Privacy Policy
This document also serves as our Consumer Health Data Privacy Policy under the Washington My Health My Data Act.
Effective Date: April 1, 2026 • Last Updated: July 5, 2026
Privacy at a Glance
This is a plain-language summary. The full policy below is the legally binding document.
- ✓We only collect health and insurance data you authorize. You connect your insurance plan yourself. We never pull your health or claims data without your explicit consent. (We do keep basic security records, like sign-in times and IP address, to protect your account - see Section 3.)
- ✓We use your data to help you, and nothing else. We analyze your benefits and claims to answer your questions. We never use your health data for advertising.
- ✓We never sell your data. Not to insurers, marketers, data brokers, or anyone else.
- ✓AI chat history is short-lived. Your chats are saved to your account in encrypted form, but only while you are logged in. You are automatically logged out 14 days after you log in, and your chat history is cleared on logout. You can also delete individual chat sessions yourself at any time.
- ✓You can delete everything, anytime. Close your account in settings and we remove all your personal data and health information right away. We delete any encrypted backup copies within 30 days. A de-identified record with no personal information is retained solely for audit and legal compliance purposes.
- ✓We give you 30 days’ notice before any material change. You can accept the new terms or close your account. The choice is yours.
- ✓Your data stays in the US. All personal data is stored on AWS infrastructure in the United States under a signed HIPAA Business Associate Agreement. Traffic is delivered via AWS CloudFront. No personal data is stored at edge locations.
- ✓We never use your data to train AI. Our AI features use Anthropic’s Claude models through AWS. We use your chats, uploads, and the AI’s answers only to answer you - never to train AI models. AI can make mistakes, so always check important decisions with your insurer or doctor. See Section 17.
- ✓Questions? Email julia@mhico.ai. We respond within 5 business days.
1. Introduction and CARIN Alliance Commitment
MHICO Inc. (“MHICO,” “we,” “us,” or “our”), is committed to protecting your privacy and your personal data. This Privacy Policy explains how we collect, use, share, store, and protect your data. It covers our website at mhico.ai, our AI tools, and all related services (the “Platform”).
MHICO has signed the CARIN Alliance Code of Conduct. This is a set of privacy rules for apps that handle health data. We also operate as a Consumer-Facing Application (CFA) under the CARIN Alliance Trust Framework. We attested to the CARIN Code of Conduct on May 4, 2026, shortly after the Platform launched on April 1, 2026. You can see our listing at myhealthapplication.com/app/mhico. This Privacy Policy was written using the ONC (Office of the National Coordinator for Health Information Technology) Model Privacy Notice as a guide. It covers all the topics that the Code requires: (1) what data we collect; (2) how we get your consent; (3) how we use your data; (4) who we share it with; (5) your rights; (6) how we keep it secure; (7) how long we keep it; and (8) how we handle anonymous data.
Throughout this policy, references to “MHICO” apply to MHICO Inc. in both its role as the organization and as the application developer, as required by the CARIN Alliance Code of Conduct.
This Privacy Policy applies to all users of the Platform, including individual consumers and authorized caregivers. By using the Platform, you consent to the practices described in this policy.
MHICO is not a covered entity or business associate under HIPAA, the Health Insurance Portability and Accountability Act (like a hospital or health insurer). We are a consumer app that helps you use your legal right to access your own health data. Even though HIPAA does not regulate us directly, we manage your health information - including data that would be treated as protected health information (PHI) in a HIPAA setting - so we require the necessary vendors - those that store or process your health information for us, principally AWS - to sign HIPAA Business Associate Agreements. This keeps your health data protected to the HIPAA standard throughout our service, even where HIPAA does not apply to us directly. We operate primarily under the Federal Trade Commission (FTC). We must follow FTC Act Section 5(a) and the FTC Health Breach Notification Rule (16 CFR Part 318). This policy meets or exceeds the consumer protections those laws require.
2. Definitions
The following terms are used throughout this Privacy Policy, consistent with the CARIN Code of Conduct:
- Personal Data
- Any information that can identify you, directly or indirectly. This includes your name, ID number, location, online identifier, or details about your physical, mental, genetic, economic, cultural, or social identity.
- Health Data
- Personal data about your physical or mental health, including information about health care services you received.
- De-Identified Data
- Data that cannot reasonably be linked back to you. We make data anonymous by removing your name and other identifying details, then: (A) we take reasonable measures to ensure the data cannot be linked to any individual; (B) we publicly commit not to try to re-identify anyone; and (C) we require by contract that anyone who receives the data does the same. We also call this "anonymous data" in this policy.
- Consumer-Directed Exchange
- When you use your legal right under HIPAA to request your health records from an insurer or provider. You choose which app receives them.
- FHIR and Patient Access API
- FHIR (Fast Healthcare Interoperability Resources) is the modern standard health plans use to share health records electronically. A Patient Access API is the secure online connection - required of most health plans by federal rule - that lets you retrieve your own claims and coverage data and direct it to an app like MHICO.
- Use
- How we work with your data inside MHICO, including reading, analyzing, or processing it.
- Disclosure
- Sharing, transferring, or providing access to your data to anyone outside of MHICO in any way.
- Consent
- Your clear agreement - like checking a box - that lets us use or share your data. Before asking, we always explain what we plan to do, why we need it, and the possible effects.
- Targeted Advertising
- Showing you ads chosen based on your personal or health data, tracked over time and across other websites and apps. We never do this.
- Material Change
- A policy change that affects how we use or share your data in a new way. It might add new types of data processing, or be something a reasonable user would not expect - including changes that could hurt you. We give you 30 days' notice before any material change takes effect.
3. Collection of Personal Data and De-Identified Information
This section describes what data we collect, where it comes from, and how we collect it. We only collect data you have agreed to share, consistent with the CARIN Principle of Collection Limitation.
3.1 Categories of Personal Data Collected
| Category | Specific Data Elements | Source / Method |
|---|---|---|
| Account & Identity Data | Name, email, username, password/credentials, mobile phone number (optional; only collected if you enable SMS two-factor authentication) | Provided directly by you during registration and account setup |
| Household & Benefits Data | Household size, dependents, employer name, plan type, and enrollment status. In the Open Enrollment plan finder you also enter your exact age and income (not a range) so we can price plans and estimate your subsidy. For an employer or COBRA comparison, you also enter the plan premiums, deductibles, and out-of-pocket maximums you are weighing. | Provided directly by you through onboarding and plan comparison tools. The age, income, household, employer, and plan details you type into the Open Enrollment plan finder are used only to run that comparison and are not saved to your account. |
| Insurance Card Data | Member ID, group number, payer name, plan identifiers (extracted via AI image analysis) | Provided by you via insurance card image upload in the AI chat interface or the plan setup page; analyzed by Claude via AWS Bedrock (covered under the HIPAA BAA with AWS). The image is processed entirely in memory and never written to disk or stored in any database. |
| Claims Data (Health Data) | Explanation of Benefits (EOB) data including dates of service, billed/allowed/paid amounts, patient responsibility amounts, provider names, and service descriptions. ICD-10 diagnosis codes, certain HCPCS/CPT procedure codes, and FHIR meta.security labels are transiently read during import solely to detect whether a claim falls into a federally protected health category (such as substance use disorder treatment under 42 CFR Part 2, mental health, HIV/AIDS, STIs, reproductive health, genetic information, or domestic violence). These codes and labels are never stored. Member identifiers are not stored. If a sensitivity category is detected and the user has not consented to that category, the claim is not imported at all. See Section 3.6. | Retrieved from ExplanationOfBenefit and Coverage FHIR resources via commercial health plan Patient Access APIs or Medicare via consumer-directed exchange (FHIR R4) |
| Coverage Data (Health Data) | Plan type, deductibles, copays, coinsurance, out-of-pocket (OOP) maximum, coverage periods, network details, EOBs | Retrieved from commercial health plan Patient Access APIs or Medicare; entered manually via the plan setup form; or extracted by the AI assistant from an uploaded document (insurance card, Summary of Benefits and Coverage (SBC), or EOB) and saved to your profile only after your explicit in-conversation consent |
| Third-Party Integration Data | Health data received from connected third-party services | Retrieved from third-party APIs as authorized by you |
| Device & Usage Data | IP address, login timestamps, authentication method (password or Google) | Recorded automatically at each login for security and audit purposes |
| Ad Click Tracking Data | Google Click Identifier (GCLID) or Reddit Click Identifier (rdt_cid), which are non-personal identifiers appended to your landing page URL when you arrive via a Google or Reddit advertisement respectively. Contain no health information and do not identify you independently. | Captured automatically from the URL if you arrive via a Google or Reddit advertisement; stored in your browser session and, if you create an account in that session, associated with your account solely for conversion measurement. Not collected on any other page visit. |
| AI Chat Messages | Messages you send to the MHICO AI assistant, organized into named chat sessions that you can browse and delete from the sidebar. Each session retains up to 40 entries; once a session is about to reach that limit, the oldest 20 entries are compacted into a summary to free space while preserving conversational context. | Stored in dedicated ChatSession and ChatMessage database tables on MHICO’s infrastructure (subject to the same AES-256 encryption and access controls as all other personal data). Chat history is tied to your login session. You are automatically logged out 14 days after you log in, and your chat history is cleared on logout. You can also delete individual sessions at any time from the chat sidebar. |
| Chat Attachment Uploads (Health Data) | Files you upload in the AI chat interface, including PDFs, images (JPEG, PNG, GIF, WebP, HEIC/HEIF), and plain text files. These may include EOBs, medical bills, insurance cards, or other health-related documents. | Provided by you via file upload in the AI chat interface. Processed entirely in memory and never written to disk or stored in any database. Transmitted to AWS Bedrock (covered under the HIPAA BAA with AWS) solely to generate a response to your query. File data is automatically discarded when the request completes, typically within seconds of upload. No deletion action is required or possible because no file data is ever retained. |
| Claim Document Uploads (Health Data) | Billing and claim information extracted from EOBs, medical bills, or other documents you upload on the Claims page (PDFs, images, or plain text files). Extraction is limited to billing-relevant fields: service descriptions, dates, financial amounts, provider details, denial and adjustment codes, and explanatory notes. Personal identifiers, including member IDs, subscriber IDs, group numbers, and dates of birth, are never extracted or stored. The original file is never stored. | Provided by you via file upload on the Claims page. The file is processed in memory and passed to Claude via AWS Bedrock (covered under the HIPAA BAA with AWS) to extract billing and claim information. Personal identifiers are excluded by the extraction prompt. The extracted billing information is stored in your claim record and used for AI-powered claim analysis. It is deleted when you delete the claim or close your account. |
| AI Chat Session Metadata | A record that a chat session occurred, including whether attachments were present, whether any AI tools were invoked (e.g., plan comparison, claims analysis), and whether an error occurred. Does not include message content. | Recorded automatically for your Activity Log and for security and audit purposes. Retained for ninety (90) days, then automatically purged. Deleted immediately upon account closure. |
| Email Deliverability Data | Email address (recorded only when a delivery failure (bounce) or spam complaint is reported by our email delivery provider). Used solely to suppress future sends to that address and prevent re-sending to addresses that have opted out or cannot receive email. | Recorded automatically by Twilio SendGrid via webhook when a bounce or complaint event is received. Retained for the duration of your account. Deleted upon account closure or anonymization. |
| Survey Data | An anonymous satisfaction rating (1–10) submitted via the in-app survey (not linked to your account); and a record that you have completed the survey (linked to your account solely to prevent the survey from appearing again). | Collected when you voluntarily submit the in-app satisfaction survey. The rating is stored with no account association. The completion record is deleted when you close your account. |
3.2 Collection of De-Identified Information. We may create anonymous data. We do this by removing your name and other identifying details. We use reasonable measures to make sure the data cannot be linked back to anyone. The result is group-level data such as aggregate utilization statistics, plan cost benchmarks, and claims pattern analytics. We only do this with data you originally agreed to share with us.
3.3 Consumer-Directed Exchange via Patient Access APIs. When you connect a health plan, you are using your legal right to access your own health records. For insurers, this is your right of access under HIPAA, where it applies. For Medicare, it is the access right under its own federal rules. We act on your behalf, and at your direction, to retrieve that information. We support the following data sources:
- •Commercial health plan Patient Access APIs, including but not limited to Anthem/Elevance Health, UnitedHealthcare, Aetna, Cigna, Humana, and other participating payers (subject to registration approval). Uses HL7 FHIR R4 standards, SMART on FHIR protocols, and OAuth 2.0. This aligns with the CARIN Blue Button Implementation Guide (STU1 or later).
- •Medicare. This is the Centers for Medicare & Medicaid Services (CMS) Blue Button API. It gives Medicare beneficiaries access to their Part A, Part B, and Part D claims data. Uses OAuth 2.0 and HL7 FHIR R4 standards. Available to Medicare beneficiaries who authorize access through their MyMedicare.gov account.
MHICO requests only Coverage and ExplanationOfBenefit FHIR data. We do not request your name, address, or date of birth through FHIR connections. We receive only the data your insurer allows your account to access. An import covers only your own records. It should include only your own claims and coverage - not data about another person on your plan. Data may go back up to five years, depending on the source. AI personalization. Once imported, your coverage details and recent claims are shared with the MHICO AI assistant to personalize its answers. For example, the AI uses your actual deductible, copays, and claim history when you ask cost or coverage questions. This data is sent to AWS Bedrock (covered under MHICO’s HIPAA BAA with AWS) only for this purpose. Only display-level details are used - service descriptions, financial amounts, provider names, and dates. Diagnostic codes, procedure codes, and internal identifiers are never included. You can turn this off by removing your insurer on the Link Insurer page.
3.4 One-Time vs. Persistent Collection. We tell you whether data is collected once or on an ongoing basis. When you link a health plan, your insurer issues a short-lived access key (called an access token) that typically expires within an hour. When you log out, this key is cleared. Some insurers also issue a longer-lived refresh token, valid up to 90 days, so you do not need to re-authorize every time you sync. When all tokens expire, we will prompt you to reconnect. You can remove the connection at any time in Settings or through your insurer’s website.
3.5 Collection Limitations. We only collect data you have agreed to share. We never collect more than you authorize. All data is collected by lawful and fair means, with your knowledge and consent. We do not collect genetic data, biometric data (like fingerprints), or government ID numbers (like Social Security numbers). One exception: if you turn on the genetic information category in Settings, we may import claims related to genetic counseling or testing from your insurer. Even then, we only store the service description - never the actual genetic or diagnosis codes. See Section 3.6. You may only give us data that is your own, or data you have permission or the legal right to use. Do not upload another person's documents - such as bills, Explanations of Benefits, or insurance cards - unless you are allowed to act for them (for example, as their parent, legal guardian, or authorized representative).
3.6 Sensitive Health Data Categories and Per-Category Consent. Some claim types have extra legal protection under federal law. These include: substance use and addiction treatment, mental and behavioral health, HIV/AIDS, sexually transmitted infections, reproductive health, genetic information, and domestic violence.
By default, MHICO does not import or store claims in any of these categories. When we import your data, we briefly check whether a claim belongs to one of them. We look at security labels, code ranges, and drug name patterns. We never store those codes. If a claim is in a protected category and you have not turned that category on, we skip it and never save it. This automatic check runs only on claims we pull directly from your linked insurer - not on claims you add yourself (see below).
These category controls cover only your own health data. An import covers only your own records, so the categories you turn on or off are always your own. You never handle another person's sensitive data. If your insurer ever sends a protected-category claim that belongs to someone else (for example, a dependent on your plan), we reject it during import and never store it - no matter how your categories are set.
To allow claims in a category, go to Settings → Sensitive health data and turn on the ones you want. Once turned on, we will import and store those claims. The stored description may include procedure names, drug names, or test names. We never store diagnosis codes.
If you later turn off a category, all stored claims in that category are permanently and immediately deleted. This cannot be undone. Each category is controlled separately.
Claims you add yourself are handled differently. This covers claims you enter by hand and claims you import from a file you download from your insurer, such as a CSV, Excel, or PDF claims summary you save from your insurer's portal. We do not screen these for protected categories, and they are not affected when you turn categories on or off. Because you choose the file, it may include protected-category items, like a prescription name. We store what the file contains as-is, so only import files you are comfortable saving. To read a file you import, we send its contents to our AI model (AWS Bedrock, covered by our HIPAA BAA with AWS), which pulls the claims out of it. The model is used only to parse the file you uploaded. If you merge one of these with a sensitive imported claim, the merged record is treated as one you added yourself - turning off that category later will not delete it. To remove a record, delete that individual claim or close your account.
4. Consent
We ask for your permission - your informed, proactive consent - before collecting, using, or sharing your data. We do not share your data by default.
4.1 Initial Consent. Before we collect any data, we show you exactly what we will collect, how we will use it, and who we may share it with. You must say yes before we proceed.
4.2 Consent for Health Plan Data Access. When you connect your health plan, your insurer shows you exactly what data MHICO will access. You approve it through your insurer’s own login screen.
4.3 Separate Marketing Consent. Before using your data for marketing, MHICO will explain what we plan to do and ask for your permission. You must actively say yes. Marketing consent is never assumed. Agreeing to use the platform does not count as agreeing to marketing. Saying no does not affect any core features. Marketing consent covers only your own data, not your family members' data. We will not use your data to market to your family without their own separate permission.
4.4 Consent for Third-Party Disclosure. Before sharing your data with anyone outside our contracted service providers or legal requirements, we will explain the purpose and ask for your permission. We always ask before sharing, not after. You can always choose which recipients your data goes to.
4.5 Policy Change Notification and Re-Affirmation of Consent. When we make a material change, we email all users with existing accounts and post a notice at least 30 days before it takes effect. We explain what changed and how it affects your data. The next time you log in after the change takes effect, you will see a summary screen. You cannot access platform features until you respond. You must accept the updated terms to keep using MHICO, or you can decline. If you decline, your account data is immediately anonymized and you are logged out - the same process as closing your account.
4.6 What Happens When Consent Is Re-Affirmed. If you accept a material change, we will continue to collect and use your data under the updated policy. All past and future data will follow the new terms. We record your acceptance with a timestamp.
4.7 What Happens When Consent Is Withdrawn. If you withdraw consent, we will: (a) stop collecting your data right away; (b) stop using your data for AI analysis, plan comparisons, and claims; (c) stop sharing your data with others, except as required by law; (d) delete your data on request (see Section 8.2); (e) ask our service providers to delete your data where we can - AWS covers this under our HIPAA agreement, and our other providers, including but not limited to Google, Brave Search, Reddit, and Twilio (SendGrid and Verify), handle only limited, non-health data under their own policies; (f) keep any anonymous data already created before you withdrew - that data can no longer be linked back to you - but we will not create new anonymous data from your information; and (g) if you withdraw an optional consent (such as marketing or data sharing), you keep full access to core features and lose only the optional feature that consent supported; if you withdraw a consent that our core services depend on, you can no longer use the platform, and we close and anonymize your account - the same process described in Section 4.5 and Section 8.2.
4.8 Age Requirement. This platform is only for adults. You must be at least 18 to create an account. We do not knowingly collect personal data from anyone under 18. If we discover an account was created by someone under 18, we will close and anonymize it immediately.
4.9 Easily Changing Consent Options. You can change your consent settings at any time. Go to Settings → Privacy & Consent to adjust each option. You can also email julia@mhico.ai. Changes take effect right away. Withdrawing consent does not make past processing unlawful. There are no fees or penalties for changing your preferences. Some features may stop working if you withdraw the consent they depend on.
5. Use of Personal Data and De-Identified Information
This section describes how we are allowed to use your data. We do not use your data for any purpose not listed here or not consented to by you. This aligns with the CARIN Principle of Use Limitation.
5.1 Permitted Uses of Personal Data: Core Services (Conditions for Use)
The following uses are conditions for use of the Platform and are necessary for MHICO to provide its core services:
- (a)To provide health insurance plan comparisons, recommendations, and cost analyses tailored to your coverage and utilization;
- (b)To analyze your claims data and generate insights about your utilization patterns, spending, and cost optimization opportunities;
- (c)To assist with claims denial disputes and appeals by analyzing denial patterns, applicable regulations, and your specific claim data;
- (d)To answer your health insurance questions using AI, automatically personalizing responses with your coverage details and recent claims from linked insurers (see Section 3.3);
- (e)To perform provider directory and drug formulary lookups using FHIR-based payer APIs, to verify in-network status and check drug coverage, tier, and prior-authorization rules;
- (f)To communicate with you about your account, connected data sources, and Platform functionality; and
- (g)To comply with legal obligations and respond to lawful requests.
5.2 Permitted Uses of Personal Data: Optional (At Your Election)
The following uses are optional and require your separate consent. You may decline without affecting access to core Platform features:
- (a)To send educational content, plan optimization alerts, open enrollment reminders, and communications beyond core account notifications;
- (b)To share plan comparison results or reports with a third party you designate (e.g., benefits administrator, family member, broker);
- (c)To participate in anonymized benchmarking or aggregate research; and
- (d)For any other purpose described at the time of collection and consented to by you.
5.3 Permitted Uses of De-Identified Information. We may use anonymous data only to: (a) improve the platform and AI; (b) create aggregate analytics and benchmarks (e.g., average plan costs by region, common denial patterns by procedure type); and (c) research health insurance trends. We do not use anonymous data for anything else. If we ever want to, we will ask the person the data came from, if we can reach them. We do not use anonymous data for advertising, marketing, underwriting, or discrimination.
5.4 Prohibited Uses
No Targeted Advertising. MHICO does not use personal data, health data, or de-identified information for targeted advertising.
No Automated Decision-Making With Legal Effects. MHICO does not use automated decision-making to give or deny financial services, insurance, employment, healthcare, housing, or access to basic necessities.
No Unauthorized Uses. We prohibit all other uses of your data except those described in Sections 5.1, 5.2, and 5.3, or those for which you have given your informed, proactive consent.
6. Disclosure of Personal Data and De-Identified Information
This section describes when and with whom we share your data, and when we need your permission to do so. We adhere to the CARIN Principle of Disclosure Limitation.
6.1 Disclosures That Require Your Permission
Before making any of the following disclosures, we always ask for your permission first:
- (a)Disclosure of your personal data to any user-designated recipient (e.g., employer benefits administrator, family member, insurance broker, financial advisor) for purposes you specify;
- (b)Sharing your data with any third party for marketing. We get your separate, informed, proactive opt-in consent specifically to market goods or services to you. This is independent of all other consent;
- (c)Disclosure of your personal data to third parties for research or studies (beyond de-identified information); and
- (d)Any other disclosure not described in Section 6.2 below.
6.2 Disclosures Permitted Without Informed, Proactive Consent
The following disclosures do not need your separate consent, but only under these specific conditions:
- (a) Contracted Service Providers. We share personal data with service providers who help run the Platform - like cloud hosting, AI, and analytics. They are bound by contracts that mirror our commitments to you. They can only use your data in ways this policy allows.
- (b) Legal Requirements. We may share data when required by law, legal process, or a government request, or to protect the safety of our users or the public. We share only what is legally required.
- (c) Business Transfers. In the event of a merger, acquisition, sale of assets, reorganization, or bankruptcy (see Section 6.6 for detailed data handling in these events).
6.3 Categories of Third-Party Recipients
| Recipient Category | Purpose | Consent Required? |
|---|---|---|
| Cloud Infrastructure, CDN & AI Services (Amazon Web Services) | Data storage and hosting on AWS EC2 and EBS; AI-powered analysis via AWS Bedrock (Anthropic Claude models); content delivery and TLS (Transport Layer Security) termination via AWS CloudFront; DNS resolution via AWS Route 53. Any data you upload (documents, images, health information) may be processed by AWS Bedrock to generate responses. Data sent to AWS Bedrock is used only to answer you. It is not used to train the Claude AI models (see Section 17). Personal data is stored in the United States; CloudFront edge locations are used solely for traffic routing and TLS and do not store personal data. | No (contracted service provider; all AWS services are covered under a single signed HIPAA Business Associate Agreement (BAA) with AWS) |
| Google (Sign in with Google) | Optional OAuth-based authentication; Google receives your authentication request and returns your name and email to MHICO. Only used if you choose “Sign in with Google.” Your Google password is never shared with MHICO. | No (authentication service; data flows only when you actively choose Google Sign-In; governed by Google’s Privacy Policy) |
| Google (Google Ads) | Conversion measurement: if you arrived at MHICO via a Google advertisement and created an account in that session, we transmit the Google Click Identifier (GCLID) and a signup timestamp to Google via Google’s server-side Conversion API. No health information or personal data beyond the click identifier is transmitted. This allows MHICO to measure whether an ad led to a signup without sharing any health data with Google. No Google tracking pixels or JavaScript tags are loaded on any MHICO page. | No (conversion measurement only; no health data transmitted; governed by Google’s Privacy Policy) |
| Reddit (Reddit Ads) | Conversion measurement: if you arrived at MHICO via a Reddit advertisement and created an account in that session, we transmit the Reddit Click Identifier (rdt_cid) and a signup timestamp to Reddit via Reddit’s server-side Conversions API. No health information or personal data beyond the click identifier is transmitted. This allows MHICO to measure whether an ad led to a signup without sharing any health data with Reddit. No Reddit tracking pixels or JavaScript tags are loaded on any MHICO page. | No (conversion measurement only; no health data transmitted; governed by Reddit’s Privacy Policy) |
| Twilio (SendGrid & Verify) | Transactional email delivery via SendGrid SMTP for account notifications and email verification codes. SMS one-time password delivery via Twilio Verify for users who enable SMS two-factor authentication. Your email address is shared with SendGrid to deliver emails (subject to Twilio’s Privacy Policy). If you enable SMS MFA, your mobile phone number is shared with Twilio Verify only to send verification codes. It is not used for any other purpose (subject to Twilio’s Privacy Policy). | No (contracted service provider; data transmitted only when delivering account emails or MFA codes) |
| Brave Search | Web search service used by the AI assistant to retrieve publicly available information (e.g., plan details, formulary data, CMS guidance, insurer policies). MHICO applies two layers of control to keep your data out of search queries. First, the AI is instructed - at the system-prompt and tool-schema level - never to include personal or health information in search queries. Second, a technical filter automatically scrubs structured PII patterns (such as SSNs, phone numbers, email addresses, dates of birth, and member IDs) from every query before it is sent. If a pattern match is detected and scrubbed, the event is logged for security review. | No (contracted service provider; queries are sanitized by technical controls before transmission; Brave does not receive your health data or personal data) |
| Commercial health plan Patient Access APIs (e.g., Aetna, Anthem, UnitedHealthcare, Cigna) | MHICO connects directly to each commercial health plan’s FHIR-based Patient Access API. No intermediary handles your data for these connections. Data flows at your direction via OAuth 2.0 authorization code flow. | No (direct connection to each payer; data flows at your direction via OAuth 2.0) |
| Centers for Medicare & Medicaid Services (CMS) | MHICO connects directly to CMS to retrieve Medicare Part A, Part B, and Part D claims data on behalf of Medicare beneficiaries who authorize access. Authorization is performed through your MyMedicare.gov account via OAuth 2.0. CMS does not receive your other personal data from MHICO. | No (direct federal government API; not a contracted service provider; data flows at your direction via OAuth 2.0; governed by CMS Blue Button API Terms of Service) |
| CMS Marketplace API (HealthCare.gov) | MHICO uses the public CMS Marketplace API in three ways. (1) Plan benefit lookup: when you link an insurer and your plan is an ACA Marketplace (Qualified Health Plan) plan, MHICO looks up that plan’s publicly published cost-sharing details (deductibles, out-of-pocket maximums, copays) using only the plan’s public HIOS identifier and the plan year - no personal data or health information is sent. (2) Plan search and subsidy estimate: when you use the Open Enrollment plan finder, MHICO sends your ZIP code, age, income, and household details to find available plans and estimate your subsidy. (3) Coverage matching (opt-in): if you choose to check which marketplace plans cover your specific medications or doctors - by ticking the consent box in the plan finder, or confirming in the AI chat - MHICO sends the medication and doctor names you provide to the CMS Marketplace API so it can report which plans cover them. Medications and doctor names are sent only when you actively turn this on; if you do not opt in, none are sent. | Plan benefit lookup: No (public plan identifier only). Plan search: No (sent at your direction when you run a search). Coverage matching: Yes - your explicit opt-in is required before any medication or doctor names are sent. Governed by CMS Marketplace API Terms of Service. |
| User-Designated Recipients | Plan comparisons, reports shared at your direction | Yes, express consent required |
| Legal / Regulatory Authorities | Compliance with law, legal process, government request | No (required by law; minimized to what is legally necessary) |
6.4 Contractual Obligations for All Third-Party Service Providers. All service providers and contractors who receive your data are bound by contracts - either a data processing agreement or their own published privacy terms. These contracts include: (a) limits on how they can use your data to the purposes in this policy; (b) a ban on uses or sharing that conflict with our commitments; (c) security at least as strong as ours; (d) a ban on re-identifying anonymous data; (e) a duty to notify us and you of data breaches; and (f) a duty to delete your data when you ask or when our relationship ends.
6.5 No Sale of Personal Data or De-Identified Information. We do not sell your data, trade it for anything of value, or share it with data brokers. Ever.
6.6 Change of Ownership or Cessation of Business (Business Transfer). Your data may move to another company if MHICO is sold, merged, restructured, financed, or taken over, if we go bankrupt, or if we shut down. If that happens, we will:
- (a)Tell you ahead of time. We email you and post a notice on the Platform at least 30 days before we move any personal data, when that is possible. Sometimes 30 days’ notice is not possible, such as in a court-run bankruptcy. Then we give you as much notice as we can. If we cannot give notice first, we tell you right after - and always before the new company uses your data in any way this policy does not already allow;
- (b)Tell you who the new company (the “successor”) is and what they plan to do with your data;
- (c)Require the successor, by contract, to protect your data at least as well as this policy did when the transfer happened;
- (d)Let you download your data, ask us to delete it, or close your account before the transfer takes effect;
- (e)If we shut down and no one takes over, securely delete all personal data within 60 days and tell affected users; and
- (f)Only hand over de-identified data to a successor that agrees in writing to keep it de-identified and never try to re-identify it.
A business transfer never removes the protections in this policy or the choices above. If the new company ever wants to use your data in a way this policy does not already allow, we or they will first tell you and ask for your consent, as a material change (see Section 4.5).
6.7 Disclosure of De-Identified Information. We may share anonymous data with third parties for research, analytics, or industry benchmarking. All recipients must: (a) keep the data anonymous; (b) not try to re-identify individuals; and (c) take steps to ensure no one can be identified from the data. We never share anonymous data for advertising, marketing, underwriting, or discrimination.
6.8 Impact on Others
When you connect a health plan, MHICO asks for only your own records. We receive only the data your insurer allows your account to access. An insurer that is set up correctly returns only your data, so an import should not include claims or coverage for anyone else on your plan. In rare cases, an insurer may still send data about another person on the plan - such as a spouse or child. We do not ask for this, and we cannot control what an insurer’s system sends. If it happens, the rules below apply.
- (a) Minor Dependents (Under 18). MHICO does not offer a way to import a minor’s health data, and you may only handle your own data on the Platform. If your insurer sends a minor dependent’s data anyway, any protected-category claim - such as substance use, mental and behavioral health, reproductive health, or a sexually transmitted infection - is rejected during import and never stored. Any other data sent by mistake is protected just as this policy describes.
- (b) Adult Dependents (Ages 18–26). You may only handle your own data. In the rare case an insurer sends an adult dependent’s data, the same protections in this policy apply. Adult dependents who want their data in MHICO should connect on their own, using their own login. They can also ask their insurer to limit what the account holder can see.
- (c) Spouse or Domestic Partner. The same rules from part (b) apply. A spouse or domestic partner who wants their data in MHICO should connect on their own, using their own login.
- (d) Disclosure Before Connection. Before you connect a health plan, we warn you that, in rare cases, an insurer’s data may still include health information about a family member - like diagnoses, procedures, and prescriptions. We ask you to think about how this may affect them before you connect.
- (e) Equal Protection. Any dependent or family member data that we receive by mistake through Patient Access APIs gets the same security, use limits, sharing limits, retention rules, and deletion rights described in this policy.
7. Individual Access Rights
Consistent with the CARIN Principle of Individual Participation:
7.1 Right to Access. You can request a copy of all the data we have about you, subject to what is technically possible and what the law allows. Go to Settings → My Data or email julia@mhico.ai. We will send it in a standard format within 30 days.
7.2 Right to Correction. If your data is wrong, let us know. If the error came from your insurer or another outside source, we will help you understand how to ask them to fix it. If the error is ours, we will fix it.
7.3 Right to Portability. You can ask for your personal data in a standard, machine-readable format.
7.4 Right to Annotation. If data we hold is inaccurate or incomplete, you may add a note to it. We will pass that note along to anyone you have authorized to see your data.
7.5 Right to Revoke Data Access. You may revoke MHICO’s access to health plan data at any time through Platform settings or your health plan’s member portal.
7.6 Right to Delete. You can ask us to delete all your personal data and health information at any time. Go to Settings → Close Account, or email julia@mhico.ai. Section 8.2 explains what gets deleted right away, what may take up to 30 days (backups), and the rare situations where we cannot delete immediately.
7.7 Complaint Process. Email julia@mhico.ai with any complaints. We will respond within 5 business days and give you a full answer within 30 days.
8. Data Retention and Deletion
8.1 Retention Periods. Here is how long we keep each type of data:
- •Account data: kept while your account is active. Deleted right away when you close it (Section 8.2). For inactive accounts, see Section 8.4. Backup copies may remain up to 30 days (Section 8.3(c)).
- •Health data from your insurer: kept while your account is active; deleted when you close it. Claims are the one exception - see the claims and appeals entry below.
- •Insurance plan data: same as health data above.
- •Claims and appeals: while your account is open, resolved claims are kept up to 3 years from the date of service, then automatically deleted; claims that are not yet resolved are kept until they are resolved. When you close your account, all claims and appeals are deleted right away, no matter their age or status (Section 8.2).
- •Insurer connection records: removed after 90 days with no sync activity. Your insurer’s access tokens expire within minutes to an hour and are also cleared when you log out. Clearing a token does not delete your connection record or any already-imported data. Refresh tokens (when issued) are valid for up to 90 days. When all tokens expire, we ask you to reconnect.
- •Anonymous data: may be kept indefinitely for research and improvement.
- •Legal records: as long as the law requires.
- •AI chat messages: tied to your login session. You are automatically logged out 14 days after you log in, and your chat history is cleared on logout. You can also delete individual sessions from the chat sidebar at any time.
- •AI chat session metadata (a record that a session occurred, which tools were used, and whether attachments were present - not message content): 90 days.
- •Login records: 90 days.
- •Account activity logs (data syncs, consent changes, payer connections, MFA changes, and other account-level events): 365 days.
- •Ad click identifiers (a Google or Reddit click ID, captured only if you arrive via one of those ads and create an account in that session): kept while your account is active; deleted when you close it.
- •Email deliverability records (your email address, recorded only after a bounce or spam complaint so we can stop sending to it): kept for the life of your account; deleted when you close it.
- •Survey responses: the satisfaction rating is anonymous and never linked to your account, so it may be kept indefinitely; the separate record that you completed the survey is deleted when you close your account.
- •Security logs (used only for security, compliance, and incident response): web server logs - 10 days on server, 90 days in CloudWatch; application logs - 90 days; network traffic logs - 90 days; API audit trails (AWS CloudTrail) - 365 days; firewall (WAF) logs - 14 days, stored in the US.
8.2 Right to Close Account and Delete Data. You can close your account and delete all your data at any time. Go to Settings → Close Account, or email julia@mhico.ai. Once we confirm your request, we will immediately: (a) cut off your account access and all insurer connections; (b) permanently delete all your personal data and health information, including your name, email, plan data, claims history, payer connections, login history, AI chat records, 2FA credentials, any stored phone number, ad click identifiers, and any email suppression record associated with your address; (c) replace your identifying information with an anonymous token for audit and legal purposes only, with no personal information attached; and (d) ask our service providers to delete your data where we have the right to do so. For AWS, this is covered under our signed HIPAA BAA. For our other service providers, including but not limited to Google, Brave Search, Reddit, and Twilio (SendGrid and Verify), the data shared is limited, non-health data governed by their own privacy policies and deletion practices. We delete any encrypted backup copies of your data within 30 days (see Section 8.3(c)).
8.3 Situations When Data Deletion May Not Be Feasible
There are a few situations where we may not be able to delete your data right away:
- (a)Legal hold: If we are involved in a lawsuit or government investigation that requires us to keep records, deletion waits until that is resolved.
- (b)Legal retention rules: Some federal or state laws require us to keep certain records for a set period.
- (c)Backup systems: Data in encrypted backups may not be deleted individually until the backup cycle ends, within 30 days.
- (d)Anonymous data: Data that was already made anonymous before your request cannot be deleted, because it can no longer be linked to you. We will not create new anonymous data from your information after your request.
- (e)Data you shared with others: We will ask our service providers to delete your data, but we cannot guarantee deletion by people you chose to share data with directly, like a benefits administrator.
In any of these cases, we will: (i) tell you the reason and how long it will take; (ii) limit use of the data to only the legally required purpose; and (iii) delete it as soon as the requirement expires.
8.4 Dormant Accounts. If your account has not been used for 12 months, we will email you. You will have 30 days to log in and keep it active. If you do not log in, your account will be deactivated. During that time, your data stays on our servers but is frozen - you cannot log in, your insurers will not sync, and the AI will not use your data. We do not share your data with anyone new, and our staff can only access it for security and legal reasons. Accounts that remain inactive for a total of 2 years from the last login will be deleted as described in Section 8.2.
9. De-Identified Data Practices
This section summarizes how we handle anonymous data.
9.1 Collection. Anonymous data comes from personal data and health data we collected with your consent (Section 3.2). We remove identifying details using reasonable steps to make sure the data cannot be linked back to anyone.
9.2 Use. De-identified information may be used only for Platform improvement, aggregate analytics and benchmarking, and research (Section 5.3). It is not used for targeted advertising, marketing, underwriting, or discrimination.
9.3 Disclosure. De-identified information may be disclosed to third parties for research, analytics, or benchmarking. All recipients are contractually prohibited from re-identification (Section 6.7).
9.4 Prohibition on Re-Identification. We have internal rules and require all third parties to sign contracts that ban re-identifying anonymous data.
10. Data Security
MHICO protects your data with strong security measures, including encryption, access controls, and audit logs. Specifically, we use:
- (a)AES-256 encryption for all personal data and health data at rest. If you enable SMS 2FA, your phone number is encrypted separately using AES-256-GCM with its own dedicated key;
- (b)TLS 1.2 or higher encryption for all data in transit;
- (c)Role-based access controls limiting data access to authorized personnel on a need-to-know basis;
- (d)Complete audit logs of your account activity. This includes login history, 2FA setup and verification, AI chat sessions, and insurance data syncs. You can view these at any time in the Activity Log in your account settings;
- (e)Secure cloud hosting and AI services on Amazon Web Services (AWS), covered by a signed HIPAA Business Associate Agreement (BAA). AWS holds SOC 2 Type II certification for its infrastructure. Our own security controls follow SOC 2 principles, though we have not yet received independent SOC 2 certification. AI features run via AWS Bedrock;
- (f)Continuous security monitoring. This includes server logs (10 to 90 days), application logs (90 days), API audit trails via AWS CloudTrail (365 days), network traffic logs (90 days), firewall logs (14 days), and Amazon GuardDuty for threat detection. These logs are used only for security and incident response;
- (g)Signed contracts with all third-party service providers, including a HIPAA BAA with AWS. All providers must meet security standards at least as strong as ours;
- (h)Periodic security evaluations and vulnerability assessments; and
- (i)Training for all personnel with access to personal data on data security practices.
