HealthLink Secure – Terms of Service

Effective Date: April 23, 2025

These Terms of Service (the "Terms") constitute a legally‑binding agreement between Ardor Service LLC d/b/a Informed + Choice ("Informed + Choice," "we," "our," or "us") and (a) any Licensed or Authorized User (defined below) who registers for an account on, integrates with, or otherwise uses the HealthLink Secure platform, and (b) any Medicare Beneficiary who authorizes the transmission of their Medicare data through HealthLink Secure (collectively, "you" or "your").

Blue Button 2.0 Attribution & Disclaimer

HealthLink Secure uses the Centers for Medicare & Medicaid Services' Blue Button 2.0 APIs but is not endorsed or certified by the Centers for Medicare & Medicaid Services (CMS) or the U.S. Department of Health & Human Services (HHS).

1. Definitions

Term Meaning
"Service" The HealthLink Secure online platform, associated APIs, mobile or web applications, documentation, and all related services provided by Informed + Choice.
"Medicare Beneficiary" A person enrolled in Medicare who authorizes the Service, via Medicare's secure OAuth flow, to access their Medicare claims data.
"Authorized User" A healthcare provider, pharmacist, licensed insurance agent or other professional who registers for an account on the Service and, with a Beneficiary's consent, accesses that Beneficiary's data.
"PHI" Protected Health Information as defined by the Health Insurance Portability and Accountability Act of 1996 (HIPAA).
"CMS Data" Health information obtained from CMS via the Blue Button 2.0 API, including but not limited to Parts A, B and D claims, coverage, and related metadata.
"Consent Window" The limited period—ten (10) hours unless otherwise displayed—during which the Service may transmit CMS Data to an Authorized User after Beneficiary consent.

2. Scope of Agreement

2.1 Separate Audiences

  • Medicare Beneficiaries do not create accounts or continuously use the Service. Your interaction is limited to providing or revoking authorization.
  • Authorized Users create accounts, integrate with, and actively use the Service to view Beneficiary data for permitted purposes.

Where provisions apply only to one audience, headings and context will indicate so.

3. Consent & Authorization (For Beneficiaries)

  1. Voluntary Authorization. You may voluntarily authorize HealthLink Secure, through Medicare's Blue Button 2.0 OAuth process, to retrieve your Medicare claims data for the sole purpose of sharing it with a chosen Authorized User.
  2. Informed Disclosure. Prior to authorization you will be shown: (a) the name and contact information of the Authorized User; (b) the categories of data requested; and (c) the duration of access (the Consent Window).
  3. Revocation. You may revoke authorization at any time by (i) using the Medicare.gov "Manage My Connected Apps" dashboard, (ii) using any revocation option presented in our emails/SMS, or (iii) contacting us at [email protected]. Upon revocation we will immediately cease transmission and delete any CMS Data remaining in our possession, except audit logs required by law.
  4. No Condition of Benefits. Granting or withholding authorization has no effect on your Medicare benefits.

4. Account Registration & Responsibilities (For Authorized Users)

  1. Eligibility. You must be (i) a duly‑licensed healthcare provider, pharmacist, insurance agent, or other professional authorized under applicable law to receive Beneficiary health data, and (ii) located in the United States.
  2. Accurate Information. You agree to provide true, current, and complete registration information and to keep it updated.
  3. Credential Security. You are responsible for maintaining the confidentiality of your Service credentials and any data exported to your systems.
  4. Permitted Use. You will use Beneficiary data solely for healthcare operations, care management, or plan advisory services for that Beneficiary. You will not:
    • reuse the data for marketing, analytics, or other Beneficiaries without fresh consent;
    • request or collect a Beneficiary's Medicare.gov username/password; or
    • retain PHI beyond your own legal record‑keeping requirements without appropriate safeguards.
  5. Regulatory Compliance. If you are a HIPAA Covered Entity or your activities otherwise trigger HIPAA, you agree to execute our Business Associate Agreement ("BAA"). In all cases, you agree to handle PHI with reasonable and appropriate administrative, technical, and physical safeguards.
  6. Audit Rights. We reserve the right to audit or suspend your access if we believe you are misusing the Service or violating these Terms.

5. Data Handling & Retention (Company Commitments)

  1. Pipeline Model. We operate as a secure data pipeline, not a warehouse. CMS Data is held only as necessary to transmit it to the intended Authorized User and perform minimal processing (e.g., formatting). Unless you are enrolled in an optional analytics module (subject to a separate agreement), we delete all CMS Data at the end of the Consent Window.
  2. No Sale or Advertising Use. We never sell, rent, or otherwise monetize Beneficiary PHI, nor do we use it for targeted advertising.
  3. Security Measures. We employ industry‑standard safeguards including end‑to‑end encryption, hardened infrastructure, role‑based access controls, continuous monitoring, and SOC 2 Type II‑audited processes.
  4. Breach Notification. In the unlikely event of a data breach involving PHI, we will notify affected parties and regulators as required by HIPAA, the FTC Health Breach Notification Rule, and other applicable laws.

6. Privacy Policy Incorporation

Our Privacy Policy, available at https://informedpluschoice.com/privacy/, explains in detail how we collect, use, and share information. That Policy is incorporated into these Terms by reference. In the event of a conflict, the stricter protection for individual privacy will control.

7. Intellectual Property

We retain all rights, title, and interest in the Service, including software, branding, and content, except that CMS Data remains the property of CMS and/or the Beneficiary. Nothing in these Terms transfers ownership of CMS Data to us.

8. Disclaimers

  1. No Medical Advice. The Service itself does not provide medical or insurance advice. Any advice is provided solely by the Authorized User.
  2. Data Origin. CMS Data is supplied by CMS systems. We do not warrant its completeness or accuracy.
  3. AS IS. Except as expressly stated, the Service is provided "AS IS" and "AS AVAILABLE" without warranties of any kind.

9. Limitation of Liability

To the maximum extent permitted by law, Informed + Choice will not be liable for (a) indirect, incidental, special, or consequential damages, or (b) an amount exceeding the greater of fees paid to us for the prior twelve (12) months or one hundred U.S. dollars (US $100), arising out of or relating to these Terms or the Service.

Some jurisdictions do not allow certain limitations; in such cases our liability is limited to the minimum extent permitted by law.

10. Indemnification (Authorized Users)

You agree to indemnify, defend, and hold harmless Informed + Choice and its affiliates from any claims or liabilities arising out of (i) your misuse of CMS Data, (ii) your violation of law or these Terms, or (iii) content or instructions you provide to the Service.

11. Termination

  1. By Authorized User. You may delete your account at any time. We retain minimal audit logs as required by law.
  2. By Beneficiary. Revocation of authorization terminates our ability to transmit your CMS Data going forward.
  3. By Company. We may suspend or terminate access immediately if you violate these Terms or CMS policy, or upon reasonable belief your use poses a risk to Beneficiary privacy or Service integrity.
  4. Effect. Upon termination we will cease data transmission and delete stored CMS Data as described in Section 5.

12. Governing Law & Venue

These Terms are governed by the laws of the State of California and applicable U.S. federal law. Any dispute will be resolved in the state or federal courts located in Los Angeles County, California, unless otherwise preempted by federal law.

13. Changes to Terms

We may update these Terms from time to time. Material changes affecting Beneficiary data handling will not take effect until approved by CMS and after we provide at least 30 days' notice to affected users. Continued use of the Service after changes become effective constitutes acceptance.

14. Contact Us

Ardor Service LLC d/b/a Informed + Choice

1034 North Madison Avenue

Pasadena, California 91104

Email: [email protected]

Phone: (714) 317‑2779

By using the Service—either by (i) registering for an account (Authorized User) or (ii) authorizing data transmission (Beneficiary)—you acknowledge that you have read, understood, and agree to be bound by these Terms of Service.

©2025 Ardor Service LLC d/b/a Informed + Choice. All rights reserved.