Plain-English summary
When you complete a clinical assessment with NSAR, the information you share is Protected Health Information (PHI) under HIPAA. This notice explains, in plain language, what that means for you.
- Your information is private. Only the licensed clinician assigned to your case and a small set of NSAR operations staff can read your intake. Everyone who accesses your record is logged.
- You have rights. You can request a copy of your records, ask for corrections, get a list of who has accessed your records, and request restrictions on how your information is used.
- Your letter does not disclose your diagnosis. The letter the clinician issues for housing, travel, or other purposes states that you have a qualifying condition — it does not tell your landlord or airline what that condition is.
- We don't sell your information. We do not sell PHI for marketing or any other purpose.
The remainder of this notice contains the specific HIPAA disclosures required by 45 CFR § 164.520.
Uses + disclosures of your PHI
We may use and disclose your PHI for the following purposes without your separate authorization:
For treatment. Your assigned clinician uses your intake to evaluate whether you qualify for the letter you've requested and to issue that letter. We may share your PHI with another licensed clinician for consultation if your assigned clinician determines it's appropriate to your care.
For payment. We use information about your purchases to bill you, process payments through Stripe, and process refunds. Your clinical intake is not shared with payment processors.
For health-care operations. We use de-identified information to evaluate the quality of clinical services, train new clinicians, and improve the platform. Internal operational use of identified information is limited to staff with a specific need (support, compliance, audit).
As required by law. We will disclose PHI when required by federal, state, or local law — for example, in response to a valid subpoena, court order, public-health reporting requirement, or law-enforcement request that meets HIPAA's standards.
To business associates. Vendors that help us operate the Services and may handle PHI in the course of their work — cloud database, email delivery, error tracking — sign a Business Associate Agreement (BAA) requiring them to apply the same protections we do.
For other purposes, we will obtain your written authorization before using or disclosing your PHI. You may revoke any authorization in writing at any time.
Marketing + sale of PHI. We do not use or disclose PHI for marketing, and we do not sell PHI to anyone.
Your rights
You have the right to:
Inspect and copy your PHI. You can view your intake answers in your account at any time. To request a paper or electronic copy of your full record, email privacy@nsarco.com. We will provide it within 30 days. We may charge a reasonable cost-based fee.
Request amendment. If you believe your record contains an error, email privacy@nsarco.com with a description of the correction. We will respond within 60 days. We may deny the request if the information was not created by us, is accurate as recorded, or falls into other categories permitted under HIPAA.
Receive an accounting of disclosures. You may request a list of disclosures of your PHI we have made for purposes other than treatment, payment, or health-care operations during the prior six years. The first accounting in any 12-month period is free; additional accountings may carry a reasonable cost-based fee.
Request restrictions. You may ask us to limit how we use or disclose your PHI for treatment, payment, or operations. We will consider all requests but are not required to agree, except where HIPAA specifically requires it (for example, when you pay for a service in full out-of-pocket and ask us not to disclose the related PHI to a health plan).
Request confidential communications. You may ask us to communicate with you about your PHI in a particular way (for example, by email rather than mail) or at a particular location. We will accommodate reasonable requests.
Receive a paper copy of this notice at any time, even if you initially received it electronically. Email privacy@nsarco.com.
Be notified of breaches. If a breach of your unsecured PHI occurs, we will notify you in writing within 60 days as required by the HIPAA Breach Notification Rule.
Our duties
We are required by law to:
- Maintain the privacy and security of your PHI.
- Provide you with this notice of our legal duties and privacy practices.
- Follow the terms of the notice currently in effect.
- Notify you if a breach of your unsecured PHI occurs.
We reserve the right to change the terms of this notice. The revised notice will apply to all PHI we maintain. We will post the revised notice on our website and make a paper copy available on request. The current effective date is at the bottom of this page.
How to complain
If you believe your privacy rights have been violated, you may complain to NSAR or to the U.S. Department of Health and Human Services. You will not be retaliated against for filing a complaint.
To complain to NSAR: email our Privacy Officer at privacy@nsarco.com.
To complain to HHS: file a complaint at hhs.gov/hipaa/filing-a-complaint, by mail to the Office for Civil Rights at the U.S. Department of Health and Human Services, 200 Independence Avenue SW, Room 509F HHH Building, Washington, D.C. 20201, or by phone at 1-800-368-1019.
Privacy Officer
NSAR has designated a Privacy Officer responsible for the development, implementation, and oversight of our HIPAA privacy practices. To contact the Privacy Officer, email privacy@nsarco.com or write to:
Privacy Officer
National Service Animal Registry, LLC
PO Box 2901
Cleveland, TN 37320
Effective date + revisions
This notice is effective as of the “Last updated” date at the top of this page.
This is the initial published version. Prior drafts were not made publicly available. When this notice is revised, prior published versions will be available on request from privacy@nsarco.com.
For the broader privacy framework, including how we handle non-PHI personal information, see our Privacy Policy.
