Terms of Use
Effective Date: April 1, 2026 • Last Updated: July 2, 2026
1. Acceptance of Terms
These Terms of Use ("Terms") are a legal agreement between you and MHICO Inc. (doing business as MHICO, "we," "us," or "our"). They cover your use of mhico.ai and all related services (the "Platform").
By using the Platform, you agree to these Terms, our Privacy Policy, and any other policies listed here. If you do not agree, you must stop using the Platform right away.
We may update these Terms at any time. For material changes, we will email you and post a notice on the platform at least 30 days before the change takes effect. The next time you log in after a material change, you will see a summary screen. You cannot access platform features until you respond. You must accept the updated Terms to continue, or you may decline. If you decline, your account data is immediately anonymized and you are logged out - the same process as closing your account.
2. Description of Services
MHICO is an AI-powered platform that helps you understand, compare, and make the most of your health insurance coverage. The Platform provides:
- (a)AI plan comparison and recommendation tools for employer plans, ACA Marketplace, and Medicare, plus guidance on COBRA;
- (b)Claims analysis, denial dispute assistance, and cost optimization insights;
- (c)Provider directory and drug formulary lookups via FHIR-based APIs;
- (d)Health data access via FHIR (Fast Healthcare Interoperability Resources), letting you import your claims and coverage data from your health plan or Medicare (integrations are rolling out; availability varies by source);
- (e)Educational resources on health insurance concepts, benefits, rights, and data privacy; and
- (f)Employer plan analysis tools to help individuals compare and evaluate employer-sponsored health benefits.
MHICO’s AI features use Anthropic’s Claude models. We reach them through Amazon Bedrock under our HIPAA (Health Insurance Portability and Accountability Act) Business Associate Agreement with AWS. We never use your data to train AI models. See Section 17 of our Privacy Policy to learn which AI we use, what data we share with it, the risks and limits of AI, and how to report a concern.
3. CARIN Alliance Trust Framework and Code of Conduct
MHICO has signed the CARIN Alliance Code of Conduct and operates as a Consumer-Facing Application (CFA) under the CARIN Alliance Trust Framework. Throughout this section and these Terms, “MHICO” refers to MHICO Inc. in both its role as the organization and as the application developer, as required by the Code of Conduct. We attested on May 4, 2026, shortly after the Platform launched on April 1, 2026. Our listing is at myhealthapplication.com/app/mhico. As a CFA that collects health information on your behalf, we commit to the following principles:
3.1 Transparency. We keep a plain-language Privacy Policy covering how we collect, use, share, and delete your data. It follows the ONC (Office of the National Coordinator for Health Information Technology) Model Privacy Notice.
3.2 Consent. We ask for your permission before collecting or sharing your data. We do not share by default. Marketing requires its own separate opt-in. The Platform is only for users 18 and older. When our Privacy Policy changes materially, we email all existing users and show a summary screen on their next login. You must accept the update to continue, or you may decline, which closes your account immediately.
3.3 Use and Disclosure Limitations. All our service providers are bound by contracts that mirror the commitments we make to you. We only use your data as described in our Privacy Policy or with your consent. We do not use your data for targeted advertising.
3.4 Individual Access. You can access your data, change your consent settings, and close your account at any time. Our Privacy Policy explains the rare cases where deletion may not be possible right away.
3.5 Security. MHICO protects your data with AES-256 encryption at rest and TLS 1.2+ in transit. We use role-based access controls and audit logs. All service providers must meet the same standards. We run continuous security monitoring including network traffic logs, API audit trails, and automated threat detection. These logs are kept for defined periods (see our Privacy Policy) and used only for security and incident response.
3.6 Authentication. MHICO uses industry-standard protocols for health plan logins. Before your account becomes active, we verify your email address. We offer two types of two-factor authentication (2FA): an authenticator app (a time-based one-time code, or TOTP) or an SMS text code. Authenticator apps are the stronger option and meet recognized standards for two-factor authentication. SMS codes are also available, but the federal digital identity guidelines (NIST 800-63B) treat SMS as a weaker, ‘restricted’ method because of risks like SIM-swapping (someone taking over your phone number). These guidelines recommend authenticator apps instead. If you currently use SMS 2FA, we encourage you to switch to an authenticator app in your account settings.
