Privacy Policy

PRO-ED, Inc. (“PRO-ED”) engages in research and publishes standardized tests, books, curricular and therapy materials, including online software, and professional journals to assist professionals, caregivers and students (the “Products and Services”). PRO-ED markets and sells such Products and Services to educational institutions, agencies and professionals, including psychologists, counselors, speech-language pathologists, occupational and physical therapists, and special education /rehabilitation providers, as well as health and behavioral health care providers unrelated to educational institutions who purchase such Products and Services. PROED in the development of these Products and Services, engages in data collection and research that may involve Submitted Data (defined below) related to the test examinees. Likewise, PROED Products are published in print and/or electronic formats and may involve Submitted Data that is maintained and managed on databases. We are committed to protecting the privacy and security of information received from persons involved in our research and End Users using our Products and Services that is protected by state and Federal law.

PURPOSE. The purpose of this Policy is to describe PRO-ED’s collection, access, use, maintenance and disclosure of Submitted Data from End Users of our Products and Services through our website(s) or for Submitted Date given to PRO-ED for our Product and Service Development (defined below) for which You have signed, or obtained on behalf of the person submitting the data, an authorization. “You" and "Your" refers to you as an End User as defined below. Use of the Product and Services requires your submission of Submitted Data and PROED’s passive collection of technical and other information in connection with Your use of the Products and Services on our Website. This Privacy Policy applies to Your use of the Products and Services and or related services and this website, regardless of whether You access them using Your personal computers, mobile devices or by other means.

POLICY. When You use PRO-ED’s Products and Services or are involved in PRO-ED Products and Service Development You may provide us Personally Identifiable Information (“PII”) that is protected by FERPA or Protected Health Information (“PHI”) that is protected under HIPAA, (collectively referred to as “Submitted Data” ). To the extent that Your Submitted Data includes PHI, it is the policy of PRO ED to comply with the Health Information Insurance Protection and Advocacy Act of 1996, “HIPAA” Privacy Rule, as amended by the Health Information Technology for Economic and Clinical Health (“HITECH”) Act (collectively referred to herein as “HIPAA”). With respect to the Security of Your Submitted Data, including both PII and PHI, PRO-ED. complies with the greater protections under the HIPAA Security Standards.

  1. DEFINITIONS.
    1. De-Identified Information.
      1. FERPA. - "De-Identified Information" means information that meets each of the following criteria:
        1. the information does not identify a particular natural person;
        2. does not identify, by network Internet Protocol address, raw hardware serial number, or raw MAC address, a particular device or computer associated with or used by a person;
        3. does not identify the school or natural person at issue by name or address; and
        4. is not reasonably linkable to a particular natural person or school because of technical, legal, or other controls.
      2. HIPAA. – “De-Identified Information” means health information that is not individually identifiable information and does not identify an individual and with respect to which there is no reasonable basis to believe that the information can be used to identify an individual. Individually identifiable information includes the following 18 identifiers of the individual or of relatives, employers, or household members of the individual:
        1. Names
        2. All geographic subdivisions smaller than a state, including street address, city, county, precinct, ZIP code, and their equivalent geocodes, except for the initial three digits of the ZIP code if, according to the current publicly available data from the Bureau of the Census:
          1. The geographic unit formed by combining all ZIP codes with the same three initial digits contains more than 20,000 people; and
          2. The initial three digits of a ZIP code for all such geographic units containing 20,000 or fewer people is changed to 000
        3. All elements of dates (except year) for dates that are directly related to an individual, including birth date, admission date, discharge date, death date, and all ages over 89 and all elements of dates (including year) indicative of such age, except that such ages and elements may be aggregated into a single category of age 90 or older
        4. Telephone numbers
        5. Fax numbers
        6. Email addresses
        7. Social security numbers
        8. Medical record numbers
        9. Health plan beneficiary numbers
        10. Account numbers
        11. Certificate/license numbers
        12. Vehicle identifiers and serial numbers, including license plate numbers
        13. Device identifiers and serial numbers
        14. Web Universal Resource Locators (URLs)
        15. Internet Protocol (IP) addresses
        16. Biometric identifiers, including finger and voice prints
        17. Full-face photographs and any comparable images numbers
        18. Any other unique identifying number, characteristic, or code (ii) if the covered entity does not have actual knowledge that the information could be used alone or in combination with other information to identify an individual who is a subject of the information.
