, the terms of this Agreement shall be effective and shall govern the Business Relationship between the parties with respect to the subject matter hereof.
    9. Governing Law. This Agreement shall be governed by California law notwithstanding any conflicts of law provisions to the contrary.
    10. Scope. This Agreement applies to all present and future agreements and relationships, whether written, oral or implied, between Covered Entity and Business Associate, pursuant to which Covered Entity provides PHI to Business Associate in any form or medium whatsoever. This Agreement shall automatically be incorporated into all subsequent agreements between Covered Entity and Business Associate involving access to or Use or Disclosure of PHI, whether or not expressly referenced therein.