3.7 Breach Notification. MHICO and all our service providers follow all applicable breach notification laws, including the FTC Health Breach Notification Rule (16 CFR Part 318).
3.8 Re-Identification Prohibition. MHICO and all our service providers are prohibited from trying to re-identify anonymous data.
3.9 Data Provenance. We track where every claim came from. Claims imported from an insurer carry the source plan name, a unique FHIR record ID, and a reference to the sync that retrieved them. Claims you entered manually are marked as manual. Claims from uploaded documents are marked as document-sourced. All of this is included in your data export.
3.10 Accountability. MHICO complies with all applicable federal and state laws. A named executive is responsible for our data practices. We have a complaint process and train all staff on data privacy.
3.11 Education. We provide resources inside the platform to help you understand our data practices and protect your privacy.
3.12 Change of Ownership. Our Privacy Policy explains what happens to your data if MHICO is sold or shuts down, including advance notice, what the new owner must do, and your right to download or delete your data.
4. Health Data Access via FHIR, Patient Access APIs, and Government Health Data Sources
4.1 Consumer-Directed Data Retrieval. We use standard FHIR and SMART on FHIR protocols to connect to health data. We support two source types: (1) commercial health plan APIs from insurers like Anthem, UnitedHealthcare, Aetna, Cigna, and Humana; and (2) CMS Blue Button API - the Medicare API for Part A, Part B, and Part D data, accessed through MyMedicare.gov. As we add integrations, you can authorize each source through its own login. Supported sources are listed in your account settings.
4.2 Scope of Data Accessed. Through Patient Access APIs, MHICO requests only Coverage and ExplanationOfBenefit data. We do not request your name, address, or date of birth through FHIR. We receive only the data your insurer allows your account to access. An import covers only your own records - it should include only your own claims and coverage, not data about another person on your plan. Imported data includes service descriptions, dates of service, billed and paid amounts, provider names, and your share of costs. During import, we briefly check ICD-10 codes, procedure codes, and FHIR security labels to detect federally protected health categories. These codes are never stored. Certain categories - such as substance use disorder - are blocked by default and only imported after you explicitly consent. See Privacy Policy Section 3.6. Data may go back up to five years.
4.3 Token-Based Access. Access is controlled by OAuth tokens. You can revoke access at any time by removing the data source in the Platform or through your health plan’s member portal.
4.4 CARIN Blue Button Alignment. MHICO’s Patient Access API integrations are designed and being built to align with the CARIN Blue Button Implementation Guide (STU1 or later).
4.5 Payer Links. When you link a health plan, we immediately import a snapshot of your claims and coverage data. This is a one-time sync, not a live connection. We store the link record and your insurer’s encrypted credentials until you remove it or it is purged due to inactivity (see our Privacy Policy). Access tokens from your insurer expire within minutes to an hour and clear when you log out. Clearing a token does not delete your connection record or any already-imported data. If your insurer issues a refresh token, it is valid for up to 90 days and lets you sync again without logging in. When all tokens expire, we ask you to reconnect. Your imported data stays safe. You can see all active links in your account settings. Removing a connection revokes access and deletes the stored tokens.
4.6 AI Personalization Using Linked Health Data. Once you link an insurer, your coverage details and recent claims are shared with the AI to personalize its answers. For example, the AI will use your actual deductible, copays, and claim history instead of giving generic guidance. Only display-level details are shared - service descriptions, amounts, provider names, and dates. Diagnostic codes, procedure codes, and internal identifiers are never sent to the AI. This is processed via AWS Bedrock under our HIPAA BAA with AWS. You can turn off AI personalization at any time by removing your insurer on the Link Insurer page.
5. Scope of Supported Consumers
MHICO supports consumers across all 50 U.S. states, the District of Columbia, and U.S. territories. The Platform serves individuals enrolled in or exploring:
- (a)Commercial employer-sponsored plans;
- (b)ACA Marketplace / Qualified Health Plans (QHPs) on Federally-Facilitated and State-Based Exchanges;
- (c)Medicare (including Medicare Advantage, Part D, and Medigap);
- (d)COBRA continuation coverage (educational guidance);
- (e)Individual and family plans outside the Marketplace.
As we add integrations, we aim to support members across all plan types for each participating insurer.
6. Not Insurance, Medical, or Legal Advice
MHICO is an educational and navigational tool. The Platform does not provide insurance, medical, legal, tax, or financial advice. MHICO is not an insurance company, broker, or agent. We do not sell, bind, or underwrite insurance policies.
Our AI features use Anthropic’s Claude models (through Amazon Bedrock). Claude is a general-purpose AI. It is not a medical device, and the FDA and other health authorities have not cleared, approved, or rated it for medical advice, diagnosis, or treatment. AI answers can be inaccurate, incomplete, or out of date (sometimes called “hallucinations”). Always check important coverage, claims, or cost decisions with your insurer or benefits administrator. Check any health question with your doctor or a licensed professional.
If the AI gives you an unusual or worrying result: for a possible billing or claims error, go over it with your insurer or benefits administrator (the Claims page can create a draft appeal for you to review before sending - MHICO never sends appeals for you); for anything about your health, contact your doctor; and to report an AI error, a harmful or biased answer, or a privacy concern, email julia@mhico.ai. In a medical emergency, call 911 or your local emergency number. See Privacy Policy Section 17 for more.
7. User Accounts and Eligibility
The Platform is only for residents of the United States, its territories, and the District of Columbia. By creating an account, you confirm that you live there.
You must be at least 18 to create an account. All information you provide must be accurate and complete. You are responsible for keeping your credentials private and for all activity under your account.
8. Prohibited Uses
You agree not to:
- (a)Use the Platform unlawfully;
- (b)Attempt unauthorized access to systems or data;
- (c)Interfere with Platform operation;
- (d)Scrape or harvest data without written consent;
- (e)Impersonate any person;
- (f)Use the Platform to discriminate; or
- (g)Use health data obtained through the Platform for targeted advertising, underwriting, or unauthorized purposes; or
- (h)Submit, upload, import, or use any data, document, image, or file that is not your own, unless you have the right or permission to use it - for example, as the parent, legal guardian, or authorized representative of the person it belongs to. This includes insurance cards, bills, Explanations of Benefits, and claims. You are responsible for making sure you are allowed to use any information you give the Platform. You may only access or act on data that is your own or that you have permission to use;
- (i)Attempt to manipulate, jailbreak, reverse-engineer, or extract the system prompt or underlying instructions of the AI features, or use the AI features to generate content that is unlawful, harmful, deceptive, or misleading. Your use of the AI features is also subject to Anthropic’s Usage Policy; or
- (j)Present AI-generated output as professional advice to others, or use the AI features or their output to develop, train, or improve a competing AI model or service.
9. Intellectual Property
All content and features of the Platform are owned by MHICO Inc. or its licensors. You may use the Platform for personal, non-commercial purposes. This license is limited and cannot be transferred.
AI-generated output. Some features create content for you using AI, such as draft appeal letters, summaries, and answers to your questions. As between you and MHICO, you own the output you generate through these features and may use it for your personal, non-commercial purposes. MHICO makes no claim of ownership over that output. Because AI output can be inaccurate or may not be unique to you (see Section 6), we do not warrant that it is correct, complete, or free of similarity to content generated for other users. Your use of the AI features and their output is also subject to Section 8 and to Anthropic’s Usage Policy.
10. Third-Party Services and Integrations
The Platform integrates with the following third-party services:
- •Amazon Web Services (AWS). MHICO uses AWS for hosting (EC2, EBS), AI responses (AWS Bedrock with Anthropic’s Claude), content delivery and security (AWS CloudFront with WAF), DNS (AWS Route 53), and log management (AWS CloudWatch). Web server and app logs go to CloudWatch and are kept for 90 days. WAF logs (including IP addresses) are kept for 14 days in the US. All logs are used only for security and incident response. Any data you upload or enter may be processed by AWS Bedrock to create responses. This data is not used to train the Claude AI models. Personal data is stored in the United States. CloudFront edge locations are used only for traffic routing and do not store personal data. MHICO has signed a HIPAA Business Associate Agreement (BAA) with AWS covering all services listed above.
- •Brave Search. The Platform may use Brave Search to find publicly available information for your queries. We apply two layers of protection: the AI is instructed never to include your personal or health data in a search query, and a technical filter automatically scrubs structured PII patterns - such as Social Security numbers, phone numbers, email addresses, dates of birth, and member IDs - from every query before it is sent. Brave does not receive your health data or personal data.
- •Google (Sign in with Google). MHICO offers “Sign in with Google” as an optional authentication method. If you use this option, Google receives your authentication request and returns your name and email address to MHICO. MHICO does not receive or store your Google password. Your use of Google Sign-In is also subject to Google’s Privacy Policy.
- •Google (Google Ads). If you arrive at MHICO via a Google advertisement and create an account in that session, MHICO transmits the Google Click Identifier (GCLID) and a signup timestamp to Google via Google’s server-side Conversion API. No health information or personal data beyond the click identifier is transmitted. No Google tracking pixels or JavaScript tags are loaded on any MHICO page. This practice is governed by Google’s Privacy Policy.
- •Reddit (Reddit Ads). If you arrive at MHICO via a Reddit advertisement and create an account in that session, MHICO transmits the Reddit Click Identifier (rdt_cid) and a signup timestamp to Reddit via Reddit’s server-side Conversions API. No health information or personal data beyond the click identifier is transmitted. No Reddit tracking pixels or JavaScript tags are loaded on any MHICO page. This practice is governed by Reddit’s Privacy Policy.
- •Twilio (SendGrid & Verify). MHICO uses SendGrid (by Twilio) to deliver account emails - like verification and policy updates. If you turn on SMS two-factor authentication, we use Twilio Verify to send you one-time codes. Your email goes to SendGrid for delivery. Your phone number (if SMS MFA is on) goes to Twilio Verify only for sending codes.
- •Health Plan Patient Access APIs (commercial payers). MHICO connects directly to commercial health plan FHIR-based Patient Access APIs. As integrations are activated, you can authorize MHICO to retrieve your data from participating commercial payers (such as Anthem, UnitedHealthcare, Aetna, and Cigna) via OAuth 2.0. No intermediary handles your data for these connections.
- •Medicare (direct government connection). For Medicare beneficiaries who authorize access, MHICO connects directly to the Centers for Medicare & Medicaid Services API. MHICO retrieves your Medicare Part A, Part B, and Part D claims data on your behalf. Authorization is performed through your MyMedicare.gov account via OAuth 2.0. CMS is a federal government entity, not a contracted service provider; your use of this connection is subject to CMS Blue Button API Terms of Service.
Your use may also be subject to each third party’s own terms of service. We are not responsible for third-party availability or practices. Note: CMS is a federal agency, not a contractor. The data protections we require of our vendors do not apply to it.
All contracted service providers must follow privacy and security standards that match ours. This includes data use limits, breach notification, and a ban on re-identifying anonymous data.
11. Disclaimers and Limitation of Liability
This section limits what MHICO is legally responsible for if something goes wrong. These limitations are required by law to be written in the exact legal language below. Plain-English explanations follow each one.
THE PLATFORM IS PROVIDED “AS IS” AND “AS AVAILABLE” WITHOUT WARRANTIES OF ANY KIND, EITHER EXPRESS OR IMPLIED.
In plain terms: we do our best, but we cannot guarantee the platform will always work perfectly or be error-free.
TO THE MAXIMUM EXTENT PERMITTED BY LAW, MHICO SHALL NOT BE LIABLE FOR ANY INDIRECT, INCIDENTAL, SPECIAL, CONSEQUENTIAL, OR PUNITIVE DAMAGES ARISING OUT OF YOUR USE OF THE PLATFORM.
In plain terms: if you experience a loss that is not directly caused by our actions - for example, lost time, lost income, or stress - we are generally not responsible for those damages.
There is also a limit on the total amount MHICO may have to pay you. Our total liability will never be more than the greater of these two amounts:
- (a)what you paid MHICO in the 12 months before the claim; or
- (b)$100.
The Platform is free today, so for most users (a) is $0. That makes the real cap $100. This limit applies as far as the law allows.
This cap does not apply to: (i) claims from gross negligence (serious carelessness) or willful misconduct; or (ii) claims under state privacy laws that set their own fixed damages a contract cannot reduce, such as California’s Consumer Privacy Rights Act (CPRA) or the Washington My Health My Data Act.
12. Indemnification
You agree to indemnify (compensate us for losses), defend, and hold harmless (protect from liability) MHICO Inc., its officers, directors, employees, and agents from third-party claims, losses, and reasonable legal costs that arise from your misuse of the Platform, your violation of these Terms, your violation of any law or any third-party right, or content or data you submit. This obligation does not apply to any claim to the extent it results from MHICO’s own negligence, willful misconduct, or violation of law. We will tell you about any claim and let you take part in defending it. You will not settle any claim in a way that creates an obligation for us without our written consent.
