Informed + Choice – Terms of Service
Informed + Choice – Terms of Service
Effective Date: April 23, 2025
These Terms of Service (the “Terms”) constitute a legally‑binding agreement between Ardor Service LLC d/b/a Informed + Choice (“Informed + Choice,” “we,” “our,” or “us”) and (a) any Licensed or Authorized User (defined below) who registers for an account on, integrates with, or otherwise uses Informed + Choice, and (b) any Medicare Beneficiary who authorizes the transmission of their Medicare data through Informed + Choice (collectively, “you” or “your”).
Blue Button 2.0 Attribution & Disclaimer
Informed + Choice uses the Centers for Medicare & Medicaid Services’ Blue Button 2.0 APIs but is only a registered Blue Button application and is not endorsed or certified by Medicare, the Centers for Medicare & Medicaid Services (CMS), or the U.S. Department of Health & Human Services (HHS).
1. Definitions
| Term | Meaning |
|---|---|
| ”Service” | The Informed + Choice online service, associated APIs, mobile or web applications, documentation, and all related services provided by Informed + Choice. |
| ”Medicare Beneficiary” | A person enrolled in Medicare who authorizes the Service, via Medicare’s secure OAuth flow, to access their Medicare claims data. |
| ”Authorized User” | A healthcare provider, pharmacist, licensed insurance agent or other professional who registers for an account on the Service and, with a Beneficiary’s consent, accesses that Beneficiary’s data. |
| ”PHI” | Protected Health Information as defined by the Health Insurance Portability and Accountability Act of 1996 (HIPAA). |
| ”CMS Data” | Health information obtained from CMS via the Blue Button 2.0 API, including but not limited to Parts A, B and D claims, coverage, and related metadata. |
| ”Consent Window” | The limited period—ten (10) hours unless otherwise displayed—during which the Service may receive, display, prefill, or transmit CMS Data after Beneficiary consent. The Consent Window does not by itself define retention for submitted annual review information, provider refresh keys, audit records, or records that must be kept for legal, security, operational, or recordkeeping reasons. |
2. Scope of Agreement
2.1 Separate Audiences
Medicare Beneficiaries do not create accounts or continuously use the Service. Your interaction is limited to providing or revoking authorization.
Authorized Users create accounts, integrate with, and actively use the Service to view Beneficiary data for permitted purposes.
Where provisions apply only to one audience, headings and context will indicate so.
3. Consent & Authorization (For Beneficiaries)
Voluntary Authorization. You may voluntarily authorize Informed + Choice, through Medicare’s Blue Button 2.0 OAuth process, to retrieve your Medicare claims data for the purpose of sharing it with a chosen Authorized User, displaying it in the authorized workflow, or helping prefill an annual review that you choose to submit.
Informed Disclosure. Prior to authorization you will be shown: (a) the name and contact information of the Authorized User; (b) the categories of data requested; and (c) the duration of access (the Consent Window).
Revocation. You may revoke authorization at any time by (i) using the Medicare.gov “Manage My Connected Apps” dashboard, (ii) using any revocation option presented in our emails/SMS, or (iii) contacting us at [email protected]. Revocation stops future retrieval or transmission under the revoked authorization. If you ask us to remove information obtained from Medicare through Blue Button for an annual review or provider/physician workflow, we remove that information from our active systems and do not continue storing it, except for minimal audit, security, legal, or operational records we are required to keep. Provider refresh keys are removed when the related provider authorization expires or is revoked.
No Condition of Benefits. Granting or withholding authorization has no effect on your Medicare benefits.
4. Account Registration & Responsibilities (For Authorized Users)
Eligibility. You must be (i) a duly‑licensed healthcare provider, pharmacist, insurance agent, or other professional authorized under applicable law to receive Beneficiary health data, and (ii) located in the United States.
Accurate Information. You agree to provide true, current, and complete registration information and to keep it updated.
Credential Security. You are responsible for maintaining the confidentiality of your Service credentials and any data exported to your systems.
Permitted Use. You will use Beneficiary data solely for healthcare operations, care management, or plan advisory services for that Beneficiary. You will not:
- reuse the data for marketing, analytics, or other Beneficiaries without fresh consent;
- request, access, use, collect, or share a Beneficiary’s Medicare.gov username/password or other Medicare.gov login credentials; or
- retain PHI beyond your own legal record‑keeping requirements without appropriate safeguards.
Regulatory Compliance. If you are a HIPAA Covered Entity or your activities otherwise trigger HIPAA, you agree to execute our Business Associate Agreement (“BAA”). In all cases, you agree to handle PHI with reasonable and appropriate administrative, technical, and physical safeguards.
Audit Rights. We reserve the right to audit or suspend your access if we believe you are misusing the Service or violating these Terms.
5. Data Handling & Retention (Company Commitments)
Connection Model. We are not a general CMS Data warehouse. CMS Data is held only as necessary to receive, display, prefill, transmit, and perform minimal processing for the workflow you authorized. If you do not submit an annual review and no provider refresh authorization applies, CMS Data used for the connection is deleted after the Consent Window ends.
