Half of Medicare beneficiaries are enrolled in Medicare Advantage (MA) plans. This extensive growth, which represents a doubling of MA enrollment since 2010, has been driven in part by an extensive network of insurance agents and brokers, field marketing organizations and lead generators that identify beneficiaries and assist them in selecting and enrolling in plans. Regulators have focused on some segments of this industry, citing marketing tactics that could mislead or confuse Medicare beneficiaries.
To address some of these practices, the Centers for Medicare & Medicaid Services (CMS) released a final rule on April 4 that puts substantial limits on the ability of a third-party marketing organization (TPMO), including lead generators, to share and sell Medicare leads to insurance carriers, brokers and other TPMOs. TPMOs are organizations and individuals, including agents and brokers, that are compensated to perform lead generation, marketing, sales and enrollment-related functions on behalf of MA plans. TPMOs include first tier, downstream or related entity (FDRs) to MA plans, but can also include entities that may not be considered an FDR under existing rules.
Beginning October 1, 2024, the new rule will require that TPMOs obtain express written consent from a beneficiary prior to sharing the beneficiary’s data with other TPMOs for purposes of marketing or enrolling a beneficiary into an MA or Part D plan. Consent must be obtained separately for each TPMO that receives beneficiary data through a clear and conspicuous disclosure. The rule requires that the beneficiary has a clear opportunity to opt in to receiving follow-up from particular organizations; a blanket consent to redisclose contact information will no longer be sufficient. The rule will also prohibit a TPMO from conditioning a beneficiary’s access to information on the beneficiary agreeing to have their contact information sold or shared. CMS says beneficiaries expect that their information will be used only by the entity that they have reached out to directly, so the “one-to-one” consent requirement is designed to honor that expectation.
The rule supplements existing privacy rules, including the Health Insurance Portability and Accountability Act (HIPAA). TPMOs that are HIPAA-covered entities, or business associates of a covered entity, must comply with the HIPAA Privacy Rule, including its restrictions on sharing protected health information (PHI) with telemarketers. For example, a TPMO that is a business associate of an MA plan must use PHI only for communicating on behalf of the MA plan and not to market the TPMO’s goods or services.
TPMOs may also be required to comply with the Telephone Consumer Protection Act (TCPA), and regulations promulgated by the Federal Communications Commission (FCC). Under the TCPA, texters and callers must obtain prior express written consent with certain clear and conspicuous disclosures when telemarketing via robocalls or robotexts, which are calls sent with an autodialer, artificial voice or prerecorded voice message, including calls made with artificial intelligence. Under TCPA amendments that will become effective January 27, 2025, texters and callers must also obtain “one-to-one” consent for each seller and consent cannot be transferred or sold to another seller.1 CMS’ new rule is modeled after these FCC rules “in order to make it simple and less arduous for a TPMO to comply with both rules, when applicable.” Unlike the FCC rules, however, the new CMS rule will apply to manual calls. Manual calls will require prior express written consent by the beneficiary to share their data with another TPMO. As a result, TPMOs should exercise caution when calling Medicare leads using both automated and manual dialing.
1 Federal Communications Commission, FC-23-107: Second Report and Order, Second Further Notice of Proposed Rulemaking in CG Docket NOS. 02-278 and 21-402, and Waiver Order in CG Docket no. 17-59, p. 12, 21, https://docs.fcc.gov/public/attachments/FCC-23-107A1.pdf (Dec. 18, 2023).