Blog

CMS Medicare Marketing Compliance for Lead Generators: The Complete 2026 Guide

CMS Medicare Marketing Compliance for Lead Generators: The Complete 2026 Guide

Master the regulatory framework governing Medicare lead generation. Learn TPMO requirements, one-to-one consent rules, Scope of Appointment protocols, prohibited practices, and how to build compliant operations that survive CMS enforcement.

Medicare lead generation operates under the most restrictive marketing rules in the insurance industry. The Centers for Medicare and Medicaid Services has progressively tightened controls over the past decade, driven by documented patterns of misleading and high-pressure tactics directed at elderly beneficiaries. For lead generators, the current regulatory framework – updated significantly for Contract Year 2026 – imposes requirements that fundamentally reshape how Medicare leads can be generated, transferred, and monetized.

This is not optional compliance. CMS can impose Civil Monetary Penalties exceeding $100,000 per violation. It can suspend your marketing activities, halt enrollment processing, or terminate your ability to participate in Medicare programs entirely. A single compliance failure can end a Medicare lead generation operation before you receive your first payment.

Those who succeed in Medicare treat CMS compliance not as a checkbox but as core business infrastructure. This guide covers everything you need to build and maintain that infrastructure: the regulatory framework, consent requirements, prohibited practices, documentation standards, and enforcement realities you will face.

Understanding the CMS Regulatory Framework

The Centers for Medicare and Medicaid Services administers Medicare – the federal health insurance program for Americans 65 and older, those with certain disabilities, and those with End-Stage Renal Disease. CMS regulates not just the healthcare delivery side but the marketing side as well, issuing annual rules through the Medicare Communications and Marketing Guidelines (MCMG) and related regulatory documents.

Medicare marketing rules exist because the beneficiary population is vulnerable. People over 65 are disproportionately targeted by scams. Cognitive decline affects some beneficiaries’ ability to evaluate complex insurance products. The stakes are high – choosing the wrong Medicare plan can result in thousands of dollars in unexpected medical costs or loss of access to preferred providers and medications.

CMS has responded by creating a regulatory framework stricter than what applies to other insurance products. If you are generating leads for Medicare Advantage, Medicare Supplement, or Part D plans, you are subject to these rules regardless of whether you consider yourself an “insurance company” or a “lead generator.”

Contract Year 2026 Updates

CMS issues final rules each April that take effect for the following contract year, which begins January 1. The Contract Year 2026 final rule, published in April 2024, implemented significant changes affecting lead generation:

One-to-One Consent Requirement: Before sharing beneficiary information with another entity, you must obtain prior express written consent from the beneficiary that specifically names each entity that will receive their data. This is not general consent to share information broadly – the beneficiary must consent to each specific recipient in the distribution chain.

Manual Dialing Consent: The 2026 rules clarified that even manual dialing – previously exempt from many telemarketing consent requirements – requires prior express written consent for Medicare marketing contacts. This closes a loophole that some operators exploited by avoiding automated dialers.

Recording Requirements: All sales, marketing, and enrollment calls with beneficiaries must be recorded in their entirety. This includes both inbound and outbound calls. The recording requirement applies to Third-Party Marketing Organizations (TPMOs) as well as plan sponsors.

Expanded TPMO Oversight: CMS strengthened requirements for written agreements between plan sponsors and TPMOs, and between TPMOs and their sub-contractors. These agreements must explicitly require compliance with all applicable CMS marketing requirements.

These changes represent CMS’s most aggressive move yet against lead aggregation models that traditionally collected broad consent and distributed leads to multiple buyers without beneficiary knowledge of who would contact them.

What is a Third-Party Marketing Organization (TPMO)?

Third-Party Marketing Organization is the regulatory term CMS uses for entities that perform lead generation, marketing, sales, and enrollment functions for Medicare Advantage and Part D plans. Understanding this classification is critical because it determines your compliance obligations.

TPMO Definition

Under CMS regulations, a TPMO is any individual or entity that:

  • Generates leads for Medicare Advantage or Part D plan enrollment
  • Conducts marketing activities on behalf of plan sponsors
  • Performs sales activities related to Medicare plans
  • Assists beneficiaries with enrollment in Medicare plans

If your business collects contact information from Medicare-eligible consumers and transfers that information to agents, brokers, Field Marketing Organizations (FMOs), or carriers for Medicare plan sales, you are a TPMO. The classification is functional, not definitional – what matters is what you do, not what you call yourself.