13. Dispute Resolution and Arbitration
13.1 Informal Resolution. Email julia@mhico.ai to try to resolve the issue informally within 30 days.
13.2 Binding Arbitration. If we cannot resolve it informally, the dispute goes to binding arbitration in New Jersey under the AAA Consumer Arbitration Rules. If the total amount in dispute is $10,000 or less, MHICO pays all AAA filing and administration fees. For larger claims, the AAA Consumer Arbitration Rules decide who pays those fees. Either way, each side pays its own attorney fees, unless the arbitrator orders otherwise under the law. Small claims exception. Instead of arbitration, either you or MHICO may bring an individual claim in small claims court, as long as the matter stays in small claims court and is brought only on an individual basis.
13.3 Class Action Waiver. YOU WAIVE (GIVE UP) ANY RIGHT TO PARTICIPATE IN A CLASS ACTION LAWSUIT OR CLASS-WIDE ARBITRATION.
13.4 New Jersey Enforceability. This arbitration section is governed by the Federal Arbitration Act. If you live in New Jersey, state law also requires us to clearly explain what rights you are giving up by agreeing to arbitration. By accepting these Terms, you give up your right to sue MHICO in court and your right to have a jury decide your case. You also give up the right to join a class action lawsuit. This paragraph exists to make sure those waivers are valid and enforceable in New Jersey.
13.5 Your Right to Opt Out of Arbitration. You can opt out of this arbitration agreement (Sections 13.2 and 13.3, including the class action waiver) within 30 days of first accepting these Terms. Email julia@mhico.ai with your name and a statement that you want to opt out of arbitration. If you opt out, neither you nor MHICO can require the other to arbitrate, and any dispute is resolved in court instead. Opting out does not affect any other part of these Terms, and it has no effect on your access to the Platform.
UNLESS YOU OPT OUT AS DESCRIBED IN SECTION 13.5, BY AGREEING TO THESE TERMS, YOU WAIVE YOUR RIGHT TO A TRIAL BY JURY AND YOUR RIGHT TO PARTICIPATE IN A CLASS ACTION.
14. Governing Law
These Terms follow New Jersey law, except where federal law applies.
15. Termination and Change of Ownership
15.1 Termination by MHICO. We may end or suspend your access at any time. In most cases, we will email your account address at least 7 days before we do this. If we have to act right away - for example, to stop an active security threat - we will email you as soon as we can after the action. When your access ends: (a) your right to use the Platform ends; (b) you can request a copy or deletion of your data under our Privacy Policy; and (c) your data is handled as described in our Privacy Policy and CARIN commitments.
15.2 Account Closure by You. You can close your account at any time in your account settings or by emailing julia@mhico.ai. When you close it, we delete all your personal data and health information right away. We delete any encrypted backup copies within 30 days. We keep only an anonymous record with no personal details, for audit and legal purposes. See Privacy Policy Section 8.2 for details, including the rare cases when immediate deletion may not be possible.
15.3 Change of Ownership or Cessation of Business (Business Transfer). Your data may move to another company if MHICO is sold, merged, restructured, financed, or taken over, if we go bankrupt, or if we shut down. If that happens, we will:
- (a)Tell you ahead of time - by email and a notice on the Platform - at least 30 days before any data transfer, when that is possible. If 30 days’ notice is not possible (such as a court-run bankruptcy), we give you as much notice as we can. If we cannot give notice first, we tell you soon after the transfer, and always before the new company uses your data in any way our Privacy Policy does not already allow;
- (b)Tell you who the new company is and what they plan to do with your data;
- (c)Require the new company, by contract, to protect your data at least as well as we do at the time of transfer;
- (d)Let you download your data, ask us to delete it, or close your account before the transfer;
- (e)If we shut down and no one takes over, securely delete all personal data within 60 days and tell affected users; and
- (f)Only hand over de-identified data to a company that agrees in writing to keep it de-identified.
A business transfer never removes the protections in our Privacy Policy. See Privacy Policy Section 6.6 for full details.
16. Miscellaneous
If any part of these Terms is unenforceable, the rest still applies. Choosing not to enforce a right does not mean we give it up. These Terms and our Privacy Policy are the complete agreement between us.