MHICO

Terms of Use

Effective Date: April 1, 2026 • Last Updated: May 13, 2026

1. Acceptance of Terms

These Terms of Use (“Terms”) constitute a legally binding agreement between you (“User,” “you,” or “your”) and MHICO Inc., doing business as My Health Insurance Copilot (“MHICO,” “we,” “us,” or “our”), governing your access to and use of the MHICO platform, including the website at mhico.ai, mobile applications, AI-powered health insurance navigation tools, and any related services (collectively, the “Platform”). MHICO is both the organization and the application developer of the Platform.

By accessing or using the Platform, you acknowledge that you have read, understood, and agree to be bound by these Terms, our Privacy Policy, and any additional terms or policies referenced herein. If you do not agree to these Terms, you must discontinue use of the Platform immediately.

We reserve the right to modify these Terms at any time. Material changes will be communicated to existing users by email at least thirty (30) days before they take effect. Upon your next login following a material change, you will be shown a re-consent screen describing the key updates and must accept the updated Terms to continue. Your continued use of the Platform after accepting the updated Terms constitutes your agreement to be bound by them.

2. Description of Services

MHICO is an AI-native health insurance navigation platform that helps consumers and employers understand, compare, and optimize health insurance coverage. The Platform provides:

  • (a) AI-powered plan comparison and recommendation tools across Employer, ACA Marketplace, Medicare, and Medicaid coverage types, as well as educational guidance on COBRA continuation coverage;
  • (b) Claims analysis, denial dispute assistance, and cost optimization insights;
  • (c) Provider directory lookups via FHIR-based APIs;
  • (d) Consumer-directed health data access, including planned integration with commercial health plan Patient Access APIs, CMS Blue Button 2.0 (Medicare), and VHA Lighthouse APIs (Veterans Affairs), using FHIR-based data exchange to enable retrieval of your claims, clinical, pharmacy, dental, and vision data (integrations are being rolled out progressively; availability varies by data source);
  • (e) Educational resources on health insurance concepts, benefits, rights, and data privacy; and
  • (f) Employer plan analysis tools to help individuals and plan sponsors compare and evaluate employer-sponsored health benefits.

3. CARIN Alliance Trust Framework and Code of Conduct

MHICO, as both the organization and the application developer, is a signatory to the CARIN Alliance Code of Conduct and operates as a Consumer-Facing Application (CFA) under the CARIN Alliance Trust Framework. MHICO attested to the CARIN Code of Conduct on May 4, 2026; our listing is publicly available at myhealthapplication.com/app/mhico. As a consumer-facing application that collects health information on behalf of users through consumer-directed exchange, MHICO commits to the following principles:

3.1 Transparency. MHICO maintains a publicly accessible, easy-to-read Privacy Policy that addresses data collection, consent, use, disclosure, access, security, and retention/deletion practices for all personal data, health data, and de-identified information. Our Privacy Policy is developed using the ONC Model Privacy Notice as a resource.

3.2 Consent. MHICO obtains informed, proactive consent before collecting, using, or disclosing personal data. We do not engage in default data sharing. We obtain separate opt-in consent specifically for the purpose of facilitating the marketing of goods or services. We comply with COPPA. When our Privacy Policy changes materially, all existing users are automatically notified by email; upon their next login, they are presented with a re-consent screen and must accept the updated policy or close their account. Our Privacy Policy is clear about what happens to your data in each scenario.

3.3 Use and Disclosure Limitations. We contractually bind all third-party service providers and any app developers to commitments substantively similar to those we make to users. We prohibit uses of personal data and de-identified information except as described in our Privacy Policy or with the individual’s consent. We do not use personal data or de-identified information for targeted advertising.

3.4 Individual Access. MHICO supports the right of users to access their data, easily change their consent options, and close their account and delete their data. Our Privacy Policy is clear about situations when data deletion may not be feasible.

3.5 Security. MHICO, as both the organization and app developer, protects identifiable health information by implementing security safeguards including encryption of data in transit (TLS 1.2+) and at rest (AES-256), and internal accountability measures such as role-based access controls and comprehensive audit logs. All third-party service providers are contractually required to implement equivalent safeguards. As part of our security and compliance obligations, MHICO operates continuous security monitoring on its infrastructure, including network-level traffic logging (which captures connection metadata such as source and destination IP addresses), API activity audit trails, and automated threat detection. These controls operate at the infrastructure layer to detect unauthorized access, anomalous activity, and potential security incidents. Security and infrastructure logs are retained for defined periods as described in our Privacy Policy and are used solely for security, compliance, and incident response purposes.

3.6 Authentication. MHICO, as both the organization and app developer, obtains payer data through SMART on FHIR OAuth 2.0 flows: you sign in with your own health plan or provider portal credentials on that organization’s login page, and MHICO receives a scoped, time-limited OAuth token rather than your portal password. Email verification is required before account activation. User authentication supports three forms of multi-factor authentication (MFA): an authenticator app (TOTP), email OTP (delivered via Twilio SendGrid), and SMS OTP (delivered via Twilio Verify). The authenticator-app option is designed to meet NIST SP 800-63B Authenticator Assurance Level 2 (AAL2). SMS and email OTP are offered for convenience; note that SP 800-63B classifies OTP delivered over the telephone network as a restricted authenticator and does not recognize email as an out-of-band authenticator, so users who want AAL2-level assurance should enable the authenticator app.

3.7 Breach Notification. MHICO, as both the organization and app developer, and all third-party service providers, comply with all applicable breach notification laws including the FTC Health Breach Notification Rule (16 CFR Part 318).

3.8 Re-Identification Prohibition. MHICO, as both the organization and app developer, and all third-party service providers, prohibit the re-identification of de-identified, anonymized, or pseudonymized data.

3.9 Data Provenance. MHICO tracks the origin of every claim record. Claims imported via a payer integration carry the originating health plan, the unique FHIR resource identifier (EOB ID), and a reference to the specific sync event that retrieved them. Claims entered manually are marked as manually entered. Claims derived from an uploaded document (such as an EOB or insurance card) are marked as document-sourced. All provenance information is included in your data export.

3.10 Accountability. MHICO, as both the organization and app developer, complies with all applicable federal and state laws. A designated executive officer is committed to these data principles. We maintain a complaint process and regularly train our entire workforce on the data practices covered by the CARIN Code of Conduct.

3.11 Education. MHICO includes educational resources within the Platform to help users understand the application’s data practices and the steps they can take to protect their privacy and the confidentiality of their personal data.

3.12 Change of Ownership. Our Privacy Policy is clear about what happens to your data if MHICO has a change in ownership or goes out of business, including advance notice, successor entity obligations, and your right to download or delete your data.

4. Health Data Access via FHIR, Patient Access APIs, and Government Health Data Sources

4.1 Consumer-Directed Data Retrieval. MHICO is building integrations with health data sources using HL7 FHIR R4 standards and SMART on FHIR protocols. MHICO supports three categories of data source: (1) commercial health plan Patient Access APIs — participating commercial payers (such as Anthem, UnitedHealthcare, Aetna, and others) that expose FHIR-based Patient Access APIs, aligned with the CARIN Blue Button Implementation Guide; (2) CMS Blue Button 2.0 — the Centers for Medicare & Medicaid Services API for Medicare Part A, Part B, and Part D beneficiaries, accessible through your MyMedicare.gov account; and (3) VHA Lighthouse APIs — the U.S. Department of Veterans Affairs health data API for Veterans enrolled in VHA benefits, accessible through your VA.gov account. As integrations are activated, you will be able to authorize MHICO to retrieve your health data through the OAuth 2.0 consent flow provided by each data source. The list of supported sources is updated in your account settings as integrations become available.

4.2 Scope of Data Accessed. Through Patient Access APIs, MHICO may access your claims data (medical, pharmacy, dental, and vision), clinical data, coverage information, explanation of benefits data, and related health records as made available by your health plan. This data may include up to five (5) years of historical information.

4.3 Token-Based Access. Access is governed by time-limited OAuth tokens. You may revoke access at any time by disconnecting the data source within the Platform or through your health plan’s member portal.

4.4 CARIN Blue Button Alignment. MHICO’s Patient Access API integrations are designed and being built to align with the CARIN Blue Button Implementation Guide (STU1 or later).

4.5 Payer Links. When you link a health plan, MHICO immediately imports a snapshot of your claims and coverage data — this is a one-time point-in-time sync, not an ongoing live connection. MHICO stores the link record and the OAuth access token issued by your insurer. The link record persists in your account until you unlink or it is purged due to inactivity (see our Privacy Policy). The access token itself is short-lived — it typically expires within hours, as determined by the insurer. Because most insurers do not support long-term token access, each time you want to re-sync you will most likely need to sign in to your insurer’s portal again. When your token expires, MHICO will prompt you to reconnect; your already-imported health data is not affected by token expiry. All active links and their link dates are visible in your account settings. You may unlink any payer at any time; unlinking revokes access and deletes the stored token.

4.6 AI Personalization Using Linked Health Data. Once you link an insurer, your imported coverage details and recent claims are automatically made available to the MHICO AI assistant to personalize responses. This means the AI will apply your actual deductible, copays, out-of-pocket maximum, and recent claim history when answering your questions, instead of providing generic guidance. Only display-level information (service descriptions, financial amounts, provider names, and dates) is used; diagnostic codes, procedure codes, and internal system identifiers are never sent to the AI. This data is processed via AWS Bedrock, covered under MHICO’s HIPAA Business Associate Agreement with AWS. You can opt out of AI personalization at any time by unlinking your insurer on the Link Insurer page.
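As an added illustration of the field projection described above (this is not MHICO’s code; the sample EOB is constructed, and the field layout and the list of clinical code systems are assumptions modelled on the FHIR R4 ExplanationOfBenefit shape used by CARIN Blue Button), the following Python builds the model-facing view from an explicit allowlist of display-level fields and then checks that no identifier or clinical code from the source resource survived. A naive denylist variant is included to show why deleting a few top-level keys is not enough: nested CPT codes and provider references pass straight through.

```python
from __future__ import annotations

import json
from typing import Any

# Constructed sample resource, not real claims data. Field layout follows the
# FHIR R4 ExplanationOfBenefit shape used by CARIN Blue Button (an assumption).
SAMPLE_EOB: dict[str, Any] = {
    "resourceType": "ExplanationOfBenefit",
    "id": "EOB-9f3a2c7e",
    "identifier": [{"system": "https://payer.example/claims", "value": "CLM-00042"}],
    "patient": {"reference": "Patient/12345"},
    "billablePeriod": {"start": "2026-03-02", "end": "2026-03-02"},
    "provider": {"reference": "Practitioner/777", "display": "Dr. A. Example"},
    "diagnosis": [{"sequence": 1, "diagnosisCodeableConcept": {
        "coding": [{"system": "http://hl7.org/fhir/sid/icd-10-cm", "code": "J06.9"}]}}],
    "item": [{
        "sequence": 1,
        "servicedDate": "2026-03-02",
        "productOrService": {
            "coding": [{"system": "http://www.ama-assn.org/go/cpt", "code": "99213",
                        "display": "Office visit, established patient"}],
            "text": "Office visit, established patient"},
        "adjudication": [
            {"category": {"coding": [{"code": "submitted"}]}, "amount": {"value": 180.0, "currency": "USD"}},
            {"category": {"coding": [{"code": "benefit"}]}, "amount": {"value": 120.0, "currency": "USD"}},
            {"category": {"coding": [{"code": "copay"}]}, "amount": {"value": 25.0, "currency": "USD"}},
        ],
    }],
    "total": [{"category": {"coding": [{"code": "submitted"}]},
               "amount": {"value": 180.0, "currency": "USD"}}],
}

# Code systems whose codes count as clinical codes and must never reach the model (assumed list).
CLINICAL_CODE_SYSTEMS = (
    "http://hl7.org/fhir/sid/icd-10", "http://www.ama-assn.org/go/cpt",
    "https://bluebutton.cms.gov/resources/codesystem/hcpcs",
    "http://hl7.org/fhir/sid/ndc", "http://snomed.info/sct", "http://loinc.org",
)


def _description(concept: dict[str, Any]) -> str | None:
    """Human-readable text for a CodeableConcept: free text, else a coding display, never the code."""
    if concept.get("text"):
        return concept["text"]
    return next((c["display"] for c in concept.get("coding", []) if c.get("display")), None)


def _amounts(adjudications: list[dict[str, Any]]) -> dict[str, float]:
    """Map adjudication category (submitted/benefit/copay...) to a numeric amount.
    These category labels are financial, not clinical, so they are allowed through."""
    out: dict[str, float] = {}
    for adj in adjudications:
        codings = adj.get("category", {}).get("coding", [])
        label = codings[0].get("code") if codings else None
        amount = adj.get("amount", {}).get("value")
        if label and amount is not None:
            out[label] = float(amount)
    return out


def minimize_eob(eob: dict[str, Any]) -> dict[str, Any]:
    """Allowlist projection: build the model-facing view from named fields only.
    Anything not explicitly copied (ids, references, ICD/CPT codes) cannot leak."""
    period = eob.get("billablePeriod", {})
    return {
        "provider": eob.get("provider", {}).get("display"),
        "service_period": {"start": period.get("start"), "end": period.get("end")},
        "lines": [{
            "description": _description(item.get("productOrService", {})),
            "date": item.get("servicedDate"),
            "amounts": _amounts(item.get("adjudication", [])),
        } for item in eob.get("item", [])],
        "totals": _amounts(eob.get("total", [])),
    }


def naive_denylist_strip(eob: dict[str, Any]) -> dict[str, Any]:
    """The tempting but wrong approach: delete a few top-level keys and send the rest.
    Nested codes (CPT under item.productOrService) and provider references survive."""
    return {k: v for k, v in eob.items() if k not in {"id", "identifier", "diagnosis", "procedure", "patient"}}


def _sensitive_values(node: Any, out: set[str]) -> None:
    """Collect every resource id, reference, business identifier and clinical code in a resource."""
    if isinstance(node, dict):
        if isinstance(node.get("id"), str):
            out.add(node["id"])
        if isinstance(node.get("reference"), str):
            out.add(node["reference"])
        idents = node.get("identifier")
        for ident in idents if isinstance(idents, list) else []:
            if isinstance(ident.get("value"), str):
                out.add(ident["value"])
        system, code = node.get("system", ""), node.get("code")
        if isinstance(code, str) and system.startswith(CLINICAL_CODE_SYSTEMS):
            out.add(code)
        for v in node.values():
            _sensitive_values(v, out)
    elif isinstance(node, list):
        for v in node:
            _sensitive_values(v, out)


def leaked_values(source: dict[str, Any], view: dict[str, Any]) -> set[str]:
    """Defense in depth: which sensitive values from the source appear anywhere in the view?"""
    sensitive: set[str] = set()
    _sensitive_values(source, sensitive)
    blob = json.dumps(view)
    return {s for s in sensitive if s in blob}


if __name__ == "__main__":
    print(json.dumps(minimize_eob(SAMPLE_EOB), indent=2))
    print("leaks from allowlist view:", leaked_values(SAMPLE_EOB, minimize_eob(SAMPLE_EOB)))
    print("leaks from naive strip:", leaked_values(SAMPLE_EOB, naive_denylist_strip(SAMPLE_EOB)))
```

The point of `leaked_values` is that it is independent of the projection: it enumerates what the source contained and searches the serialized output for it, so it keeps catching regressions if someone later adds a field to the allowlist without thinking about what that field carries.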

5. Scope of Supported Consumers

MHICO supports consumers across all 50 U.S. states, the District of Columbia, and U.S. territories. The Platform serves individuals enrolled in or exploring:

  • (a) Commercial employer-sponsored plans;
  • (b) ACA Marketplace / Qualified Health Plans (QHPs) on Federally-Facilitated and State-Based Exchanges;
  • (c) Medicare (including Medicare Advantage, Part D, and Medigap);
  • (d) Medicaid and CHIP managed care plans;
  • (e) COBRA continuation coverage (educational guidance);
  • (f) Individual and family plans outside the Marketplace; and
  • (g) U.S. Military Veterans enrolled in Veterans Health Administration (VHA) benefits, including access to VA health records and benefits data via the VHA Lighthouse APIs.

As payer Patient Access API integrations are activated, MHICO aims to support members across all available lines of business for each participating health plan.

6. Not Insurance, Medical, or Legal Advice

MHICO is an educational and navigational tool. The Platform does not provide insurance, medical, legal, tax, or financial advice. MHICO is not an insurance company, broker, or agent. We do not sell, bind, or underwrite insurance policies.

MHICO consults the data sources available to it (your linked coverage and claims data, documents you upload, and public web search) before responding. However, AI-generated outputs may contain errors. Verify important coverage decisions with your insurer or benefits administrator.

7. User Accounts and Eligibility

The Platform is intended solely for use by residents of the United States, its territories, and the District of Columbia. By creating an account, you represent that you are a resident of the United States, its territories, or the District of Columbia.

You must be at least 18 years of age to create an account. You represent that all information you provide is accurate, current, and complete. You are responsible for maintaining account credential confidentiality and for all activities under your account.

8. Prohibited Uses

You agree not to:

  • (a) Use the Platform unlawfully;
  • (b) Attempt unauthorized access to systems or data;
  • (c) Interfere with Platform operation;
  • (d) Scrape or harvest data without written consent;
  • (e) Impersonate any person;
  • (f) Use the Platform to discriminate; or
  • (g) Use health data obtained through the Platform for targeted advertising, underwriting, or unauthorized purposes.

9. Intellectual Property

All content, features, and functionality of the Platform are the exclusive property of MHICO Inc. or its licensors. You are granted a limited, non-exclusive, non-transferable license to use the Platform for personal, non-commercial use (or internal business use for employer subscribers).

10. Third-Party Services and Integrations

The Platform integrates with the following third-party services:

  • Amazon Web Services (AWS). MHICO uses AWS for infrastructure hosting (EC2, EBS), AI-powered response generation (AWS Bedrock, using Anthropic’s Claude models), content delivery and TLS termination (AWS CloudFront), web application firewall (AWS WAF, attached to CloudFront), DNS resolution (AWS Route 53), and log aggregation (AWS CloudWatch). Web server access and error logs are shipped to CloudWatch and retained for 90 days; Django application logs (HTTP errors and authentication events) are shipped to CloudWatch and retained for 90 days; AWS WAF logs (request metadata including IP addresses) are retained for 14 days in CloudWatch in the us-east-1 region. All logs are used solely for security and incident response purposes. Any data you upload or enter, including documents, images, and health information, may be processed by AWS Bedrock to generate responses. Personal data is stored in the United States; CloudFront edge locations are used solely for traffic routing and do not store personal data. MHICO has executed a signed HIPAA Business Associate Agreement (BAA) with AWS covering all services listed above.
  • Brave Search. The Platform may use Brave Search to retrieve publicly available web information in response to your queries. The AI is instructed not to include personally identifiable information or protected health information in search queries; queries are designed to be generic and informational only.
  • Google (Sign in with Google). MHICO offers “Sign in with Google” as an optional authentication method. If you use this option, Google receives your authentication request and returns your name and email address to MHICO. MHICO does not receive or store your Google password. Your use of Google Sign-In is also subject to Google’s Privacy Policy.
  • Google (Google Ads). If you arrive at MHICO via a Google advertisement and create an account in that session, MHICO transmits the Google Click Identifier (GCLID) and a signup timestamp to Google via Google’s server-side Conversion API. No health information or personal data beyond the click identifier is transmitted. No Google tracking pixels or JavaScript tags are loaded on any MHICO page. This practice is governed by Google’s Privacy Policy.
  • Reddit (Reddit Ads). If you arrive at MHICO via a Reddit advertisement and create an account in that session, MHICO transmits the Reddit Click Identifier (rdt_cid) and a signup timestamp to Reddit via Reddit’s server-side Conversions API. No health information or personal data beyond the click identifier is transmitted. No Reddit tracking pixels or JavaScript tags are loaded on any MHICO page. This practice is governed by Reddit’s Privacy Policy.
  • Twilio (SendGrid & Verify). MHICO uses Twilio’s SendGrid service to deliver transactional emails, including account verification emails, email-based MFA codes, and policy update notifications. MHICO uses Twilio Verify to send SMS one-time passwords to users who enable SMS two-factor authentication. Your email address is shared with SendGrid for email delivery; your mobile phone number (if SMS MFA is enabled) is shared with Twilio Verify solely for authentication purposes.
  • Health Plan Patient Access APIs (commercial payers). MHICO connects directly to commercial health plan FHIR-based Patient Access APIs. As integrations are activated, you can authorize MHICO to retrieve your data from participating commercial payers (such as Anthem, UnitedHealthcare, Aetna, and Cigna) via OAuth 2.0. No intermediary handles your data for these connections.
  • CMS Blue Button 2.0 API (Medicare — direct government connection). For Medicare beneficiaries who authorize access, MHICO connects directly to the Centers for Medicare & Medicaid Services Blue Button 2.0 API. MHICO retrieves your Medicare Part A, Part B, and Part D claims data on your behalf. Authorization is performed through your MyMedicare.gov account via OAuth 2.0. CMS is a federal government entity, not a contracted service provider; your use of this connection is subject to CMS Blue Button 2.0 Terms of Service.
  • VHA Lighthouse APIs (Veterans Affairs — direct government connection). For Veterans enrolled in VHA benefits who authorize access, MHICO connects directly to the U.S. Department of Veterans Affairs Lighthouse APIs. MHICO retrieves your VA health and benefits data on your behalf. Authorization is performed through your VA.gov account via OAuth 2.0. The VA is a federal government entity, not a contracted service provider; your use of this connection is subject to VA Lighthouse API Terms of Service.

Your use of the Platform may be subject to these third-party providers’ terms of service. MHICO is not responsible for third-party availability or practices. Note: CMS and the VA are federal government entities and are not subject to the contractual data protection commitments that apply to MHICO’s private contracted service providers.

All contracted third-party service providers and app developers engaged by MHICO are contractually obligated to follow commitments substantively similar to those in our Privacy Policy regarding the use and disclosure of personal data, health data, and de-identified information, including equivalent security safeguards, breach notification obligations, and prohibitions on re-identification.

11. Disclaimers and Limitation of Liability

THE PLATFORM IS PROVIDED “AS IS” AND “AS AVAILABLE” WITHOUT WARRANTIES OF ANY KIND, EITHER EXPRESS OR IMPLIED.

TO THE MAXIMUM EXTENT PERMITTED BY LAW, MHICO SHALL NOT BE LIABLE FOR ANY INDIRECT, INCIDENTAL, SPECIAL, CONSEQUENTIAL, OR PUNITIVE DAMAGES ARISING OUT OF YOUR USE OF THE PLATFORM.

MHICO’s total aggregate liability shall not exceed the greater of: (a) amounts paid by you in the twelve (12) months preceding the claim; or (b) one hundred dollars ($100).

12. Indemnification

You agree to indemnify, defend, and hold harmless MHICO Inc., its officers, directors, employees, and agents from claims arising out of your use of the Platform, your violation of these Terms, your violation of any third-party right, or any data you provide.

13. Dispute Resolution and Arbitration

13.1 Informal Resolution. Contact julia@mhico.ai to attempt informal resolution within thirty (30) days.

13.2 Binding Arbitration. If informal resolution fails, disputes shall be resolved by binding arbitration under the AAA Consumer Arbitration Rules in New Jersey.

13.3 Class Action Waiver. YOU WAIVE ANY RIGHT TO PARTICIPATE IN A CLASS ACTION LAWSUIT OR CLASS-WIDE ARBITRATION.

13.4 New Jersey Enforceability. This provision is governed by the Federal Arbitration Act, 9 U.S.C. §§ 1–16. The parties acknowledge enforceability standards under N.J.S.A. 2A:23B-1 et seq. and applicable case law including Atalese v. U.S. Legal Services Group, L.P., 219 N.J. 430 (2014).

BY AGREEING TO THESE TERMS, YOU WAIVE YOUR RIGHT TO A TRIAL BY JURY AND YOUR RIGHT TO PARTICIPATE IN A CLASS ACTION.

14. Governing Law

These Terms are governed by New Jersey law, without regard to conflict of law provisions, except as preempted by federal law.

15. Termination and Change of Ownership

15.1 Termination by MHICO. We may terminate or suspend access at any time upon notice. Upon termination: (a) your license ceases; (b) you may request export or deletion of personal data per our Privacy Policy; and (c) data is handled per our Privacy Policy and CARIN commitments.

15.2 Account Closure by You. You may close your account at any time through your account settings or by contacting julia@mhico.ai. Upon closure, all your personal data and health information are immediately and permanently removed. A de-identified record with no personally identifiable information is retained solely for audit integrity and legal compliance purposes. See Privacy Policy Section 8.2 for full details, including the limited situations when immediate deletion may not be feasible.

15.3 Change of Ownership or Cessation of Business. In the event of a merger, acquisition, sale of assets, reorganization, bankruptcy, or cessation of business, MHICO will handle your personal data as follows: (a) provide advance written notice at least thirty (30) days before any data transfer; (b) describe the identity of the successor entity, scope of data transferred, and successor’s intended data practices; (c) ensure the successor’s commitments are consistent with our Privacy Policy at the time of transfer; (d) provide you the option to securely download your data, request secure deletion, or close your account before the transfer; and (e) if MHICO ceases operations without a successor, securely dispose of all personal data within sixty (60) days and notify affected users.

16. Miscellaneous

If any provision is unenforceable, the remainder continues in effect. Failure to enforce any right is not a waiver. These Terms, together with the Privacy Policy, constitute the entire agreement.

17. Contact Information

MHICO Inc., My Health Insurance Copilot

Website: https://mhico.ai

Email: julia@mhico.ai