Submitted Annual Review Information. If a Medicare Beneficiary submits an annual review to an Authorized User, we may store the annual review information used for that review for up to one year after submission. This may include information the Beneficiary confirmed, information the Beneficiary marked as incorrect, information the Beneficiary added, source dates, and related review records. We store this information for up to one year because Medicare plan reviews are tied to the plan year. If questions, coverage concerns, or follow-up issues arise during that plan year, the Authorized User can refer back to the information used for the review. After one year, a new annual review may require new information, a new manual submission, or a new Medicare Data authorization.
Provider Refresh Keys. For provider workflows, we may store a secure key that allows the provider to request the latest information from the Beneficiary’s plan until the approval period ends. This key is typically kept for up to 13 months, or until the Beneficiary revokes access, then removed from our systems.
Removal Requests. A Beneficiary may ask us to remove information obtained from Medicare through Blue Button for an annual review or provider/physician workflow by contacting the Authorized User or Informed + Choice at [email protected]. When we receive that request, we remove that information from our active systems and do not continue storing it, except for minimal audit, security, legal, or operational records we are required to keep.
No Sale or Advertising Use. We never sell, rent, or otherwise monetize Beneficiary PHI, nor do we use it for targeted advertising.
Security Measures. We employ administrative, technical, and physical safeguards designed to protect Beneficiary information, including encryption in transit and at rest, hardened infrastructure, role-based access controls, logging, monitoring, and access reviews.
Service Providers. Vendors and subcontractors that handle data for the Service are bound by appropriate privacy and security commitments, including Business Associate Agreements where required, and may use the data only to help operate the Service.
Breach Notification. In the unlikely event of a data breach involving PHI, we will notify affected parties and regulators as required by HIPAA, the FTC Health Breach Notification Rule, and other applicable laws.
Business Transfers. If Informed + Choice is involved in a merger, acquisition, financing, reorganization, bankruptcy, receivership, or sale of assets, information covered by these Terms may be transferred as part of that transaction. Any transferred information remains subject to the applicable Privacy Policy and these Terms unless we notify affected users of a material change and obtain any required approval.
6. Privacy Policy Incorporation
Our Beneficiary Privacy Policy, available at https://informedpluschoice.com/privacy/, explains how we collect, use, store, and share information for Medicare Beneficiaries and health plan enrollees. Our Professional User Privacy Policy, available at https://informedpluschoice.com/legal/privacy-policy/, explains how we handle information for Authorized Users. Both policies are incorporated into these Terms by reference. In the event of a conflict, the stricter protection for individual privacy will control.
7. Intellectual Property
We retain all rights, title, and interest in the Service, including software, branding, and content, except that CMS Data remains the property of CMS and/or the Beneficiary. Nothing in these Terms transfers ownership of CMS Data to us.
8. Disclaimers
No Medical Advice. The Service itself does not provide medical or insurance advice. Any advice is provided solely by the Authorized User.
Data Origin. CMS Data is supplied by CMS systems. We do not warrant its completeness or accuracy.
AS IS. Except as expressly stated, the Service is provided “AS IS” and “AS AVAILABLE” without warranties of any kind.
9. Limitation of Liability
To the maximum extent permitted by law, Informed + Choice will not be liable for (a) indirect, incidental, special, or consequential damages, or (b) an amount exceeding the greater of fees paid to us for the prior twelve (12) months or one hundred U.S. dollars (US $100), arising out of or relating to these Terms or the Service.
Some jurisdictions do not allow certain limitations; in such cases our liability is limited to the minimum extent permitted by law.
10. Indemnification (Authorized Users)
You agree to indemnify, defend, and hold harmless Informed + Choice and its affiliates from any claims or liabilities arising out of (i) your misuse of CMS Data, (ii) your violation of law or these Terms, or (iii) content or instructions you provide to the Service.
11. Termination
By Authorized User. You may delete your account at any time. We retain minimal audit logs as required by law.
By Beneficiary. Revocation of authorization terminates our ability to transmit your CMS Data going forward.
By Company. We may suspend or terminate access immediately if you violate these Terms or CMS policy, or upon reasonable belief your use poses a risk to Beneficiary privacy or Service integrity.
Effect. Upon termination we will cease data transmission and delete stored CMS Data as described in Section 5.
12. Governing Law & Venue
These Terms are governed by the laws of the State of California and applicable U.S. federal law. Any dispute will be resolved in the state or federal courts located in Los Angeles County, California, unless otherwise preempted by federal law.
13. Changes to Terms
We may update these Terms from time to time. Material changes affecting Beneficiary data handling will not take effect until approved by CMS and after we provide at least 30 days’ notice to affected users. Continued use of the Service after changes become effective constitutes acceptance.
14. Contact Us
Ardor Service LLC d/b/a Informed + Choice
1034 North Madison Avenue
Pasadena, California 91104
Email: [email protected]
Legal Contact — Lyndsy Rodgers
Email: [email protected]
Address: 1034 N. Madison Ave, Pasadena, CA 91104
By using the Service—either by (i) registering for an account (Authorized User) or (ii) authorizing data transmission (Beneficiary)—you acknowledge that you have read, understood, and agree to be bound by these Terms of Service.