Key Consent Strategies to Navigate CMS Medicare and TCPA Compliance [Webinar Recap]

How prepared is your health insurance sales organization to navigate the shifting regulatory tides of CMS and TCPA compliance? With regulatory fines and the potential loss of key partners looming for those who fall behind, understanding the latest requirements is more critical than ever.

ActiveProspect’s webinar, [FCC Series: Episode 14] Harmonized Compliance: Consent Strategies for CMS Medicare and TCPA brings in expert guidance for Medicare professionals engaged in lead generation and sales with the essential knowledge and actionable steps needed to stay ahead of the curve.

Hosted by Ben Farrar, Director of Privacy, Security, and Compliance at ActiveProspect, and featuring industry experts Chris Deatherage, General Counsel at Apollo Interactive, and John Henson, Attorney at Troutman Amin, the session delved into the critical updates to CMS and TCPA regulations, their implications for your business, and the practical strategies necessary for maintaining compliance in today’s evolving regulatory landscape.

The new rules from the Centers for Medicare & Medicaid Services (CMS) and the Telephone Consumer Protection Act (TCPA) updates set stringent requirements for how personal data is collected, managed, and shared. For individuals and organizations involved in the Medicare chain of enrollment, following both regulations is essential.

"In April, CMS released their annual rule... any TPMO that collects personal beneficiary data has to have that beneficiary's prior express written consent before they can share that data with an additional TPMO," Henson said. ​This rule, effective October 1, 2024, marks a significant shift in regulatory expectations and underscores the growing importance of strict data privacy and consent protocols.

The TCPA one-to-one consent update, effective January 27, 2025, requires each consumer to give consent to a single seller at a time in order for that seller to contact the consumer.

The two rule changes go hand-in-hand, but they have important distinctions. “The TCPA focuses on the definition of a seller, which is very different from the definition of a TPMO under CMS's rules,” Deatherage said. “In a lot of instances in this industry, the seller will not be a TPMO.”

“In the insurance space, the seller is frequently the entity that writes the policies. You're talking about Humana, UHC, Anthem, or Elevance…all these different carriers, whereas the TPMO is never a carrier.”

A TPMO is any organization or individual that is compensated to perform lead generation, marketing, sales, or enrollment-related functions as part of the chain of enrollment in a Medicare Advantage (MA) or Part D plan.

These distinctions mean that the CMS update coming in October is not “just a rinse of repeat of what you were getting ready to do in January [for TCPA],” Farrar said.

To summarize the essential points of difference between the TCPA and CMS rules:

• The TCPA update requires each seller to get prior express written consent before contacting a consumer.

• The CMS update requires TPMOs to get prior express written consent before sharing data with another TPMO.

Failing to comply with the CMS and TCPA regulations isn’t just risky—it could be disastrous for your business. Non-compliance can be financially and legally devastating. “The penalties can be steep. The consequences can be steep,” Henson said.

This stark reality means that you must be vigilant, ensuring that your consent practices are fully aligned with the latest regulations. Even a minor oversight in consent capture or data sharing can trigger substantial fines, lawsuits, and other regulatory sanctions—draining your resources and disrupting your operations.

The risks don’t stop at fines and legal action. Non-compliance can also jeopardize your critical business relationships, especially with carriers who play a vital role in the Medicare space. If a carrier discovers that your practices are non-compliant, the consequences can be swift and severe.

"If the carrier finds out your ads were not compliant, or you weren't getting proper consent or transferring properly…[they] can just execute you right there. No trial, no nothing. They’re just going to send out an email saying, ‘Don’t do business with this TPMO,’” Deatherage said. This means that even a single major compliance failure could lead to the permanent loss of key partnerships, effectively shutting you out of the Medicare market.

To avoid crippling penalties, protect vital business relationships, and safeguard your operations from legal action, you must prioritize compliance at every level. The stakes are simply too high to do otherwise.

The compliance landscape has always been fraught with complexity, and these updates add yet another layer. To help you comply with these regulatory changes, Henson and Deatherage broke down key strategies.

One of the most effective strategies for obtaining compliant consent is through the use of multi-party checkbox forms, where each party is listed individually. This method allows consumers to explicitly agree to share their data with specific entities involved in the lead generation process, offering both transparency and control over their personal information.

When using checkboxes, it’s essential that the box is presented unchecked to the consumer. “The default has to be not to share the consumer's data,” Deatherage said. The consumer must actively choose to share their data with certain parties.

