Consumer Health Data Privacy & Security Policy

Effective Date: 04/28/2025

Last Updated: 06/08/2025

1. Introduction

CertifyESA (“Company,” “we,” “us,” or “our”) is committed to protecting the privacy and security of Consumer Health Data (CHD) collected through our Emotional Support Animal (ESA) and Psychiatric Service Dog (PSD) letter assessment services. Our services are provided by licensed professionals via phone assessments.

This Consumer Health Data Privacy and Security Policy (“Policy”) outlines how we collect, use, disclose, protect, and store consumer health information in compliance with applicable privacy laws, including but not limited to HIPAA (Health Insurance Portability and Accountability Act), state-specific Consumer Health Data Privacy Acts, and emerging regulations.

2. Scope
This Policy applies to all Consumer Health Data collected, processed, and stored by CertifyESA in connection with our ESA/PSD services, whether online, offline, via telephone assessments, or through third-party service providers.

Key Definitions:

  • Consumer Health Data: Any information that identifies or can reasonably be linked to a consumer and that relates to the consumer’s past, present, or future physical or mental health status.
  • Licensed Professional: A credentialed healthcare provider authorized to conduct assessments and issue ESA/PSD letters.
  • Phone Assessment: A telephonic interview conducted by a Licensed Professional to evaluate a consumer’s eligibility for an ESA or PSD letter.

3. Information We Collect

We collect the following categories of Consumer Health Data:

  • Personal Identifiers: Full name, address, email address, phone number, date of birth.
  • Mental Health Information: Diagnoses, symptoms, medical history, treatment history, medications, and information related to emotional or psychiatric conditions.
  • Service Information: Details related to requested ESA/PSD services, including housing or travel needs.
  • Assessment Records: Notes and evaluations generated during phone assessments.
  • Payment Information: Billing address, card details (processed through secure third-party payment processors; we do not store full card details).

4. How We Collect Information

We collect Consumer Health Data:

  • Directly from consumers during intake forms, consent forms, and phone assessments.
  • Indirectly through our website interactions (e.g., appointment scheduling, secure messaging).
  • From licensed professionals conducting the assessments.

5. How We Use Consumer Health Data

We use Consumer Health Data for the following purposes:

  • Conducting assessments and determining eligibility for ESA/PSD letters.
  • Issuing ESA/PSD letters.
  • Communicating with consumers regarding appointments, assessments, and letters.
  • Maintaining medical and professional records.
  • Ensuring compliance with applicable laws, regulations, and standards.
  • Processing payments and managing billing.
  • Improving our services through de-identified, aggregated data analysis.

6. Consent

Before collecting Consumer Health Data, we obtain the consumer’s informed consent through written and verbal agreements. Consent is:

  • Explicitly obtained via signed consent forms.
  • Documented during the phone assessment.
  • Revocable at any time by the consumer, subject to legal or regulatory requirements.

7. Disclosure of Consumer Health Data

We do not sell or rent Consumer Health Data. Disclosure of data is limited to the following circumstances:

  • Licensed Professionals: To perform assessments and issue letters.
  • Service Providers: Secure third-party vendors providing IT, payment processing, and communication services.
  • Legal Compliance: When required by law (e.g., court orders, subpoenas, mandatory reporting).
  • Consumer Consent: When consumers explicitly authorize disclosures (e.g., for housing or airline verification).

8. Data Security Measures

We implement rigorous technical, administrative, and physical safeguards to protect Consumer Health Data, including:

  • Encryption: All data in transit (phone assessments, online forms) and at rest (servers, cloud storage) is encrypted.
  • Access Controls: Only authorized personnel access Consumer Health Data.
  • Secure Storage: Data is stored in HIPAA-compliant servers with regular security audits.
  • Authentication Protocols: Multi-factor authentication for system access.
  • Staff Training: Mandatory privacy and security training for all employees and licensed professionals.
  • Incident Response Plan: In place to address and mitigate data breaches or unauthorized access.

9. Data Retention and Disposal

We retain Consumer Health Data only as long as necessary for service provision, legal compliance, and legitimate business purposes. Retention periods are:

  • Minimum of 7 years post-service in compliance with healthcare record-keeping standards.
  • Disposal via secure deletion or destruction (e.g., shredding, secure wiping of electronic data).

10. Consumer Rights

Consumers have the following rights regarding their health data:

  • Access: Request a copy of their Consumer Health Data.
  • Correction: Request corrections to inaccurate or incomplete data.
  • Deletion: Request deletion of Consumer Health Data, subject to legal retention requirements.
  • Portability: Request data transfer to another provider.
  • Restriction: Request limitations on data processing.
  • Withdrawal of Consent: Withdraw consent for data processing at any time.
Requests can be made by contacting us at: support@certifyesa.com.
We will respond within legally mandated timeframes, typically within 30 days.

11. International Data Transfers

We primarily operate in the United States. However, if Consumer Health Data is transferred internationally, we will:

  • Ensure compliance with relevant data protection laws (e.g., GDPR).
  • Implement appropriate safeguards such as Standard Contractual Clauses.

12. Third-Party Links and Integrations

Our website and services may include links to third-party websites or integrations (e.g., telehealth platforms, payment processors). We are not responsible for the privacy practices of third parties. Consumers are encouraged to review the privacy policies of these parties independently.

13. Children's Privacy

Our services are intended for individuals 18 years of age and older. We do not knowingly collect Consumer Health Data from individuals under 18 without parental or guardian consent.

14. Changes to This Policy

We may update this Policy periodically. Changes will be communicated:

  • Via updates to our website.
  • Through direct email notifications if material changes occur.

Consumers are encouraged to review this Policy regularly.

15. Contact Information

For questions, concerns, or complaints regarding this Policy or our practices:

CertifyESA

415-886-5598

support@certifyesa.com

16. Compliance and Enforcement

We regularly audit our privacy practices for compliance with this Policy and applicable laws. Any violation by employees, contractors, or licensed professionals may result in disciplinary action, including termination of contracts or employment.

Consumers may lodge complaints with relevant regulatory authorities if they believe their rights have been violated.

17. Privacy Impact Assessments

CertifyESA conducts Privacy Impact Assessments (PIAs) when:

  • Launching new products or services involving Consumer Health Data.
  • Adopting new technologies or systems.
  • Responding to legal and regulatory changes.

The purpose of PIAs is to identify and mitigate privacy risks.

18. Telephonic Assessment Specific Provisions

Given that assessments are conducted via phone:

  • Verification: The identity of every caller is verified before any Consumer Health Data is discussed.

19. Special Provisions for Licensed Professionals

Licensed professionals associated with CertifyESA must:

  • Adhere strictly to professional ethical standards regarding confidentiality.
  • Sign confidentiality agreements.
  • Complete mandatory annual training on privacy, security, and HIPAA compliance.
  • Immediately report suspected data breaches or privacy violations.

20. Breach Notification Procedures

In the event of a data breach involving Consumer Health Data:

  • Affected consumers will be notified without unreasonable delay and no later than 60 days after discovery.
  • Regulatory authorities will be informed as required by law.
  • The notification will include the nature of the breach, types of data involved, steps consumers should take, and measures CertifyESA is taking.

21. Policy Acceptance

By using CertifyESA’s services, consumers acknowledge they have read and understood this Consumer Health Data Privacy and Security Policy.