Research Data Use Policy

Last updated: August 31, 2022

Please read this data use policy carefully before using Our Service.

In the context of this policy, the User (Covered Entity) has certain rights to the use and storage of their research data that the Company, William D Shannon Consulting LLC d/b/a BioRankings (Data Recipient), must abide.

Covered Entity may Disclose or make available to Data Recipient, and Data Recipient may Use, Disclose, receive, transmit, maintain, create from, or otherwise utilize certain information in conjunction with the research described herein; and

Certain information the Covered Entity may Disclose or make available to the Data Recipient may be subject to the protections of the Health Insurance Portability and Accountability Act of 1996 and the regulations promulgated thereunder; and

The Covered Entity and Data Recipient are committed to compliance with the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) and the regulations promulgated thereunder (collectively “HIPAA”); and

The purpose of this Agreement is to satisfy the obligations of the Covered Entity under HIPAA and to ensure the integrity and confidentiality of certain information that the Covered Entity may Disclose or make available to Data Recipient for Use in connection with the research described herein.


  1. Individual shall have the same meaning as the term “individual” in 45 CFR Sect. 160.103 of the Privacy Rule and shall include a person who qualifies as a personal representative in accordance with 45 CFR Sect. 164.502(g) of the Privacy Rule.
  2. Limited Data Set shall have the same meaning as the term “limited data set” in 45 CFR 164.514(e) of the Privacy Rule.
  3. Privacy Rule shall mean the Standards for Privacy of Individually Identifiable Information at 45 CFR Part 160 and Part 164, Subparts A and E, as amended from time to time.
  4. Protected Health Information or PHI shall have the same meaning as the term “protected health information” in 45 CFR Sect. 160.103 of the Privacy Rule, to the extent such information is created or received by Data Recipient from Covered Entity.
  5. Required by Law shall have the same meaning as the term “required by law” in 45 CFR Sect. 164.501 of the Privacy Rule.
  6. Capitalized terms not otherwise defined in this Policy shall have the meanings set forth in the Privacy Rule.

Scope and Purpose

  1. This Policy sets forth the terms and conditions pursuant to which Covered Entity will Disclose certain information (the “Limited Data Set”) to the Data Recipient.
  2. Except as otherwise specified herein, Data Recipient may make all Uses and Disclosures of the Limited Data Set necessary to conduct the research requested

Obligations and Activities of Data Recipient

  1. Data Recipient agrees to not Use or Disclose the Limited Data Set for any purpose other than the Research Project or as Required by Law. Data Recipient further agrees not to Use or Disclose the Limited Data Set in a manner that would violate the Privacy Rule if done by Covered Entity.
  2. Data Recipient agrees to use all appropriate safeguards to prevent Use or Disclosure of the Limited Data Set other than as provided for by this Policy.
  3. Data Recipient agrees to report to the Covered Entity any Use or Disclosure of the Limited Data Set not provided for by this Agreement of which Data Recipient becomes aware, including without limitation, any Disclosure of PHI to an unauthorized subcontractor, within two (2) days of its discovery, which report shall include a description of any remedial actions taken by Data Recipient in connection with such incident. In the event Covered Entity determines that such incident constitutes a Breach of Unsecured PHI as such terms are defined in the Health Information Technology for Economic and Clinical Health Act of 2009 and the regulations promulgated thereunder (“HITECH Act”), Data Recipient shall, as directed by Covered Entity, either (a) at Data Recipient’s sole cost, comply with all applicable requirements of the HITECH Act in connection with such incident, it being agreed that Data Recipient shall not provide any notification to any party regarding such incident without obtaining prior written approval of Covered Entity with respect to the content of any such notification, or (b) fully cooperate with Covered Entity in taking all steps as may be required for Covered Entity to comply with the HITECH Act.
  4. Data Recipient agrees to ensure that any agent, including a subcontractor, to whom it provides the Limited Data Set agrees to the same restrictions and conditions that apply through this Policy to the Data Recipient with respect to such information.
  5. Data Recipient agrees not to identify the information contained in the Limited Data Set or contact the Individuals.
  6. Data Recipient agrees that the Covered Entity will provide only data that excludes the following identifiers specified in 45 C.F.R. 164.514(e)(2) of an Individual or of relatives, employers or household members of the Individual: (i) names; (ii) postal address information, other than town or city, State, and zip code; (iii) telephone numbers; (iv) fax numbers; (v) electronic mail addresses; (vi) Social Security numbers; (vii) medical record numbers; (viii) health plan beneficiary numbers; (ix) account numbers; (x) certificate/license numbers; (xi) vehicle identifiers and serial numbers, including license plate numbers; (xii) device identifiers and serial numbers; (xiii) Web universal resource identifiers (URLs); (xiv) Internet protocol (IP) address numbers; (xv) biometric identifiers, including finger and voice prints; and (xvi) full face photographic images and any comparable images. Data Recipient shall not have access to any master code enabling identification of the Individuals.
  7. Data Recipient certifies that all investigators or employees of the Data Recipient who will receive information under this Agreement have successfully completed HIPAA training; that they are familiar with and understand the privacy protections set forth herein; and that they shall at all times comply with reasonable instructions for compliance with the Covered Entity’s Information Security Policy with respect to the maintenance, transmittal, Use or Disclosure of any portion of the Limited Data Set.
  8. In Using and Disclosing a Limited Data Set, Data Recipient shall Use and Disclose only the minimum amount of PHI necessary to accomplish the purpose of the Use and Disclosure.


The provisions of this Agreement shall be effective as of the Effective Date and shall terminate when all of the Limited Data Set provided by Covered Entity to Data Recipient is destroyed or returned to Covered Entity, or, if it is infeasible to return or destroy the Limited Data Set, protections are extended to such information, in accordance with the termination provisions in this Section. In the event that the Data Recipient determines that returning or destroying the Limited Data Set is infeasible, the Data Recipient shall provide to the Covered Entity notification of the conditions that make return or destruction infeasible. Upon mutual agreement of the Parties that return or destruction is infeasible, Data Recipient shall extend the protections of this Data Use Agreement and limit further uses of and disclosures of the Limited Data Set to those purposes that make the return or destruction infeasible, for so long as Data Recipient maintains any portion of the Limited Data Set.


If Covered Entity determines that Data Recipient breached any provision of this Agreement, Covered Entity shall have the right to either (a) immediately terminate this Agreement and any additional agreements with Data Recipient without providing Data Recipient an opportunity to cure the breach, or (b) provide Data Recipient with a written notice of breach and terminate this Agreement if Data Recipient does not cure the breach within thirty (30) calendar days of receiving such notice. To the extent neither cure of such breach nor termination of the Agreement is feasible, Covered Entity shall discontinue disclosure of the Limited Data Set to Data Recipient and report the problem to the Secretary of the United States Department of Health and Human Services.


The Covered Entity shall retain ownership of all data transferred under this Policy.


  1. The parties agree to take such action as is necessary to promptly amend this Policy from time to time as is necessary for the Covered Entity to comply with the requirements of the Privacy Rule and HIPAA. Notwithstanding the foregoing, the parties agree that this Policy shall be automatically amended upon written notice of the amendment by Covered Entity to Data Recipient, if Covered Entity determines that such amendment becomes required in order for Covered Entity to comply with the Privacy Rule, the HITECH Act or any other applicable law.
  2. The respective rights and obligations of Data Recipient shall survive termination of this Policy.
  3. Any ambiguity in this Policy shall be resolved to permit the Covered Entity to comply with the Privacy Rule.
  4. There are no intended third-party beneficiaries to this Policy. Without in any way limiting the foregoing, it is the parties’ specific intent that nothing contained in this Policy gives rise to any right or cause of action, contractual or otherwise, in or on behalf of the individuals whose PHI is Used or Disclosed pursuant to this Policy.
  5. No provision of this Policy may be waived except by an agreement in writing signed by the waiving party. A waiver of any term or provision shall not be construed as a waiver of any other term or provision.
  6. The persons signing below have the right and authority to execute this Policy and no further approvals are necessary to create a binding agreement.
  7. In the event of any conflict between the terms and conditions stated within this Policy and those contained within any other agreement or understanding between the parties, written, oral or implied, the terms of this Policy shall govern.