Acceptable Use Policy

Effective: April 23, 2025
Updated: April 23, 2025
Version 1.0

1. Purpose and Scope

1.1

This Acceptable Use Policy (AUP) governs all access to and use of the HealthLink Secure platform (the Platform) operated by Informed + Choice (we, our, or us). The Platform enables authorized users to access Medicare beneficiary data and other health-related information and provides supplemental tools such as chatbots, appointment-scheduling modules, and customizable agent websites.

1.2

The AUP applies to every individual or entity that accesses or uses any portion of the Platform, including: (1) licensed insurance agents and brokers; (2) clinicians and other health-care professionals (for example, physicians, nurses, care coordinators); (3) authorized staff of health-care organizations (for example, administrators of accountable care organizations, physician groups, or federally qualified health centers); and (4) any other person granted access to the Platform or its data.

1.3

This AUP supplements—but does not replace—your independent legal and professional obligations, including those under the Health Insurance Portability and Accountability Act of 1996 (HIPAA), the CMS Blue Button 2.0 Terms of Service, state licensing laws, and Centers for Medicare & Medicaid Services (CMS) marketing regulations.

2. Definitions

2.1 PHI

PHI means protected health information as defined by HIPAA.

2.2 Beneficiary Authorization

Beneficiary Authorization means a documented, active consent or authorization by a Medicare beneficiary permitting the Platform to retrieve, store, and share that beneficiary’s data with designated users.

2.3 User (you)

User (you) means any natural person or legal entity that accesses or uses any component of the Platform under an issued account or API credential.

3. Eligibility and User Credentials

3.1 Active Licensure or Credentials

By registering an account you represent that you hold all licenses, certifications, and credentials required to perform your role. You must notify us immediately if any licensure or credential is suspended, revoked, or expires. Continued use of the Platform without valid credentials is prohibited.

3.2 Single-User Accounts

Each account is for a single named individual. You must keep credentials confidential, may not share them with others, and may not access the Platform using another person’s credentials.

3.3 Verification

We may request documentary proof of licensure or authorization and may suspend or terminate access for failure to provide proof.

4. Authorized Uses of Data and Services

4.1 Permitted Purpose

You may access PHI and other data obtained through the Platform solely to serve the beneficiary (for example, enrollment assistance, clinical treatment, care coordination) in accordance with the scope of the beneficiary’s authorization and applicable law.

4.2 Minimum Necessary

You must limit any use, disclosure, or request for PHI to the minimum necessary information required to accomplish the intended purpose.

4.3 Chatbot and AI Tools

Chatbots and AI features are provided for convenience. They may not be relied on as the sole source of clinical or financial advice, and you must not input PHI into tools that are not identified as HIPAA-supporting.

4.4 Custom Agent Websites

When using Platform-provided websites or landing pages, you must comply with CMS Medicare Communications and Marketing Guidelines and display all required disclaimers. Misleading or deceptive content is prohibited.

4.5 Scope-of-Appointment (SOA) and Scheduling Tools

SOA forms must be completed and stored in accordance with CMS rules, including the 48-hour rule where applicable. You must not manipulate scheduling tools to circumvent regulatory timing requirements.

4.6 Data Retention

The Platform stores certain records (for example, SOA PDFs and audit logs) for your convenience, but ultimate regulatory retention duties remain yours. You must export and retain any records you are legally required to maintain.

5. Prohibited Activities

5.1

Access data without authorization or in excess of beneficiary consent.

5.2

Redisclose or sell data obtained through the Platform to any third party except as expressly permitted by law and the beneficiary’s authorization.

5.3

Scrape, mine, or bulk-download data using automated scripts or tools.

5.4

Impersonate any person or entity or misrepresent your affiliation with Medicare or the U.S. government.

5.5

Introduce malicious code or attempt to bypass security controls, probe for vulnerabilities, or disrupt system operation.

5.6

Transmit unlawful, harassing, or discriminatory content, or use the Platform to facilitate illegal activity (for example, insurance fraud or unapproved marketing).

5.7

Violate CMS marketing rules, including unsolicited beneficiary contact or failure to provide required disclaimers.

6. Security and Privacy Obligations

6.1 Safeguards

You must implement administrative, physical, and technical safeguards consistent with HIPAA to protect PHI, including encrypted transmission and storage, secure workstations, and proper screen-locking.

6.2 Breach Notification

You must promptly report to us any security incident or breach involving PHI accessed via the Platform and cooperate with required notifications under applicable law.

6.3 Audit

We reserve the right to audit Platform activity logs and user conduct to verify compliance. You agree to cooperate with any audit or investigation by us, CMS, OCR, or other regulators.

7. Enforcement and Remedies

7.1 Suspension or Termination

Violation of this AUP may result in suspension or permanent termination of your access, deletion of data you uploaded, and other remedial steps at our discretion.

7.2 Regulatory Reporting

We may report serious violations to licensing boards, CMS, OCR, or other authorities.

7.3 Indemnification

You agree to indemnify and hold us harmless from any liability, loss, or expense arising out of your violation of this AUP or applicable laws.

8. Changes to the AUP

8.1

We may amend this AUP at any time. Material changes will be communicated via email or Platform notice at least 30 days before they become effective, unless a shorter period is required to comply with law or address an urgent security concern.

9. Contact Information

9.1

Informed + Choice — Compliance Department

9.2

Email: [email protected]

9.3

Legal Contact — Lyndsy Rodgers
Email: [email protected]
Address: 1034 N. Madison Ave, Pasadena, CA 91104

10. Acknowledgment

10.1

By accessing or using any part of the Platform on or after April 23, 2025, you acknowledge that you have read, understood, and agreed to be bound by the terms of this Acceptable Use Policy.