Why Privacy Is Non-Negotiable in Special Education AI
Special education documents occupy a unique position in student records law. An IEP is an education record under FERPA (20 U.S.C. § 1232g). It may also contain health-related information — medication records, diagnostic findings, developmental history — that intersects with HIPAA's protections for health information in certain contexts. For students under 13, COPPA's requirements apply to any collection of personal information through digital services.
The combination of these frameworks means that any technology tool used to process IEP documents, psychoeducational evaluations, or related assessment reports is operating in a regulated environment. The question providers and districts should be asking of any AI tool in this space is not only "does it work well?" but "how does it handle the data, and what protections are in place?"
At IEP Pilot, built by Expatiate Communications — a firm that has managed special education programs for LEAs — we designed our approach to data handling from the ground up with these frameworks in mind. This post describes that approach plainly, without obscuring what we do or what we are still working toward.
What Happens to Documents When You Upload Them
When a provider uploads a PDF to IEP Pilot, the document is transmitted over an encrypted connection and processed for the purpose of generating IEP content. The relevant content is extracted for generation, and once the analysis session is complete the document is not retained in IEP Pilot's systems.
We strongly recommend that providers remove or redact full student names, Social Security numbers, and other direct identifiers from documents before uploading. IEP Pilot does not require student names to generate goals, PLAAFP statements, or service recommendations — the functionally relevant information is the assessment data and disability profile, not the student's identity.
For providers who prefer not to upload documents at all, IEP Pilot's guided question flow allows complete workflows without any file transfer. Providers enter the relevant clinical and educational data through structured prompts, and IEP Pilot generates the same output categories from that input.
How IEP Pilot Uses AI — and What We Do Not Do with Your Data
IEP Pilot uses multi-model large language model technology to analyze documents and generate IEP content. Our relationships with AI providers are governed by data processing agreements that restrict how data submitted through IEP Pilot can be used. Under these agreements, content submitted through IEP Pilot is not used to train AI models.
This matters because the default data handling practices of general-purpose AI tools may not include this restriction. A provider who submits a student's psychoeducational evaluation to a general-purpose AI assistant without a specific enterprise agreement may be contributing that content to training datasets. IEP Pilot's provider agreements are specifically designed to prevent that use.
We do not use IEP content for any purpose other than generating the requested output for the provider who submitted it. We do not sell, share, or license IEP content or generation outputs to third parties. We do not analyze patterns across student data to build products or generate insights beyond the individual provider's session.
PII Handling and Data Minimization
Data minimization is a principle in privacy law and good data governance: collect and retain only what is necessary for the stated purpose. IEP Pilot applies this principle to how document content is handled in the generation pipeline. Before content from an uploaded document is processed through AI models, our pipeline applies handling procedures designed to reduce the exposure of direct student identifiers in the AI processing context.
The goal is that the AI models generate IEP content based on the clinical and educational substance of the document — the assessment findings, the disability profile, the performance data — rather than on identifying information about the specific student. The output IEP Pilot generates references that substance, not the student's identity.
These technical measures are complementary to — not a substitute for — providers' own best practices of removing student identifiers before uploading documents where possible.
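As an added illustration of the kind of pre-model minimization step this section describes, and of the provider-side redaction recommended earlier, the following Python module replaces direct identifiers with placeholder tokens before a document excerpt is sent to a language model and keeps the token-to-value map in the session only. This is example code written for this post, not IEP Pilot's pipeline (the post does not describe its implementation); the fictional evaluation excerpt, the student name, the identifier patterns, the token names and the function names are all constructed assumptions.

```python
"""Pre-model data minimization for an IEP document pipeline.

Added illustration, not IEP Pilot's code. Assumes the caller knows the
student's name (for example from the upload form) and that only the
assessment substance needs to reach the language model. The identifier
patterns and placeholder tokens are assumptions chosen for this example.
"""
import re

# Constructed sample: a fictional evaluation excerpt with fictional values.
SAMPLE_REPORT = (
    "Student: Jordan Rivera   DOB: 03/14/2014   SSN: 123-45-6789\n"
    "Student ID: 4471203\n"
    "Jordan was referred for a psychoeducational evaluation. On the WISC-V, "
    "Jordan obtained a Full Scale IQ of 92. Reading fluency fell at the "
    "12th percentile. Jordan's teacher reports difficulty with multi-step "
    "directions. Eligibility category under consideration: Specific "
    "Learning Disability."
)

# Direct identifiers that must never be part of the model payload.
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
DOB_RE = re.compile(
    r"\b(?:DOB|Date of Birth)\s*:?\s*(\d{1,2}/\d{1,2}/\d{4})", re.IGNORECASE
)
STUDENT_ID_RE = re.compile(r"\bStudent ID\s*:?\s*(\d{5,})", re.IGNORECASE)


class SessionRedactor:
    """Issues placeholder tokens and keeps the token -> value map in memory.

    The map stays with the provider's session; it is never sent to the model
    and is discarded when the session ends.
    """

    def __init__(self):
        self.replacements = {}  # token -> original value
        self._counts = {}       # kind -> tokens issued so far

    def token_for(self, kind, value):
        for token, original in self.replacements.items():
            if original == value:
                return token  # same value always maps to the same token
        n = self._counts.get(kind, 0) + 1
        self._counts[kind] = n
        token = f"[{kind}]" if n == 1 else f"[{kind}_{n}]"
        self.replacements[token] = value
        return token


def redact_for_model(report, student_name):
    """Replace direct identifiers with tokens; keep assessment data intact."""
    redactor = SessionRedactor()
    text = report

    # Student name: full name first, then each part, longest match first so
    # "Jordan Rivera" is consumed before "Jordan". Very short name parts
    # would need extra care; this example assumes ordinary names.
    variants = sorted({student_name, *student_name.split()}, key=len, reverse=True)
    for variant in variants:
        pattern = r"\b" + re.escape(variant) + r"\b"
        if re.search(pattern, text):
            text = re.sub(pattern, redactor.token_for("STUDENT", student_name), text)

    # Numeric identifiers: collect values first, then substitute each one.
    for regex, kind in ((SSN_RE, "SSN"), (DOB_RE, "DOB"), (STUDENT_ID_RE, "STUDENT_ID")):
        for value in sorted(set(regex.findall(text))):
            text = text.replace(value, redactor.token_for(kind, value))

    return text, redactor.replacements


def contains_direct_identifiers(text, student_name):
    """Gate run on the outbound payload: True if any identifier survived."""
    if SSN_RE.search(text) or DOB_RE.search(text) or STUDENT_ID_RE.search(text):
        return True
    return any(
        re.search(r"\b" + re.escape(part) + r"\b", text)
        for part in student_name.split()
    )


def build_model_input(report, student_name):
    """Redact, then refuse to proceed unless the payload passes the gate."""
    text, mapping = redact_for_model(report, student_name)
    if contains_direct_identifiers(text, student_name):
        raise ValueError("direct identifiers remain; not sending to model")
    return text, mapping


def reinsert_locally(generated_text, mapping):
    """Optional provider-side step: put real values back into model output.

    Runs in the session only, after the model has returned, so the model
    never sees the mapping.
    """
    for token, value in mapping.items():
        generated_text = generated_text.replace(token, value)
    return generated_text


if __name__ == "__main__":
    payload, session_map = build_model_input(SAMPLE_REPORT, "Jordan Rivera")
    print(payload)       # identifiers replaced, scores and findings intact
    print(session_map)   # held locally, never part of the model request
```

Two design points matter more than the specific patterns. First, the gate in `build_model_input` is independent of the redaction step, so a pattern that the redactor misses but the gate catches stops the request rather than silently leaking; in practice the gate should be the stricter of the two. Second, the mapping returned alongside the payload is the only place the real values live, which is what makes "the output references the substance, not the student's identity" a property of the pipeline rather than a promise about the model. Regular expressions cover only the identifier formats you anticipate; names in particular are best supplied by the uploader, as this example assumes, rather than guessed from the text.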
Our Commitment to Providers and Districts
We recognize that providers and districts who use IEP Pilot are extending a degree of trust to a technology system when they upload sensitive student records. We take that trust seriously. Our data handling practices are documented in our Privacy Policy. We maintain data processing agreements with our AI provider partners that restrict data use. We do not retain uploaded documents beyond the active session.
We are actively pursuing formal security and privacy certifications relevant to educational technology operating in this space. That work takes time to do correctly. We describe our current practices accurately and do not claim standards we have not yet achieved.
If you are a district technology coordinator or privacy officer evaluating IEP Pilot for organizational use, we welcome the conversation. Expatiate Communications has worked directly with LEAs on data governance, compliance, and special education program management. We understand the questions you are asking because we have been on the district side of those questions.