Built for university DPT programs from day one. Here is how we protect your students' records and what that means for your institution.
Wealth in Motion PT LLC dba The Home Health Pro acts as a "school official" under FERPA when we process student records on behalf of your DPT program. The exception we operate under is 34 CFR § 99.31(a)(1)(i)(B). Your institution is the controller of those records. We operate under your direction.
That designation requires us to satisfy four conditions, all codified into our Data Processing Agreement:
We are bound by the same obligations as your own faculty and staff when handling education records. We do not sell, share, or use student data for any purpose outside of providing the platform to your program. We do not use student records or submissions to train third-party AI models.
We store only the minimum information required to run the curriculum:
We do not store Social Security numbers, government identification numbers, dates of birth, home addresses, health or medical records, financial account numbers, or any other sensitive identifiers beyond what is listed above.
All subprocessors that process student data operate in the United States and are bound by written agreements requiring them to safeguard the data consistent with our FERPA obligations. The full, dated, versioned list with change log is published at our subprocessors page.
We notify program directors at least thirty days before adding a new subprocessor that touches student records, where operationally possible. Your institution may object to a new subprocessor under the procedure in our DPA.
We commit to notifying your institution's primary contact within 72 hours of confirming any breach involving student data. This SLA matches the GDPR standard, the Illinois SOPPA expectation, and the expectation of university procurement and IT security offices.
Notification will include: nature of the incident, categories of data affected, estimated number of student records involved, steps taken to contain the breach, and recommended actions for your institution.
On contract termination, all student records are deleted from production systems within thirty days of your institution's written request. Database backups containing student data age out within ninety days of creation. We do not retain student data beyond the minimum required to fulfill our contractual obligations and comply with applicable law.
Your institution may request earlier deletion of an individual student's records at any time. Audit log entries reflecting prior access to deleted records are retained for at least one year for compliance purposes.
Your institution may request an audit of our data handling practices once per contract year with thirty days notice. Audits may be conducted via questionnaire (we maintain a pre-filled HECVAT response), documentation review, or third-party assessment at your election and your cost. We will also provide an export of audit-log entries scoped to your organization on request.
Several states have student-data privacy laws that apply in addition to FERPA. We are prepared to sign exhibits or addressing these requirements where your institution is located in a covered state. Available exhibits include:
We are also able to sign the National Data Privacy Agreement (NDPA) maintained by the Student Data Privacy Consortium and apply state-specific exhibits in lieu of negotiating a bespoke DPA. Email us to arrange.
For FERPA inquiries, data processing agreements, or student record deletion requests, contact our privacy team at privacy@thehomehealthpro.com.
Last updated: May 6, 2026