    2. End User. means
      1. Person or entity, including but not limited, to schools, school counselors, educational diagnosticians, school and clinical psychologists, occupational therapists, physical therapists, rehab counselors, and health and behavioral health providers that is using any Products and Services, and
      2. Persons that are being administered certain Products and Services or other testing instruments as test examinees (or the legal representative of a test examinee who is a minor) for the purpose of Product and Service Development.
    3. FERPA. means the Family Educational Rights and Privacy Act, 20 USC §1232g and the implementing regulations.
    4. HIPAA. means the Health Insurance Portability and Accountability Act of 1996, 42 U.S.C. §§ 1320d et seq., as amended by the Health Information Technology for Economic and Clinical Health at 45 CFR SUBPARTS C & E
    5. Personally Identifiable Information under. FERPA means the student’s name, the name of the student’s parents or other family members, a personal identifier information that identifies a particular person such as social security number, student number, or biometric record, date of birth, place of birth, mother’s maiden name, other information that alone or in combination is linked or linkable to a specific student that would allow a reasonable person in the school community, who does not have personal knowledge of the relevant circumstances to, to identify the student, or information requested by a person who the educational agency/institution reasonably believes knows the identity student to whom the education record relates.
    6. Product and Services. shall have the meaning noted in the introductory paragraph.
    7. Product and Service Development. means activities engaged in by PRO-ED for the purpose creating new or revised Products and Services, including but not limited to, the development of predictive tests and educational materials and related studies involving item analysis, reliability and validity analysis and the creation of standardization data.
    8. Protected Health Information. (PHI) under HIPAA means individually identifiable health information transmitted or maintained by a covered entity or its business associates in electronic or any other form or medium. Individually identifiable information is information that is a subset of health information, including demographic information collected from an individual, and:
      1. Is created or received by a health care provider, health plan, employer, or health care clearinghouse; and
      2. Relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual; and
        1. That identified the individual; or
        2. With respect to which there is a reasonable basis to believe the information can be used to identify the individual. The 18 identifiers in 1.1 B above are considered PHI.
    9. Relevant Information Security Standards. means the higher information security standards required under either
      1. FERPA, or
      2. The HIPAA Security Standards for Protection of Electronic PHI at 45 CFR Subpart C.
    10. Submitted Data. means any information that You provide to PRO-ED in connection with Your use of the Products and Services or for Product and Service Development including but not limited to, information about examinees. "Submitted Data" includes Your PII and PHI, but expressly excludes De-Identified Information.
    11. Output Report. means those Product specific reports as well as other materials and outputs generated by the Product based on You Submitted Data, including but not limited to basic scoring and interpretive reports related to test products.
  2. PRIVACY PRACTICES.
    This section describes how PRO-ED will use and disclose Your PII and PHI.
    1. Use and Disclosure of Personally Identifiable under FERPA.
      PRO-ED uses Your PII for the following purposes:
      1. To collect Your Submitted Data and use Your PII to provide You the Products and Services You request or for Product and Service Development pursuant to Your consent under separate agreement or as required by law;
      2. To operate and manage our processes and services in order to maximize Your benefit and use of our Products and Services;
      3. To track usage of our website so that we can improve the functionality of our and Services and continue to develop additional products and services. PRO-ED may also send emails and other correspondence to You about our Products and Services, our website and other information that may be of interest to You, as well as customer satisfaction surveys and requests for Feedback about our Products and Services. You may opt out from receiving certain communications by following the instructions provided at the bottom of the communication. However, You will not be able to opt out of formal notices about the operation of our website, legal and other related notices concerning our Products and Services, website and Your relationship with PRO-ED;
      4. To amend Your or Your (as applicable) student’s education records at the request of You, Your parent or an educational agency/institution; and
      5. To de-identify Your PII in accordance with FERPA and Your PHI in accordance with HIPAA for the purpose of:
        1. Quality improvement purposes.
        2. PRO-ED Product and Service Development
      6. Use of PRO-ED’s Products and Services or involvement in activities related to Product and Service Development require that students or parents (as applicable) provide us a FERPA compliant consent form prior to providing us Submitted Data that includes PII. PRO-ED will only use Your PII as permitted in the consent, unless otherwise required by law in accordance with 34 C.F.R. Part 99.
    2. Disclosure of Your PII under FERPA.
      1. FERPA generally prohibits anyone outside of an educational agency or institution from having access to PII in a student’s education records and prohibits such agencies/institutions from disclosing any PII from those records without the student’s consent if the student is 18 or over, or the parent’s consent if the student is under 18. PRO-ED will only use or disclose Your PII as permitted in the consent, unless otherwise required by law in accordance with 34 CRF Part 99.
      2. End Users who are education agencies or institutions enter into Services Agreements with PRO-ED to outsource services and functions that would otherwise be performed by their employees. This exception under FERPA allows disclosure to us without prior consent of the student/parent for the purposes of performing a study to develop, validating or administering predictive tests or to improve instruction (referred to in FERPA as the “Study” exception) 2will comply with the limitations set forth in 34 CFR § 99.33 of FERPA and will:
        1. Not disclose PII to any other party without the prior consent of the eligible student/parent;
        2. Use the information only for the purposes for which the disclosure is made to PRO-ED;
        3. Disclose PII to school officials, including teachers, within the agency/institution whom the agency/institution has determined have legitimate educational interests;
        4. Conduct the study in a manner that does not permit personal identification of parents and students by anyone at PRO-ED who does not have a legitimate need for such information to conduct the study;
        5. Provide notification to the agency/institution that PRO-ED has received a court order or lawfully issued subpoena for PII to allow the agency/institution to object to disclosure of the PII;
        6. Disclose PII to subcontractors who act as our agent and who provide us with services related to the provision or operation of the Products and Services. These services may include, among other things, helping us to provide Products and Services that You request, to create or maintain our databases, to process orders and transactions, and for other similar purposes. Any party with whom we share Your PII is required either contractually or by law to keep Your PII confidential, to use Your PII only for the services to be performed, and not to use or disclose such information in a manner that would violate the Services Agreement that we have with You or an educational agency or institution; and
        7. To government and regulatory agencies to comply with a court order or asotherwise required by applicable law.
    3. Use and Disclosure of Your PHI under HIPAA.
      1. End Users who are health and behavioral health care providers, and are not affiliated with educational agencies or institutions, purchase Products and Services and enter service or license agreements (for use of the Products and Services) and Business Associate Agreements with PRO-ED to perform services on their behalf such as testing and test scoring and administration of educational materials.
      2. As a Business Associate to health and behavioral health providers not affiliated with educational agencies and institutions or End Users engaged with PRO-ED for Product and Service Development, PRO-ED is obligated to comply with the Privacy and Security Standards of HIPAA with respect to use and disclosure of PHI. It is the responsibility of the health or behavioral health care providers to obtain all legally required authorization from clients for the release of their PHI, prior to disclosing such PHI to PRO-ED.