When it comes to call transfers, navigating the requirements of both CMS and TCPA can be challenging, but there are specific guidelines that can help ensure compliance. The CMS ruling specifies cases when transferring a call to someone who can immediately assist.

"CMS has said that if you have a consumer on a call, and you can pass them to someone who can immediately help them, then you don't have to have prior express written consent to pass that [call] along," Henson said.

However, this transfer must be direct and cannot involve multiple parties daisy chained together. "You cannot transfer them anywhere else...it has to be that immediate assistance," Henson said.

There’s a critical caveat when dealing with outbound calls. In these cases, both TCPA and CMS regulations apply, adding an extra layer of complexity. For outbound calls, the calling party must have obtained prior express written consent under the TCPA before dialing the consumer.

If, during an outbound call, you plan to transfer the consumer to another party—such as an agent or broker—under CMS rules you must obtain "double consent." This means you need the initial TCPA consent to make the call and then secure CMS consent on the call before transferring the consumer to the TPMO agency or brokerage. "You need double consent in that instance," Henson said, "your TCPA consent, your CMS consent."

It’s also essential to note that if the person or entity you transferred the consumer to is not available to take the call at that time, they don’t have permission to call that consumer back.

These requirements underscore the importance of being meticulous in how you handle transfers to avoid any compliance missteps. Ensuring that all necessary consents are properly obtained before and during the call is vital for staying compliant with both sets of regulations.

Another innovative strategy discussed is sending a text or email consent request to the consumer while they are on the call. This approach allows the consumer to quickly provide written consent, which is particularly useful when the interaction is likely to lead to future communications or data sharing.

Henson described an example inbound scenario for this strategy: You can say, “Thanks for calling. I want to make sure this is a good number and that I can call you back. Do you mind if I send you a text [or an email]?” They can click on the link provided in that text or email, and it goes to a TCPA landing page where the consumer can give their consent to be contacted.

Henson expects this strategy to become common as organizations seek to comply with both CMS and TCPA regulations without disrupting the customer experience. It offers a flexible solution that can be adapted to different situations, ensuring that consent is captured in real time.

Effective vendor management is critical to maintaining compliance, especially when working with multiple third parties in the lead generation and marketing chain. Ensuring that all upstream and downstream partners are compliant with CMS and TCPA regulations will help your company avoid any liability.

Kickstart conversations to help you understand the entire lead flow. "If you're responsible for compliance, go to your marketing teams, go to your sales teams, and have them walk you through the process of the lead," Henson said.

He further stressed the need for continuous oversight: "Start reaching out to those partners, your third parties on either side—the buy or the sell side—and say, ‘How are you thinking about this? What can you do to help?’" By maintaining open lines of communication and regularly reviewing vendor practices, you can mitigate the risk of non-compliance.

Given the complexity of CMS and TCPA compliance, consulting with an expert is often the best course of action.

"If you need help on this, call John. Seriously, just call him. He will literally hold your hand and guide you. If you're a client of Apollo's, reach out to your account manager. I'm always happy to hop on [a call] and discuss regulations and what our plans are, and how we can maybe help you," Deatherage said.

While he mentioned specific legal counsel and an account manager from his company here, this advice applies broadly. Whether you’re working with a legal expert, an in-house compliance officer, or third-party software providers, it's crucial to seek out those who have the expertise to help you navigate these regulations.

With deadlines rapidly approaching—October 1 for the CMS rule and January 27 for the TCPA update—there’s no time to waste. If you haven’t addressed these requirements yet, you must do so now to avoid severe penalties and operational disruptions.

The path to compliance is clear: understand the regulations, implement effective consent capture and data sharing strategies, manage vendor relationships meticulously, and stay vigilant in monitoring your compliance efforts.

As Deatherage succinctly put it, “Compliance is literally comply or die.”

By prioritizing compliance, you not only protect your organization from legal and financial risks but also maintain strong business relationships and build lasting trust with your consumers in an increasingly regulated environment.

Get a recap of the latest contact center compliance news delivered monthly to your inbox. Subscribe here>

DISCLAIMER: The information on this page and related links is provided for general education purposes only and is not legal advice. Convoso does not guarantee the accuracy or appropriateness of this information to your situation. You are solely responsible for using Convoso’s services in a legally compliant way and should consult your legal counsel for compliance advice. Any quotes are solely the views of the quoted person and do not necessarily reflect the views or opinions of Convoso.