Some operators attempt to distinguish between “TPMOs” (which are subject to CMS rules) and “lead generators” (which they argue are not). This distinction does not exist in CMS’s regulatory framework.

CMS has explicitly stated that lead generation activities for Medicare plans fall within TPMO oversight. The Medicare Communications and Marketing Guidelines make clear that any entity performing marketing functions – which includes collecting prospective beneficiary information for transfer to plan sponsors or their representatives – is subject to TPMO requirements.

The practical implication: if you are generating Medicare leads, you are a TPMO under CMS rules, and you must comply with all TPMO requirements. Calling yourself a “lead generator” does not exempt you from CMS jurisdiction.

TPMO Registration and Agreement Requirements

Operating as a TPMO requires formal relationships with the plan sponsors whose products your leads ultimately support:

Written TPMO Agreements: You must have a written agreement with each plan sponsor (or their authorized intermediary, such as an FMO) whose Medicare products your leads will be used to market. These agreements must specify compliance obligations and require adherence to all CMS marketing rules.

Sub-Contractor Agreements: If you use sub-contractors in your lead generation activities – whether technology vendors, call centers, or other service providers – you must have written agreements with those sub-contractors that flow down CMS compliance requirements.

Chain of Agreements: CMS requires a complete chain of written agreements from the plan sponsor through every intermediary to the entity performing the marketing activity. If your lead distribution involves multiple parties, each link in the chain must have a compliant agreement in place.

These requirements create documentation burdens but also create accountability. When CMS investigates compliance failures, they trace the chain of agreements to determine who is responsible.

The one-to-one consent rule represents the most significant change to Medicare lead generation compliance in the past decade. Understanding this requirement is essential because it fundamentally alters how Medicare leads can be generated and distributed.

Under the one-to-one consent requirement, before you can share beneficiary contact information with another TPMO or plan sponsor, you must obtain prior express written consent from the beneficiary that specifically identifies that recipient.

This is different from traditional lead generation consent models. In auto insurance or mortgage lead generation, you might capture consent for contact from “marketing partners” or list dozens of potential buyers in small print – see our guide on the one-to-one consent rule for broader context. That approach does not work for Medicare.

For Medicare leads, your consent disclosure must specifically name each entity that will receive the beneficiary’s information. The beneficiary must affirmatively consent to contact from that specific entity. Generic consent to receive “Medicare information from our partners” does not satisfy CMS requirements.

A compliant consent disclosure for Medicare lead generation must include:

Specific Entity Identification: The name of each entity that will receive the beneficiary’s information. This cannot be a generic category like “insurance companies” or “Medicare plan sponsors.” It must be specific names.

Purpose of Contact: Clear statement that the beneficiary is consenting to be contacted for Medicare Advantage, Medicare Supplement, or Part D plan marketing purposes.

Contact Methods: Specification of what contact methods the beneficiary is consenting to – phone calls, text messages, emails, mail. The consent must authorize the specific methods that will be used.

ATDS and Prerecorded Message Authorization: If automated dialers or prerecorded messages will be used, the consent must specifically authorize that technology, consistent with TCPA requirements.

Not Condition of Purchase: Clear statement that providing consent is not a condition of receiving Medicare plan information or enrolling in any Medicare plan.

Example of compliant consent language:

“By providing my contact information and clicking submit, I consent to be contacted by [Specific Company Name] and [Second Specific Company Name] regarding Medicare Advantage and Medicare Supplement plans. I authorize contact by telephone, including automated dialing and prerecorded messages, text message, and email at the phone number(s) and email address provided. This consent is not a condition of enrollment in any Medicare plan.”

Lead Aggregation Model Challenges

Traditional lead aggregation models face fundamental challenges under one-to-one consent requirements.

The standard model for non-Medicare verticals involves capturing leads, running them through a ping tree or auction system, and selling them to multiple buyers. A single lead might be sold to three or four different agents or carriers. This model does not comply with CMS one-to-one consent requirements because the beneficiary did not specifically consent to each buyer at the time of lead capture.

Operators have adapted through several approaches:

Exclusive Lead Models: Capture consent for a single specific entity and sell exclusively to that entity. This model is CMS-compliant but reduces revenue per lead since you cannot monetize through multiple sales.

Consumer Selection Models: Present beneficiaries with specific plan sponsor or agent options and capture separate consent for each entity they select. This model allows multiple buyer monetization but requires more complex form design and typically reduces conversion rates because beneficiaries see the complexity.

Real-Time Dynamic Consent: Use ping/post or similar technology to identify the likely buyer before consent is captured, then dynamically display that buyer’s name in the consent disclosure. This preserves some auction dynamics while maintaining one-to-one consent compliance, but requires sophisticated technical integration.

Each approach has trade-offs. The operators succeeding in Medicare have built their business models around compliance rather than trying to retrofit compliance onto non-compliant models.

Scope of Appointment (SOA) Requirements

Before any sales appointment – whether in-person, telephonic, or virtual – a licensed agent must obtain a completed Scope of Appointment form from the beneficiary. This requirement affects lead generation because it determines what can happen in initial contact and how leads must be structured for handoff.

The 48-Hour Rule

CMS requires that the Scope of Appointment be completed at least 48 hours before the scheduled appointment. This waiting period exists to prevent high-pressure tactics where agents call beneficiaries and immediately attempt to sell them plans without giving them time to consider whether they want the contact.

The 48-hour rule has direct implications for lead generation:

Initial Contact Limitations: When an agent first contacts a lead, they cannot discuss specific plan recommendations during that initial call. The initial contact must be limited to fact-finding – confirming interest, discussing general Medicare options without recommending specific plans, explaining the SOA process, and scheduling a formal appointment for at least 48 hours later.

Live Transfer Complications: Live transfer models where leads are transferred directly to agents for immediate sales conversations face SOA compliance challenges. The transferred call cannot be used for plan-specific recommendations without a completed SOA from at least 48 hours prior. Some operators capture SOA consent during the lead generation process to enable immediate plan discussions, but this requires careful implementation.

Lead Timing Considerations: Leads intended for immediate agent contact must be structured to support SOA-compliant workflows. Either the SOA must be captured during lead generation, or the initial contact must be limited to fact-finding with plan discussions occurring only after the 48-hour window.

SOA Content Requirements

The Scope of Appointment form must specify which products will be discussed during the appointment. CMS provides a model SOA form that covers the required elements:

  • Beneficiary name and contact information
  • Date SOA is completed
  • Products authorized for discussion (Medicare Advantage plans, Medicare Supplement policies, Part D prescription drug plans, etc.)
  • Clear statement that the beneficiary may rescind the appointment at any time
  • Beneficiary signature (which can be electronic for telephonic appointments)

The products authorized in the SOA determine what can be discussed during the appointment. If a beneficiary authorizes discussion of Medicare Advantage plans only, the agent cannot discuss Medicare Supplement products during that appointment without obtaining a new SOA.

Digital SOA Capture

Lead generators can capture SOA consent electronically as part of the lead generation process. This approach enables agents to engage in plan-specific discussions immediately upon receiving the lead (assuming 48 hours have passed since SOA completion).

Digital SOA capture requires:

Clear Product Selection: The form must allow beneficiaries to clearly indicate which products they are authorizing for discussion. This cannot be hidden in terms of service or buried in small print.

Timestamp Documentation: The exact date and time of SOA completion must be documented to prove 48-hour compliance.

Electronic Signature Compliance: The electronic signature mechanism must comply with E-SIGN Act requirements – consent to receive electronic disclosures, hardware/software requirements disclosure, and affirmative signature action.

Retention: SOA forms must be retained for 10 years, per CMS requirements. This is longer than the standard TCPA documentation retention period.

Prohibited Medicare Marketing Practices

CMS explicitly prohibits numerous marketing practices that are common – or at least accepted – in other lead generation verticals. Violating these prohibitions can result in immediate enforcement action, including marketing suspensions and Civil Monetary Penalties.

Prohibited Contact Methods

Unsolicited Contact: CMS prohibits unsolicited telephonic, electronic, or in-person contact for Medicare marketing purposes. “Unsolicited” means contact without prior express written consent from the beneficiary specifically authorizing contact from your organization for Medicare marketing purposes.

This prohibition is stricter than TCPA requirements in several ways:

  • Even manual dialing requires prior written consent (TCPA allows certain manual dialing without written consent)
  • Consent must specifically authorize Medicare marketing (general marketing consent is insufficient)
  • Each entity in the distribution chain must be specifically named in the consent

Cold Calling: CMS prohibits cold calling beneficiaries about Medicare plans under any circumstances. There is no “established business relationship” exception as exists in some TCPA contexts. Prior written consent specifically authorizing Medicare marketing contact is required.

Door-to-Door Solicitation: Unsolicited door-to-door sales of Medicare products are prohibited. This includes canvassing, cold-calling at residences, or any in-person contact without prior appointment scheduled by the beneficiary.

Prohibited Marketing Locations

Healthcare Provider Offices: CMS prohibits marketing Medicare plans in or near healthcare provider offices, pharmacies, or other healthcare settings. Beneficiaries visiting healthcare settings are considered vulnerable, and CMS prohibits taking advantage of that vulnerability for plan marketing.

Retail Settings Near Pharmacies: Marketing in retail stores that contain pharmacies is restricted. Agents cannot approach beneficiaries in these settings to discuss Medicare plans. Educational events may be permitted in some retail settings with proper approvals.

Prohibited Marketing Content

False Urgency Language: CMS prohibits using words and phrases that create false urgency or pressure. This includes:

  • “Limited time offer”
  • “Act now”
  • “Call immediately”
  • “Last chance”
  • “Offer expires soon”

These restrictions apply to all marketing materials – landing pages, advertisements, email content, and call scripts.

Misleading Plan Representations: Marketing materials cannot misrepresent plan benefits, costs, or features. This includes:

  • Guaranteeing specific premium amounts without geographic qualification (benefits vary by plan and location)
  • Promising benefits that are not available in all service areas
  • Implying government endorsement or CMS approval of marketing content
  • Using “Medicare” logo or branding in ways that suggest government affiliation

Free Gifts Exceeding Limits: CMS limits the value of gifts or incentives used in Medicare marketing. As of 2026, the promotional gift limit is $15 retail value (adjusted annually for inflation). Gifts cannot be conditioned on enrollment and cannot be offered as enrollment inducements.

Cross-Selling Prohibitions: During Medicare sales appointments, agents cannot cross-sell non-health products. This means no life insurance sales, no annuity pitches, no financial product marketing during Medicare consultations. Medicare and non-Medicare sales must be completely separated.

Prohibited Educational Event Practices

CMS permits educational events where beneficiaries can learn about Medicare options without sales pressure. However, sales activities are prohibited at educational events – no plan recommendations, enrollment applications, or sales conversations. If you hold a sales event at the same location as an educational event, there must be at least 12 hours between the events. Healthcare personnel cannot be present during sales events, as their presence could imply provider endorsement.

Call Recording Requirements

CMS requires recording of all beneficiary calls related to Medicare marketing, sales, and enrollment. This requirement applies to TPMOs as well as plan sponsors and agents.

What Must Be Recorded

Inbound Calls: All incoming calls from beneficiaries regarding Medicare plans must be recorded from the moment of connection.

Outbound Calls: All outgoing calls to beneficiaries for Medicare marketing purposes must be recorded.

Warm Transfers: When beneficiaries are transferred between call centers or agents, the recording must continue through the transfer. There should be no gaps in recording during the beneficiary’s journey.

Voicemails Left by Agents: Voicemails left for beneficiaries regarding Medicare plans should be documented and retained as part of the call record.

Recording Retention

Call recordings must be retained for 10 years from the date of the call. This retention period significantly exceeds the standard four-year TCPA retention recommendation. Plan your storage infrastructure accordingly – call recording archives for Medicare operations must be maintained far longer than for other verticals.

Recording Access and Quality

CMS may request call recordings during compliance audits or investigations. TPMOs must be able to produce recordings promptly upon request, which requires organized storage with searchable metadata, export capabilities, and secure storage preventing unauthorized access. Recordings must be of sufficient quality to allow CMS reviewers to understand the conversation – muffled or partially recorded calls may be treated as non-compliance.

Documentation and Audit Requirements

CMS requires comprehensive documentation of Medicare marketing activities. This documentation serves both compliance verification and enforcement investigation purposes.

Required Documentation

Permission to Contact Records: For every beneficiary contact, you must maintain documentation of the consent that authorized that contact. This includes:

  • The consent disclosure language displayed to the beneficiary
  • Timestamp of consent capture
  • Method of consent (web form, business reply card, verbal)
  • Identification of each entity authorized for contact
  • The phone number(s) and other contact information covered by consent

SOA Documentation: Completed Scope of Appointment forms for every sales appointment, with clear timestamps showing 48-hour compliance.

Call Recordings: As discussed above, all beneficiary calls must be recorded and retained.

TPMO Agreements: Written agreements with plan sponsors, FMOs, and sub-contractors must be maintained and available for review.

Marketing Material Approvals: CMS-approved versions of all marketing materials, with documentation of the approval process and any required modifications.

Agent Licensing Verification: Documentation confirming that agents receiving leads are appropriately licensed in the states where they will be contacting beneficiaries.

Audit Preparation

CMS conducts routine audits of plan sponsor and TPMO marketing practices. Being prepared for audits requires:

Organized Records: Documentation must be retrievable within reasonable timeframes. CMS requests during audits typically require production within 10-30 days. Disorganized records that cannot be produced promptly may be treated as non-compliance.

Complete Chain of Custody: For leads that pass through multiple parties, you must be able to document the complete chain from initial capture through final sale, with consent documentation at each transfer point.

Regular Self-Audits: Conduct internal audits of your Medicare lead generation operations at least quarterly. Review consent capture processes, call recordings, documentation practices, and marketing materials. Document findings and remediation of any issues discovered.

Compliance Officer Designation: For organizations with significant Medicare lead generation volume, designate a compliance officer responsible for TPMO compliance. This person should have authority to halt non-compliant activities and access to legal counsel familiar with CMS requirements.

Penalties and Enforcement

CMS enforcement of Medicare marketing rules has intensified significantly over the past several years. Understanding the penalty framework helps you calibrate your compliance investment.

Civil Monetary Penalties

CMS can impose Civil Monetary Penalties for Medicare marketing violations. The penalty amounts are substantial:

  • Up to $116,156 per violation for most marketing violations (amount adjusted annually for inflation)
  • Penalties can multiply rapidly when violations affect multiple beneficiaries
  • A campaign that violates consent requirements and reaches 1,000 beneficiaries could theoretically generate over $100 million in penalty exposure

In practice, CMS typically imposes penalties based on the nature of the violation, the number of beneficiaries affected, the duration of non-compliance, and whether the violation appears willful or negligent. First-time violations by operators who demonstrate good faith compliance efforts may receive reduced penalties or warning letters. Repeated violations or willful non-compliance receive maximum enforcement.

Intermediate Sanctions

Before or instead of CMPs, CMS can impose intermediate sanctions that may be equally damaging to your business:

Marketing Suspension: CMS can suspend a plan sponsor’s marketing activities, which cascades down to TPMOs supporting that sponsor. During suspension, you cannot generate leads for that sponsor’s products.

Enrollment Processing Suspension: CMS can halt enrollment processing for a plan sponsor, making all leads for that sponsor worthless since they cannot be used for enrollment.

Payment Suspension: CMS can suspend payments to plan sponsors, creating cash flow crises that affect the entire distribution chain.

These intermediate sanctions can destroy a Medicare lead generation operation’s economics even before formal penalty proceedings conclude.

Contract Termination

For severe violations, CMS can terminate a plan sponsor’s Medicare contract entirely. This removes the sponsor’s ability to offer Medicare Advantage or Part D products, eliminating the market for leads related to that sponsor’s products.

TPMO-Specific Enforcement

While CMS’s formal enforcement authority runs primarily through plan sponsors, the TPMO agreement requirements create accountability mechanisms that reach lead generators:

Sponsor Responsibility: Plan sponsors are responsible for the activities of their TPMOs. When CMS discovers TPMO violations, it holds the sponsor accountable, which creates strong incentives for sponsors to terminate relationships with non-compliant TPMOs.

Contractual Remedies: TPMO agreements typically include indemnification provisions and termination rights for compliance failures. Even if CMS does not directly fine a TPMO, the sponsor may terminate the relationship and seek damages.

Industry Blacklisting: Medicare is a relationship-based industry. TPMOs known for compliance problems find themselves unable to secure agreements with sponsors or FMOs. Word travels fast, and a reputation for non-compliance can end your Medicare lead generation business permanently.

Building a Compliant Medicare Lead Generation Operation

Compliance cannot be bolted onto an existing operation – it must be built into the foundation. This section outlines the systems and processes required for compliant Medicare lead generation.

Your lead capture forms must be designed for CMS compliance from the beginning:

Clear Product Identification: The form must clearly indicate that the beneficiary is requesting information about Medicare plans. Use plain language that beneficiaries can understand.

Named Entity Consent: The consent disclosure must specifically name each entity that will receive the beneficiary’s information. If you are using ping/post or similar technology, you need real-time integration to display the actual buyer in the consent disclosure before consent is captured.

Separate Consent Action: Consent should require an affirmative action – checking a box, clicking a dedicated button – not just scrolling past terms of service.

No Pre-Checked Boxes: Consent checkboxes should not be pre-checked. The beneficiary must actively select the consent option.

Mobile Optimization: Many Medicare beneficiaries access the internet via tablets or smartphones. Ensure consent disclosures are readable and consent actions are clear on mobile devices.

Accessibility Considerations: Consider the needs of beneficiaries with visual impairments. Use adequate font sizes, high contrast colors, and screen-reader-compatible designs.

Technology Infrastructure

Compliant Medicare lead generation requires specific technology capabilities:

Consent Verification Integration: Integrate with TrustedForm, Jornaya, or similar consent verification services. These services provide independent documentation of what the beneficiary saw and when they provided consent.

Call Recording Platform: Implement call recording that captures all beneficiary interactions. The platform must support 10-year retention, organized retrieval, and export in standard formats.

CRM with Compliance Fields: Your CRM must track consent status, SOA completion status, and other compliance-relevant data points. Standard lead generation CRMs may require customization for Medicare compliance.

Document Management: Implement a document management system that can organize and retrieve TPMO agreements, approval documentation, and other compliance records.

Audit Trail Logging: All systems handling Medicare leads should maintain detailed audit logs showing who accessed what data and when. These logs support compliance demonstration during CMS audits.

Staff Training

Personnel involved in Medicare lead generation must understand CMS requirements:

Initial Training: Before anyone works with Medicare leads, they should complete training covering CMS marketing rules, consent requirements, prohibited practices, and documentation requirements.

Ongoing Training: CMS updates its rules annually. Conduct refresher training each year covering rule changes and any compliance issues discovered through internal audits.

Script Compliance: Call center scripts must be reviewed for CMS compliance. Scripts should be provided to agents, and deviation from approved scripts should be monitored.

Escalation Procedures: Staff should know how to escalate compliance questions. Better to pause and verify than to proceed and violate.

Quality Assurance

Ongoing monitoring catches compliance failures before they become enforcement actions:

Call Monitoring: Regularly review recorded calls for compliance with approved scripts, required disclosures, and prohibited practice avoidance.

Consent Audit: Periodically audit consent capture processes. Review consent certificates to verify that disclosed entities match actual buyers. Test form functionality to ensure consent disclosures render correctly.

Documentation Review: Check that required documentation is being captured and retained. Gaps in documentation create enforcement vulnerability.

Complaint Tracking: Monitor beneficiary complaints for patterns suggesting compliance issues. A spike in complaints about specific marketing practices warrants immediate investigation.

Working with Carriers and FMOs

Your relationships with plan sponsors and Field Marketing Organizations determine your access to the Medicare market. TPMO agreements with sponsors or FMOs must specify compliance obligations, indemnification provisions, audit rights, and termination conditions for compliance violations. Review these agreements carefully – you are agreeing to be bound by CMS regulations, and violations can result in relationship termination and damages claims.

Most sophisticated buyers prefer fewer compliant leads over more leads with compliance risk. If compliance requirements limit your volume, communicate transparently rather than cutting corners. Fixed volume commitments create pressure that can lead to compliance shortcuts – structure agreements with flexibility where possible.

Even after relationships end, retain compliance documentation for required periods. Do not destroy records when relationships terminate.

Enrollment Period Considerations

Medicare enrollment periods affect not just buyer demand but compliance requirements. Different enrollment periods have different rules.

Annual Enrollment Period (AEP)

The Annual Enrollment Period (October 15 - December 7) is the highest-volume period for Medicare lead generation. During AEP, beneficiaries can switch Medicare Advantage plans, add or change Part D coverage, and return to Original Medicare.

AEP marketing is subject to all standard CMS requirements, plus heightened enforcement attention. CMS monitors marketing during AEP closely because the high volume creates opportunities for abuse.

Key AEP compliance considerations:

  • Ensure all marketing materials are CMS-approved before AEP begins
  • Staff up compliance monitoring to handle increased volume
  • Prepare for faster CMS response to complaints during AEP
  • Budget for increased call recording storage

Open Enrollment Period (OEP)

The Medicare Advantage Open Enrollment Period (January 1 - March 31) allows beneficiaries enrolled in Medicare Advantage plans to switch to a different MA plan or return to Original Medicare.

OEP restrictions are significant:

  • OEP is only available to beneficiaries currently enrolled in Medicare Advantage
  • Beneficiaries can only make one OEP change per year
  • Marketing during OEP cannot target beneficiaries not currently enrolled in MA

Lead qualification for OEP must confirm current MA enrollment. Generating OEP leads from beneficiaries on Original Medicare violates CMS rules.

Special Enrollment Periods (SEP)

Special Enrollment Periods are triggered by qualifying life events that allow beneficiaries to enroll or change coverage outside standard enrollment periods.

SEP marketing requires additional documentation:

  • You should capture information about the qualifying event during lead generation
  • Buyers will want to verify SEP eligibility before contacting leads
  • False claims of SEP eligibility can result in enrollment denials and compliance issues

Common SEP triggers include moving to a new service area, losing employer coverage, gaining Medicaid eligibility, and plan termination by CMS. Your lead forms should identify which SEP trigger applies.

Frequently Asked Questions

What is a TPMO and how do I know if I am one?

A Third-Party Marketing Organization (TPMO) is any individual or entity that generates leads, conducts marketing, performs sales, or assists with enrollment for Medicare Advantage or Part D plans. If you collect contact information from Medicare-eligible consumers and transfer that information to agents, brokers, FMOs, or carriers for Medicare plan marketing, you are a TPMO. The classification is based on your activities, not what you call yourself. Being a TPMO subjects you to all CMS Medicare marketing requirements, including consent rules, recording requirements, and documentation standards.

Standard TCPA consent allows you to capture consent for contact from “marketing partners” or list multiple potential buyers in your disclosure. CMS one-to-one consent for Medicare is stricter: you must specifically name each entity that will receive the beneficiary’s information, and the beneficiary must affirmatively consent to contact from each named entity. Generic consent to receive “Medicare information from our partners” does not satisfy CMS requirements. This means traditional lead aggregation models where one lead is sold to multiple buyers face fundamental compliance challenges in Medicare unless each buyer was specifically named in the original consent disclosure.

What is the 48-hour SOA rule and how does it affect lead generation?

The Scope of Appointment (SOA) must be completed at least 48 hours before any sales appointment where specific plan recommendations will be discussed. For lead generation, this means initial agent contact with a lead cannot include plan-specific recommendations unless an SOA was captured at least 48 hours earlier. Initial contact must be limited to fact-finding and scheduling a formal appointment. Some lead generators capture SOA consent during the lead generation process to enable immediate plan discussions, but this requires careful form design and timing documentation. Live transfer models face particular challenges because transferred calls typically cannot be used for plan recommendations without a pre-existing SOA.

What call recording requirements apply to Medicare lead generation?

CMS requires recording of all beneficiary calls related to Medicare marketing, sales, and enrollment. This includes both inbound and outbound calls. Recordings must be retained for 10 years – significantly longer than the four-year standard for TCPA documentation. The recording requirement applies to TPMOs as well as plan sponsors and agents. CMS may request recordings during audits, so you must be able to produce recordings promptly with organized metadata. Recording quality must be sufficient for CMS reviewers to understand the conversation.

What are the penalties for Medicare marketing violations?

CMS can impose Civil Monetary Penalties of up to $116,156 per violation (adjusted annually for inflation). Penalties can multiply rapidly when violations affect multiple beneficiaries. Beyond CMPs, CMS can impose intermediate sanctions including marketing suspension, enrollment processing suspension, and payment suspension. For severe violations, CMS can terminate a plan sponsor’s Medicare contract entirely. Even if CMS does not directly fine a TPMO, plan sponsors may terminate relationships and seek damages under indemnification provisions. A reputation for non-compliance can effectively end your ability to operate in Medicare.

Can I sell Medicare leads to multiple buyers?

Under the one-to-one consent requirement, you can only transfer beneficiary information to entities specifically named in the consent disclosure. Traditional shared lead models where one lead is sold to three or four buyers do not comply with CMS requirements unless each buyer was specifically named and the beneficiary consented to each. Compliant approaches include exclusive leads with single named buyer consent, consumer selection models where beneficiaries choose which entities can contact them, or real-time dynamic consent where the buyer is identified and named in the consent disclosure before consent is captured.

What marketing practices are prohibited in Medicare lead generation?

CMS prohibits numerous practices common in other verticals. False urgency language (“limited time offer,” “act now,” “call immediately”) is prohibited. Cold calling beneficiaries without prior written consent is prohibited – there is no established business relationship exception. Marketing at healthcare provider offices, pharmacies, or retail settings near pharmacies is prohibited. Cross-selling non-health products during Medicare presentations is prohibited. Gifts exceeding $15 retail value are prohibited. Implying government endorsement or using Medicare branding to suggest official affiliation is prohibited. Sales activities at educational events are prohibited.

How long must I retain Medicare lead documentation?

CMS requires retention of call recordings and certain documentation for 10 years from the date of the interaction. This exceeds the standard four-year TCPA retention recommendation. Scope of Appointment forms must be retained for 10 years. Consent documentation, TPMO agreements, and marketing material approvals should also be retained for 10 years. Plan your storage infrastructure accordingly – you will be maintaining Medicare compliance archives far longer than for other lead generation verticals.

Do CMS rules apply during all enrollment periods?

Yes, CMS marketing rules apply year-round, not just during AEP or OEP. However, different enrollment periods have additional specific requirements. The Open Enrollment Period (January 1 - March 31) is only available to beneficiaries currently enrolled in Medicare Advantage, so OEP marketing cannot target Original Medicare beneficiaries. Special Enrollment Periods require documentation of qualifying life events. CMS enforcement attention is heightened during AEP (October 15 - December 7) due to the high volume of marketing activity. Compliance is required at all times, but expect closer scrutiny during peak enrollment periods.

How do I structure my business to comply with CMS requirements?

Building compliant Medicare lead generation requires designing for compliance from the foundation: lead capture forms with specific named entity consent, SOA capture capabilities, call recording with 10-year retention, CRM systems tracking compliance status, staff training on CMS requirements, quality assurance monitoring of calls and consent processes, written TPMO agreements with plan sponsors or FMOs, and documentation management supporting CMS audits. Compliance cannot be retrofitted onto an existing non-compliant operation – you must build compliance into your systems, processes, and business model from day one.

Key Takeaways

  1. TPMO classification is functional, not definitional. If you generate leads for Medicare plans, you are a Third-Party Marketing Organization subject to all CMS marketing requirements, regardless of what you call yourself.

  2. One-to-one consent fundamentally changes Medicare lead economics. Traditional lead aggregation models do not comply with CMS requirements. Each entity receiving beneficiary information must be specifically named in the consent disclosure. Build your business model around this requirement.

  3. The 48-hour SOA rule limits initial contact. Agents cannot discuss specific plan recommendations in initial contact without a completed Scope of Appointment from at least 48 hours prior. Structure your lead delivery and agent workflows accordingly.

  4. All beneficiary calls must be recorded and retained for 10 years. This exceeds TCPA retention standards. Invest in recording infrastructure that supports long-term organized storage and retrieval.

  5. Prohibited practices differ from other verticals. False urgency language, cold calling, healthcare setting marketing, and cross-selling are all prohibited. Review all marketing materials and scripts against CMS requirements.

  6. CMS penalties can reach $116,156 per violation. Beyond CMPs, intermediate sanctions like marketing suspension can destroy your business economics. Invest in compliance commensurate with your risk exposure.

  7. Documentation requirements are extensive. Consent records, SOA forms, call recordings, TPMO agreements, and marketing material approvals must all be maintained and retrievable for CMS audits.

  8. Compliance must be built in, not bolted on. Technology infrastructure, form design, staff training, and quality assurance processes must all be designed for CMS compliance from the foundation of your operation.

Regulatory information current as of December 2025. CMS requirements change annually. Consult qualified legal counsel for current compliance requirements specific to your operations.

The Podcast

Industry Conversations.

Candid discussions on the topics that matter to lead generation operators. Strategy, compliance, technology, and the evolving landscape of consumer intent.

Listen on Spotify