Psychological Assessment Resources, Inc. (“PAR”) is committed to protecting your privacy and the privacy of your students. We developed this FERPA privacy policy to share with you our information collection practices and your options when visiting pariconnect.com, hereinafter referred to as “PARiConnect.” This privacy policy is an online privacy policy and applies only to information collected from you and related to your students through PARiConnect. This privacy policy does not apply to any information that you furnish to us offline or in any other manner except through this website.
PARiConnect is made available by PAR and provides an online testing platform for selected PAR assessment tools, giving clinicians and practitioners the capability to remotely test students. It additionally allows qualified users to present assessments online while a student is in the practitioner’s office, and it may allow the PAR Customer (who may be a teacher or school official) to use his or her PAR desktop software application to gather responses from remotely located students and run reports based on those responses. These additional stipulations reflect your standing as a covered entity with access to confidential electronic protected health information (“ePHI”) related to data that are stored on PARiConnect.
By providing the PARiConnect platform, PAR is your business associate. PARiConnect Customers capture and enter student data within PARiConnect and may administer and score selected PAR instruments. Customer and student data are encrypted on PARiConnect, and PAR employees do NOT have access to such data. However, it is PAR’s policy to comply fully with FERPA requirements; thus, all PAR employees who incidentally or accidentally have access to Customer student ePHI must comply with this privacy policy. For purposes of this policy and PAR’s use and disclosure procedures, employees include full-time employees, consultants, trainees, agents, and other persons whose work performance is under the direct control of PAR, whether or not they are paid by PAR. The term “employee” includes all these types of workers.
No third-party rights, including, but not limited to, the rights of Customer students or parents, are intended to be created by this policy. PAR reserves the right to amend or change this policy at any time (even retroactively) without notice. To the extent that this policy establishes requirements and obligations above and beyond those required by FERPA, the policy shall be aspiring and shall not be binding. This policy does not address requirements under other federal laws or under state laws.
Privacy officer and contact person
Travis White is the Privacy and Security Officer for PAR, the owner and developer of PARiConnect. The Privacy and Security Officer of PAR is responsible for the development and implementation of policies and procedures relating to privacy for PAR, including, but not limited to, this privacy policy and PAR’s use and disclosure procedures related to any ePHI that PAR employees may come in contact with. The Privacy and Security Officer also serves as the contact person for Customers or parents/students who have questions, concerns, or complaints about the privacy of their ePHI. You may contact this individual at privacyofficer@parinc.com.
Employee training
It is PAR’s policy to train all employees who might have access to ePHI on its privacy policies and procedures. The Privacy and Security Officer is charged with developing training plans and programs so that all employees receive the training necessary and appropriate to permit them to carry out their functions.
Technical and physical safeguards and firewall
PAR will establish on behalf of PARiConnect appropriate technical and physical safeguards to prevent Customer client/patient ePHI from intentionally or unintentionally being used or disclosed in violation of HIPAA’s requirements. Technical safeguards include limiting access to information by creating computer firewalls and by requiring users to have unique, secure user IDs and passwords. Technical standards also include encrypting all Customer student ePHI. Physical safeguards include locking doors and/or filing cabinets, establishing secure methods of access to PAR facilities, and undertaking other measures to secure computer workstations, laptops, mobile devices, and other devices/methods used to access PARiConnect by PAR employees.
Firewalls also help ensure that only authorized parties will have access to Customer ePHI and that Customers will have access to only the minimum amount of student ePHI necessary for assessment administration and/or scoring/interpretation and related administrative functions.
Privacy notice
The Privacy and Security Officer is responsible for developing and maintaining a notice of PARiConnect's privacy practices that describes:
This document constitutes such privacy notice with respect to PARiConnect.
Complaints
Travis White is PARiConnect’s contact person for receiving complaints. The Privacy and Security Officer is responsible for creating a process for individuals to lodge complaints about PARiConnect’s privacy procedures and for creating a system for handling such complaints. A copy of the complaint procedure shall be provided to any PARiConnect Customer upon request.
Sanctions for violations of privacy policy
Sanctions for obtaining, using, or disclosing Customer student ePHI in violation of this HIPAA Privacy Policy will be imposed in accordance with PAR’s disciplinary action policy, up to and including termination. The disciplinary policy is described in the PAR employee handbook within the section on performance improvement.
Mitigation of inadvertent disclosures of protected health information
PAR shall mitigate, to the extent possible, any harmful effects that become known to it because of a use or disclosure of Customer student ePHI in violation of the policies and procedures set forth in this Policy. As a result, if an employee becomes aware of a disclosure of protected health information, either by an employee or an outside consultant/contractor, that is not in compliance with this Policy, the employee shall immediately contact the Privacy and Security Officer so that the appropriate steps to mitigate the harm to the individual can be taken.
Documentation
PARiConnect’s HIPAA privacy policies and procedures shall be documented and maintained for at least six years. Policies and procedures must be changed as necessary or appropriate to comply with changes in the law, standards, requirements, and implementation specifications (including changes and modifications in regulations). Any changes to policies or procedures must be promptly documented.
If a change in law affects the privacy notice, the privacy policy must promptly be revised and made available. Such change is effective only with respect to ePHI created or received after the effective date of the notice. The date at the top of this document shall indicate the most recent date of this policy revision.
PAR will document certain events and actions (including authorizations, requests for information, sanctions, and complaints) relating to a PARiConnect Customer student privacy rights.
The documentation of any policies and procedures, actions, activities, and designations may be maintained in either written or electronic form. PAR will maintain such documentation for at least six years.
Access to education records
PAR’s policy will abide by FERPA guidelines, assisting schools in providing parents/students with an opportunity to inspect education-related reports. If the report is misplaced or unavailable, there is a possibility that the test will have to be retaken for the results to be redistributed. By FERPA guidelines, this process will be done expediently, and it is the responsibility of the institution/school to contact PAR well in advance in order to adhere to the 45-day time limit.
Information requested must pertain to an assessment taken by a student. PAR will disclose only the report generated from the assessment, which will contain its results and directory information. No further information will be provided.
Amendment of education records
Parents have the right to request that inaccurate information in a report be changed. Every request received will be considered, and the appropriate steps to alleviate the situation will be taken. Ultimately, the school must contact PAR in order to inform us of the necessity of a correction.
This option can be used only on reports based on assessments given by Customers. PAR is not able to change grades, opinions, or decisions made by the teaching staff of schools.
Requested disclosure of ePHI
PAR, as it relates to PARiConnect, will use and disclose PARiConnect student ePHI only as permitted under FERPA. Reports generated are sent back to the Customer’s given e-mail address. From that time, it is the Customer’s responsibility to comply with FERPA.
If the report is considered part of the student’s education record, the parent/legal guardian of the student may request the report. If the student is age 18 years or older, he or she may request it him- or herself.
Authorized disclosure of ePHI
If the school wishes to disclose the information, it must satisfy all the FERPA requirements for a valid authorization from the parent/legal guardian. All uses and disclosures made pursuant to a signed authorization must be consistent with the terms and conditions of the authorization.
FERPA-allowed disclosure of ePHI
With written permissions from the parents/legal guardians, under FERPA, schools may release the results to the following entities or for the following purposes: