MHICO

Privacy & Security Tips

Practical steps to protect your privacy and keep your account secure.

Review and change your consent settings

You can update your data consent preferences at any time, independently for core platform features and optional marketing communications. Changing your consent does not affect your access to MHICO’s core features.

  • Go to Settings → Privacy & Consent to view your current preferences.
  • Toggle marketing consent on or off independently of your core account consent.
  • Changes take effect immediately. You can also contact julia@mhico.ai to update preferences by email.

Revoke health plan data access

When you link a health plan, MHICO retrieves your claims and coverage data using a time-limited OAuth token issued by your insurer. These tokens typically expire within hours — when one expires, MHICO will show a Reconnect prompt on the Link Insurer page. Reconnecting re-authorizes access and does not affect your already-imported data. You can also revoke access entirely at any time.

  • Go to Settings → Linked Insurer and click Unlink next to any health plan. This immediately revokes MHICO’s access and deletes the stored token.
  • You can also revoke access directly through your health plan’s member portal. Look for an “authorized apps” or “linked apps” section. For Medicare connections, manage access at MyMedicare.gov. For Veterans Affairs connections, manage access at VA.gov.
  • Revoking access stops future data retrieval but does not automatically delete claims data already imported. Use the data deletion option below to remove it.

Note: if your plan covers family members, the data retrieved through your token may include dependent health information. Family members who want independent control of their data should link their own account or contact their health plan directly.

Understand AI personalization with your health data

When you link an insurer, your coverage details and recent claims are automatically used to personalize AI responses. This means Ask Mhico can apply your actual deductible, copays, and claim history when you ask questions — instead of giving generic guidance.

  • What the AI sees: service descriptions, financial amounts (billed, allowed, what you owe), provider names, and dates of service. Diagnostic codes, procedure codes, and internal IDs are never sent to the AI.
  • Where it goes: your health context is processed by the AI via AWS Bedrock (covered under MHICO’s HIPAA BAA with AWS). It is not logged, stored, or shared beyond generating your response.
  • Opt out: unlink your insurer on the Link Insurer page. The AI will revert to generic guidance without your personal plan and claims data.

Note: AI personalization uses only data already stored in your MHICO account. It does not trigger new data retrieval from your insurer on each chat message. If you share plan details in chat (for example by uploading your insurance card), the assistant may offer to save them to your profile — you will always be asked for explicit confirmation before anything is saved.

Request data deletion or close your account

You have the right to remove all your personal data and close your account at any time. This is irreversible.

  • Go to Settings → Danger Zone → Close Account. All your personal data and health information (profile, plan, claims, chat history) will be immediately and permanently removed. A de-identified record with no personal information is retained solely for audit and legal compliance purposes.
  • You can first export a copy of your data via Settings → Export My Data before closing your account.
  • Alternatively, email julia@mhico.ai with a deletion request and we will process it within 30 days.

See Section 8 of our Privacy Policy for the limited circumstances where immediate deletion may not be feasible (e.g. legal holds, backup cycles).

Recognize phishing and social engineering

Attackers sometimes impersonate health insurance companies or apps like MHICO to steal your credentials or health data. Here’s what to watch for:

  • MHICO will never ask for your health plan password. We connect via OAuth: you log in directly on your health plan’s website, not through us.
  • Check the URL before entering credentials. MHICO’s domain is mhico.ai. Health plan login pages should be on your insurer’s own domain.
  • Be suspicious of unsolicited emails claiming your plan data needs to be re-authorized urgently. Log in to your account directly rather than clicking email links.
  • MHICO emails come from @mhico.ai addresses only. If you receive a suspicious email, forward it to julia@mhico.ai.

Secure your account credentials

  • Set up two-factor authentication (2FA). MHICO supports three methods: an authenticator app (TOTP), email OTP (a code sent to your email), or SMS OTP (a code sent to your phone). Go to Settings → Security to enable your preferred method. You can enable more than one. 2FA is required to use the AI chat assistant, and MHICO will re-verify your code before sensitive actions like exporting your data or closing your account. Set it up before you need it.
  • Save your recovery codes. When you enable the authenticator app, MHICO generates one-time recovery codes that let you regain access if you lose your device. Store them somewhere safe: a password manager, printed copy, or secure cloud storage. Recovery codes apply to the authenticator app only; if you use email or SMS OTP, a new code is always sent on demand.
  • Use “Continue with Google” if you prefer — Google accounts are managed with enterprise-grade security and your Google password is never shared with MHICO. Note that MHICO’s own 2FA (above) is still required regardless of how you sign in.
  • If you use a password, make it unique to MHICO and use a password manager to generate and store it securely. Don’t reuse passwords across services.
  • Review your login history in Settings → Activity Log to spot any unrecognized sign-ins. Accessing the Activity Log requires re-authentication with your 2FA method if 2FA is enabled.
  • If you believe your account has been compromised, contact julia@mhico.ai immediately.