      3. PRO-ED will use and disclose Your PHI:
        1. As permitted in Your authorization and the Business Associate Agreement with your provider;
        2. To collect Your Submitted Data and provide You or Your parent or provider (as applicable) the Products and Services You request;
        3. For the proper management and administration of PRO-ED
        4. For services that would otherwise be provided to You by Your health/behavioral health care provider such as testing and test scoring;
        5. To de-identify and aggregate Your PHI. We will not attempt to re-identify any information in violation of Texas law;
        6. As required or permitted by law;
        7. At the request of Your health/behavioral health provider to provide You access to Your PHI, amend Your PHI, provide You an accounting of our disclosures of Your PHI, and comply with any restrictions on use of Your PHI;
        8. To notify Your provider of any improper use or disclosure of Your PHI, a security incident or a breach of unsecured PHI which compromises Your PHI, to notify You or Your parent (as applicable) of a breach as required by HIPAA, and to notify the Secretary of U.S. Health and Human Services of a breach;
        9. To subcontractors and agentsand who provide us with services related to the provision or operation of the Products and Services. These services may include, among other things, helping us to provide Products or Services that You or Your health or behavioral providers request, to create or maintain our databases, to process orders and transactions, and for other similar purposes. Any party with whom we share Your PHI is required either by a Subcontractor Business Associate Agreement or by law to keep Your PHI confidential, to use your PHI only for the services to be performed, and not to use or disclose such information in a manner that would violate the Business Associate Agreement that we have entered into with Your provider;
        10. To government and regulatory agencies to comply with a court order or as otherwise required by applicable law; and
        11. For Product and Service Development pursuant to Your or Your parents (as applicable) HIPAA complaint Authorization or as permitted or required by law
    4. In accordance with the requirements of HIPAA, PRO-ED will only use and disclose the minimum necessary PHI to provide Your health/behavioral health care provider the Products and Services requested. We will not sell Your PHI or use Your PHI for marketing purposes. When our Business Associate Agreement with Your provider has terminated or expired, we will return or destroy Your PHI; not retain copies of Your PHI or, if we cannot return or destroy Your PHI, extend the protections of the Business Associate Agreement to Your PHI and limit further disclosures.
  3. Information That PRO-ED Collects.
    When You send PRO-ED the Submitted Data, we passively collect “Usage Information” (i.e., information that does not directly identify You, but that may be linkable to Your computer, device, operating system, platform, or software instance via a unique device ID for the purpose of helping us enable the functionality and improving our online Products and Services. For example, we may passively collect randomly assigned unique identifiers and other information contained in Brower Cookies, Flash Cookies, or HTMLS local storage, IP addresses, unique device identifier and device type, log-in and session information, and type and version of Your operating system, Your Brower software’s installed plug-ins and other similar technical information some of which are more fully described below:
    1. Browser Cookies. are small text files stored on Your device which are transmitted to PRO-ED You use our website. We use cookies to help understand how our website is used and to improve content, navigation, and functionality. You can manage placement of cookies on Your device by using the features in most Internet browsers, including adjusting Your browser settings to warn You before a cookie is stored or to block all cookies. It is important that You understand that by disabling or removing cookies, some parts of our Products and Services may be completely disabled or not function properly. Also, when You revisit our Product and Services Your ability to limit cookies is subject to Your browser software's settings and limitations.
    2. Flash Cookies and other Local Shared Objects ("LSOs"). which are used in conjunction with Adobe's Flash Player and similar technology. Flash Cookies and LSOs provide functionality in video and rich content, but are also used for analytics and other purposes similar to Browser Cookies. Flash Cookies and LSOs are not stored in the Browser.
    3. Web Beacons, Web Bugs and clear GIFs. are used in combination with Cookies to help people run websites and to understand the behaviors of their customers. Web Beacons are typically a transparent graphic image (usually 1 pixel x 1 pixel) that is placed on a website or in an email. They may be used to collect IP Addresses.
  4. How PRO-ED Safeguards the Confidentiality of Your PII and PHI.
    1. Workplace Safeguards.
      1. All employees who would require access to PII/PHI to perform their job duties are screened prior to employment.
      2. PRO-ED has identified the source of PII/PHI received by End Users, how and for what purposes PRO-ED and its employees access, use, create, maintain, transmit and disclose such information within PRO-ED and externally. End Users are responsible for providing PRO-ED all legally required consent or authorization prior to using our Products and Services.
      3. Employees who have access to PHI or PII are provided training on legal and regulatory safeguard requirements applicable to the use, development, operation, or maintenance of electronic student education records within 60 days of employment and every 2 years. The training covers PRO-ED’s Privacy and Security Policies and Procedures related to privacy and security of PII/PHI.
    2. PRO-ED has identified.
      1. The persons or classes of persons in PRO-ED who need access to PII/PHI to carry out their job duties;
      2. The categories or types of PII/PHI needed;
      3. The conditions appropriate to such access;
      4. Employee access to PII/PHI is solely based on a “need to know” basis and Employee use or disclosure of PII shall be limited to that PII needed to perform job responsibilities and duties;
      5. All PII/PHI in hard copy form is kept in locked files with the number of keys limited to employees whose work requires regular access to the information;
      6. All offices are locked and access is limited to employees only; and
      7. Prior to termination of employment, all employees are required to return all keys to the building, all electronically media containing PRO-ED’s confidentiality information, including PII/PHI, as applicable. The employee passwords are deactivated.
  5. Destruction of PII/PHI.
    PRO-ED protects the privacy and security of all media containing PII/PHI in the maintenance, retention, and eventual destruction/disposal of such media.
    1. Destruction/disposal of PII/PHI will be carried out only after the information has reached its defined retention period in accordance with federal and state law and as defined in PRO-ED’s retention policy (as applicable).
      1. All destruction/disposal of media containing PII/PHI will be done in accordance with federal and state law.
      2. Media containing PII/PHI involved in any current or anticipated investigation, audit, or litigation will not be destroyed. If notification is received that any of the above situations have occurred or there is the potential for such, the record retention schedule will be suspended for such records. When applicable, a qualified protective order will be obtained to limit the use or disclosure of PII/PHI.
      3. Media scheduled for destruction/disposal will be secured against unauthorized or inappropriate access until the destruction/disposal of individual information is complete.
    2. A record of all PII/PHI media destruction/disposal will be made and retained permanently by PRO-ED Records of destruction/disposal will include:
      1. Date of destruction/disposal;
      2. Method of destruction/disposal;
      3. Destruction of the destroyed/disposal record series or medium;
      4. Inclusive dates covered;
      5. A statement that the PII/PHI was destroyed/disposed of in the normal course of business; and
      6. Signatures of the individuals supervising and witnessing the destruction/ disposal.
    3. Media containing PII/PHI should be cleared, purged, or destroyed by the following methods:
      1. Paper, film, or other hard copy media shall be shredded or destroyed such that the PHI cannot be read or otherwise be reconstructed. Redaction is specifically excluded as a means of data destruction.
      2. Electronic media shall be cleared, purged, or destroyed consistent with NIST Special Publication 800-88, Guidelines for Media sanitization: http://csrc.nist.gov/, such that PHI cannot be retrieved.
    4. The Privacy Officer must categorize the information to be disposed of, assess the nature of the medium on which it is recorded, assess the risk to confidentiality, and determine the future plans for the media. Then, using information the Guidelines, decide on the appropriate method for sanitization (cleared, purged, or destroyed). The selected method should be assessed as to cost, environmental impact, etc., and a decision should be made that best mitigates the risks to an unauthorized disclosure of information.
    5. How to Contact Us. If You have questions or concerns regarding this Policy, please contact us at testquestions@proedinc.com. If we need to contact You concerning any event that involves Your information, we may do so by email, telephone, or mail.
    6. Revisions. PRO-ED may change or amend this Privacy Policy at any time. Any changes or amendments are effective immediately upon posting of the changes or amendments on our website. Each time that You use our Website, please check the revision date at the bottom of this Privacy Policy to determine whether there have been any changes or amendments since You last reviewed this Privacy Policy.
    7. Transfer of Ownership. PRO-ED reserves the right to transfer Submitted Data (including, but not limited to, PII/PHI) to a third party in connection with the sale of all or substantially all of the assets of PRO-ED provided the purchaser has agreed to safeguard Your Submitted Data with protections that are the same as or more protective than those set out in this Privacy Policy.
    8. Complete Agreement. This Privacy Policy, the PRO-ED Technical and Data Security Policy, and our Terms of Use constitute the Complete Agreement between You and PRO-ED To the extent the Terms of Use conflict with the Provisions of our Privacy or Technical and Date Security Policy, the terms of this Privacy Policy and the Technical and Data Security Policy shall control.