More than 66 million people in the United States receive health insurance coverage through Medicare.
Medicare Advantage (MA) organizations and Part D sponsors often use third-party agents and brokers to assist with the marketing, sales, and enrollment for MA and Part D plans.
On October 1, 2024, CMS’s new sales and marketing guidelines went into effect. These rules include a new consent requirement for Third-Party Marketing Organizations (TPMO).
TPMOs must be aware of this new consent rule to maintain Medicare compliance.
What is a Third-Party Marketing Organization (TPMO)?
The CMS defines Third-Party Marketing Organizations (TPMOs) as organizations and individuals that perform lead generation, marketing, sales, and enrollment related functions for a fee as part of enrolling people in MA and Part D plans.
TPMOs often sell and share Medicare beneficiaries’ information to other TPMOs. The other TPMOs then use that information to market to those Medicare beneficiaries.
CMS Now Requires Prior Express Written Consent (PEWC) on a One-to-One Basis
Over the past couple years, CMS has become increasingly concerned with TPMOs selling and sharing Medicare beneficiaries’ information without sufficient disclosures, and beneficiaries’ complaining about receiving unwanted TPMO calls.
To combat those issues, the CMS implemented a new consent rule, effective October 1, 2024.
A TPMO can now only share a beneficiary’s personal data with another TPMO—data it has collected for marketing or enrolling the beneficiary in a MA or Part D plan—if the beneficiary provided prior express written consent (PEWC) for their personal data to be shared with that other TPMO.
CMS took this PEWC requirement from the Federal Communications Commission’s (FCC) TCPA-implementing regulations. You can read more about PEWC under the Telephone Consumer Protection Act (TCPA) here.
The rule further provides that a beneficiary’s PEWC “to share the information and be contacted
for marketing or enrollment purposes” can only be obtained through a “clear and conspicuous”
disclosure.
The disclosure must list every entity the TPMO would share the beneficiary’s data with, and allow the beneficiary to individually consent to or reject each entity.
Through this language, CMS is requiring PEWC be obtained on a one-to-one basis. This is similar to the FCC’s new one-to-one consent rule, which takes effect January 27, 2025.
CMS believes that its requirement will make it easier for TPMOs to collect PEWC that complies with both its rule and the FCC’s one-to-one consent rule at the same time.
PEWC Must be Obtained Through a Clear And Conspicuous Disclosure
To comply with CMS’s new rule, a TPMO must obtain a beneficiary’s PEWC through a clear and conspicuous disclosure.
The CMS advised that the Federal Trade Commission’s (FTC) guidance on clear and conspicuous disclosure is instructive and encouraged TPMOs to rely on the FTC’s numerous examples and guides.
In its final order, CMS provides two instructions on the type of disclosure it envisions to comply with its new rule:
- A disclosure containing a default selection where the beneficiary elects not to share their data. The beneficiary then must perform an affirmative action acknowledging that they consent to having their data shared with another TPMO.
- A disclosure listing every entity the TPMO desires to share the beneficiary’s data with. The disclosure includes an empty check-box by every entity’s name. The beneficiary then has to check the box of every entity they consent to having their data shared with and to receive a call from.
CMS PEWC Rule Applies to Manually Dialed Calls
CMS’s final rule makes it clear that its new PEWC rule applies to TPMOs’ manually dialed calls.
This makes CMS’s PEWC rule more restrictive than the FCC’s TCPA PEWC rule, which only applies to certain types of calls made with an autodialer or prerecorded voice.
CMS PEWC Rule Applies When a TPMO Shares Beneficiary Data With Different Legal Entities
CMS’s new PEWC rule restricts the sharing of a beneficiary’s personal data, absent PEWC, between TPMOs that are different legal entities.
This CMS rule applies in the following circumstances:
- A TPMO shares a beneficiary’s personal data with another TPMO, and those TPMOs share the same parent organization. So even if the other TPMO is a related entity, you still need the beneficiary’s PEWC to share their data with that related TPMO.
- A TPMO shares a beneficiary’s personal data with another TPMO it has a contract with to perform a downstream function. Thus, a contractual relationship between two TPMOs does not exempt them from this new consent rule.
When the CMS PEWC Rule Doesn’t Apply
CMS also provided two examples where its new PEWC rules do not apply.
First Example
The first is when a TPMO, in real time and to assist the beneficiary, transfers its call with the beneficiary to another TPMO.
A beneficiary’s PEWC is not required in this case, provided the beneficiary verbally consents to the transfer during the call.
Second Example
The second is when the beneficiary’s personal data is de-identified or redacted by the TPMO before that data is shared with another TPMO.
A beneficiary’s PEWC is not required in this circumstance, provided the de-identification or redaction of the beneficiary’s data prevents the entity receiving the data from using it “to contact the beneficiary as a potential sales lead, and the purpose of the data sharing is not related to marketing or enrollment.”
New Rule is a Reminder of the Importance of TCPA Compliance
TPMOs engaged in Medicare sales and marketing need to comply with the CMS’s new one-to-one consent rule to stay Medicare compliant.
CMS’s modeling of its new rule on the FCC’s new one-to-one consent rule also serves as a reminder that TPMOs making calls as part of their Medicare sales and marketing also need to comply with the Telephone Consumer Protection Act (TCPA).
Check out our comprehensive guide to learn more about call center compliance, including TCPA requirements and how Readymode can help you protect your business.
This article is only offered for informational purposes, it is not legal advice. Please consult a qualified attorney for your specific compliance needs.
Joe Bowser
Joe Bowser is a partner at Roth Jackson. He has been practicing communications and marketing law for two decades. He advises and defends calling and SMS platform providers (like Readymode), carriers/VoIP providers, and heavy users of those services in their wide range of compliance needs. In his spare time, you can find him taking his boys to their sports, getting in a workout of his own, or catching an Arsenal match.