10.1 Authentication. MHICO uses provider portal credentials that follow SMART on FHIR standards. When you connect a health plan, you log in directly on your insurer’s website. Your insurer may require its own identity checks and multi-factor authentication. Email verification is required before your account is activated. We support two types of two-factor authentication (2FA): an authenticator app (TOTP, a time-based one-time password) and an SMS code sent to your phone via Twilio Verify. Authenticator apps are the stronger option; the federal digital identity guidelines (NIST 800-63B) treat SMS as a weaker, ‘restricted’ method, so we recommend an authenticator app where possible. 2FA is required to use the AI chat assistant. You can create an account without 2FA, but you will be prompted to set it up before using AI features. Phone numbers for SMS 2FA are encrypted with AES-256-GCM using a separate key. Your insurer’s access tokens typically expire within minutes to an hour and are cleared when you log out. If your insurer issues a refresh token, it is valid for up to 90 days. When all tokens expire, we will prompt you to reconnect. Your already-imported data is not affected. You can remove your insurer connection at any time from the Link Insurer page or through your insurer’s member portal.
10.2 Breach Notification. MHICO follows all breach notification laws that apply to us, including the FTC Health Breach Notification Rule (16 CFR Part 318) and state breach laws. Our service providers must do the same, and AWS must tell us about any breach under our HIPAA Business Associate Agreement. A breach means your unsecured health data or other personal data is exposed. If one ever happens, we will: (a) tell you quickly - without unreasonable delay (no needless waiting), and no later than 60 calendar days after we find the breach; (b) tell the FTC. If the breach affects 500 or more people, we tell the FTC at the same time we notify affected individuals (and in no case later than 60 calendar days after we discover the breach). If it affects fewer than 500 people, we keep a written log and report those breaches to the FTC once a year, within 60 calendar days after the end of the calendar year. If a breach affects 500 or more residents of one state, we also tell major news outlets in that state, in the time the Rule requires; (c) explain, in plain language, when the breach happened (or our best guess), when we found it, what happened, what data was involved, what we are doing about it, and how you can protect yourself; and (d) give you a contact (julia@mhico.ai) for questions. We send this notice by email, plus any other way the law requires. If you think your account or data has been broken into, email julia@mhico.ai right away so we can look into it.
10.3 Prohibition on Re-Identification. MHICO does not allow anyone - including our service providers - to try to re-identify anonymous data. Any attempt violates our contracts. We will end the relationship and may take legal action.
11. Data Provenance
We keep track of where each claim came from and when it arrived. Here is how each type is labeled:
- (a)Claims imported from an insurer include the plan name, a unique record ID from your insurer, and a record of which import brought them in.
- (b)Claims you enter yourself are labeled as manually entered.
- (c)Claims you upload as a document (like a photo or PDF of a bill) are labeled as document-sourced.
- (d)Claims you import from a file you download from your insurer (like a CSV, Excel, or PDF of your claims) are labeled as imported from a file.
- (e)Any notes or corrections you add to a claim are saved and shared with anyone you have authorized to see your data.
All of this information is included when you export your data (see Section 7.3).
12. State-Specific Privacy Rights
12.1 California (CCPA/CPRA). California residents have the right to know what data we collect about you and why. You can ask us to delete your data or correct it if it is wrong. You can opt out of the sale or sharing of your data - MHICO does not sell or share your data. You can ask us to limit how we use sensitive personal information. You have the right to be treated the same whether or not you exercise these rights.
12.2 Virginia (VCDPA). Virginia residents can access a copy of their data, correct errors, and ask for deletion. You can request a portable copy of your data in a format you can reuse. You can opt out of targeted advertising, the sale of your data, and decisions made about you through automated profiling.
12.3 Colorado (CPA). Colorado residents can access a copy of their data, correct errors, and ask for deletion. You can request a portable copy of your data. You can opt out of targeted advertising, the sale of your data, and automated profiling that has legal or similarly significant effects.
12.4 Connecticut (CTDPA). Connecticut residents can access a copy of their data, correct errors, and ask for deletion. You can request a portable copy of your data. You can opt out of the sale of your data and targeted advertising.
12.5 New Jersey (NJ Privacy Act, effective January 15, 2025). New Jersey residents have the right to: know what personal data we collect and why; get a copy of it; fix errors in it; delete it; export it in a standard format; opt out of the sale of personal data, targeted advertising, and automated profiling that affects important decisions (like insurance, employment, or housing); and not be treated differently for exercising any of these rights. We do not sell personal data, use it for targeted advertising, or run automated profiling. Email julia@mhico.ai to make any request. We will respond within the time the law requires.
12.6 Nevada. Nevada law (NRS 603A) lets you opt out of the sale of your covered information. We do not sell it. Nevada also has a consumer health data law (SB 370). It gives you the right to know what health data we collect and share, to see and delete that data, and to take back your consent. We will not sell or share your health data without your permission.
12.7 Washington (My Health My Data Act). If you are a Washington resident, you have the right to know what consumer health data we collect, use, and share, and to learn the categories of third parties and affiliates we share it with. You can ask for a copy of that data, withdraw your consent at any time, and ask us to delete it. We do not sell or share your consumer health data, and we will never do so without your written authorization. This Privacy Policy also serves as our Consumer Health Data Privacy Policy under the Act, and is linked in the footer of every page, including our homepage. Email julia@mhico.ai to make any request.
12.8 Other U.S. States. Many other states now have their own privacy laws. These include Texas, Oregon, Montana, Utah, Iowa, Delaware, Indiana, Tennessee, Minnesota, Maryland, Nebraska, New Hampshire, Kentucky, and Rhode Island, among others. If you live in a state with a privacy law we did not list above, you still have the rights that law gives you. In most states, this means you can see your personal data, fix it, delete it, and get a copy to take with you. You can also opt out of the sale of your data, targeted ads, and profiling. We do not sell your data or use it for targeted ads or automated profiling. To use any of these rights, email julia@mhico.ai.
Contact julia@mhico.ai. We respond within time periods required by applicable state law.
13. Accountability and Governance
13.1 Designated Officer. Julia Mahieu is our designated executive officer responsible for the data protection commitments in this policy and the CARIN Code of Conduct. These commitments are public and can be enforced by the FTC, state attorneys general, or other authorities.
13.2 Workforce Training. Everyone at MHICO with access to personal data is trained on our data practices. Training happens when they start, at least once a year, and whenever we make a significant change to how we handle data.
13.3 FTC Compliance. MHICO is subject to Section 5(a) of the Federal Trade Commission Act, which prohibits unfair or deceptive acts or practices in commerce.
13.4 Applicable Law. MHICO and all our service providers comply with all applicable federal and state laws on data protection and privacy.
13.5 Certification and Accreditation Notifications. If we receive any independent certification (such as CARIN Code of Conduct accreditation or SOC 2), we will announce it on the platform and update this policy. We will include the name of the certifying organization, what was certified, and the certification period.
14. Children’s Privacy
This platform is not for anyone under 18. We do not knowingly collect data from minors, and only adults can hold an account. This rule is about who can use the platform - not about a parent's own data. A parent who connects their own plan may receive a child's data from the insurer in rare cases. We handle that data as described in Section 6.8: a child's protected-category claims are rejected and never stored, and any other data we receive by mistake gets the same protections as your own. If we discover an account belongs to someone under 18, we close and anonymize it immediately.
15. Cookies and Tracking Technologies
MHICO uses cookies only for session management and security - for example, keeping you logged in and preventing cross-site attacks. We do not use analytics cookies, tracking cookies, or cookies for advertising. You can manage cookies in your browser settings, but turning off session cookies will stop you from logging in.
If you arrive at MHICO via a Google or Reddit ad, the URL may include a click identifier (GCLID or rdt_cid). This is stored in your browser session. If you create an account during that session, the identifier is sent to Google or Reddit via their server-side APIs to measure whether the ad led to a signup. No health data is included. We do not load any ad tracking pixels or scripts on any MHICO page.
Do Not Track (DNT). Some browsers let you send a “Do Not Track” (DNT) signal to websites. MHICO respects this signal for one thing: ad click tracking. If your browser sends DNT, we will not record the ad click identifier from your URL, and we will not report your signup to Google or Reddit as a conversion - even if you came from one of their ads. Everything else on the Platform works normally. Your login cookie is not affected by DNT; it is required to keep you signed in.
16. Education and User Awareness
We provide resources to help you understand our data practices and protect your privacy:
- (a)Links to this Privacy Policy and our Consumer Health Data Privacy Policy. These appear in the footer of every page and in your account menu when logged in;
- (b)Guidance in your account settings about connecting your health plan. This includes what data may be included (including family member data) and how to revoke access at any time;
- (c)A “Privacy & Security Tips” page with steps to protect your privacy. It covers how to review consent settings, revoke health plan access, request data deletion, spot phishing attempts, and secure your account;
- (d)Notifications when you connect a new data source or share data with someone, with a reminder that you can revoke access at any time; and
- (e)Links to trusted outside resources: CMS.gov, HealthCare.gov, the CARIN Alliance, the FTC’s health data guidance, and ONC’s HealthIT.gov. These help you make better decisions about your health data.
17. Artificial Intelligence and Large Language Models
Several MHICO features use artificial intelligence (AI). This section explains which AI we use, what data is shared with it, how that data is used, the risks and limits of AI, and what to do if the AI returns a result that looks abnormal or concerning.
17.1 Which AI we use. Our AI features use Anthropic’s Claude. This includes Ask Mhico (the chat assistant), insurance card and document reading, and claims analysis. Claude is a large language model (LLM) - a type of AI trained to understand and write text. We reach Claude through Amazon Bedrock, an AWS service covered by our signed HIPAA Business Associate Agreement (BAA) with AWS. We do not run our own AI models. We do not send your data to any AI provider other than Anthropic’s Claude through AWS.
17.2 Vendor documentation. Claude is built and owned by Anthropic. It is proprietary (privately owned), so Anthropic does not share the model’s source code or the data it was trained on. Here is the documentation that Anthropic and AWS make public:
- •Claude models overview: anthropic.com/claude
- •Anthropic documentation: docs.anthropic.com
- •Anthropic Usage Policy: anthropic.com/legal/aup
- •AWS Bedrock data protection and privacy: docs.aws.amazon.com/bedrock
17.3 What data is shared with the AI, and how it is used. We send data to the AI only to answer your question or do a task you started. Depending on the feature, this may include: (a) the messages you type in the chat; (b) files you upload in chat or in the Open Enrollment plan finder (PDFs, images, or text, such as a benefits summary or plan-comparison page), which we process in memory only and never store (see Section 3.1) - before answering, a quick automated check confirms an uploaded file relates to health or insurance, and we turn away a file that clearly does not; (c) billing details we pull from claim documents you upload on the Claims page; (d) your coverage and recent claims from a linked insurer, used to personalize answers (see Section 3.3); and (e) the medication names you enter for an AI drug-cost analysis in the Open Enrollment plan finder - for a Medicare Part D, employer, or COBRA plan - used only to generate that guidance and not stored afterward. For insurer data, we send only the details you would see on screen: service descriptions, dollar amounts, provider names, and dates. We never send diagnosis codes, procedure codes, or internal ID numbers to the AI. If you have enabled a sensitive health data category (see Section 3.6), service descriptions for claims in that category may include procedure names, drug names, or test names - but diagnosis codes are never sent regardless of your category settings. The AI uses this data only to answer you in that moment. We do not use it for advertising. We do not share it with anyone beyond what is needed to give you an answer.
17.4 Your data is not used to train AI models. Anthropic and AWS do not use your messages, your uploads, or the AI’s answers to train or improve their AI models. They do not share your data with the model maker for that purpose. The AWS Bedrock service terms and our HIPAA BAA with AWS require this. MHICO also does not use your personal data or health data to train any AI model. To improve our own features, we may use only de-identified, grouped data (see Section 5.3) - never data that can identify you. Because no data that identifies you is ever used to train AI, there is nothing you need to opt out of. You can still control what we send to the AI. To turn off personalization, remove your insurer on the Link Insurer page. To send nothing at all, do not use the chat or document features.
17.5 Risks and limitations of AI.
Please keep these in mind whenever you use our AI features:
- (a)Not medical advice, and not a medical device. Claude is a general-purpose AI. The FDA and other health authorities have not cleared, approved, or rated it for medical advice, diagnosis, or treatment. Do not rely on it to make medical decisions.
- (b)It can be wrong. AI can give answers that are inaccurate, incomplete, or out of date (sometimes called “hallucinations”). This can happen with your coverage, costs, or claims. Always check important decisions with your insurer, benefits administrator, or a licensed professional.
- (c)Not legal, tax, or financial advice. See our Terms of Use, Section 6.
- (d)A third party’s model. Anthropic builds and runs Claude. Anthropic and AWS control what it can and cannot do - not MHICO.
17.6 Responsible disclosure of abnormal or concerning results.
Sometimes the AI may point out something unusual - like a possible billing error, a denied claim, or a result you did not expect. Here is who to contact:
- (a)A possible billing or claims error: go over it with your insurer or benefits administrator. The Claims page can create a draft appeal letter for you. Review it before you send it - MHICO never sends appeals for you.
- (b)Anything about your health or a medical result: contact your doctor or healthcare provider. MHICO does not give medical advice and cannot explain medical findings.
- (c)An AI error, a harmful or biased answer, or a privacy concern: email julia@mhico.ai. We respond within 5 business days and give you a full answer within 30 days (see Section 7.7). If you think your account or data has been broken into, contact us right away. We will look into it and, if needed, follow the breach steps in Section 10.2.
- (d)A medical emergency: call 911 or your local emergency number. Do not use MHICO or its AI for emergencies.
18. Changes to This Privacy Policy
See Section 4.5 for how we handle material changes and how you can accept or decline. Minor changes - like formatting or wording fixes that do not affect data practices - may be made at any time. They are shown in the "Last Updated" date.
19. Contact Information
For questions, concerns, or requests related to this Privacy Policy or your personal data: