Operational Compliance for Medicare Lead Sourcing: Navigating TCPA and CMS AI Outreach Restrictions

Medicare agencies face two overlapping compliance frameworks in 2025: the CMS one-to-one consent rule that took effect October 1, 2024, and a revised TCPA structure whose key provisions landed January 27, 2025 and April 11, 2025. Getting both right determines whether your lead pipeline stays open or becomes a liability.

The CMS one-to-one consent rule, effective October 1, 2024, requires a Third-Party Marketing Organization (TPMO) to obtain written consent naming a single, specific seller before collecting or sharing a beneficiary's personal data. Generic multi-seller blanket permissions no longer satisfy CMS requirements, and violations can reach $15,000 per incident in 2025.

Practically, this means a lead sourced through a co-registration form or shared lead vendor is only compliant if that form names your agency explicitly. If a beneficiary's data passes from one TPMO to another, a second, fresh consent naming the receiving organization is required. As noted by Essential Care Agents and Klein Moynihan Turco in their coverage of the rule, the consent language must be unambiguous and specific. Agencies running high-volume co-reg buys need to audit every intake form now. Kadence's CRM captures and timestamps consent data at the point of entry, giving agencies a documented chain of custody for every contact before a single call is placed.

What are the critical TCPA rules required for Medicare outreach compliance?

The TCPA one-to-one consent rule, effective January 27, 2025, prohibits artificial-voice, prerecorded, or autodialed calls to a beneficiary's number unless prior express written consent names your agency specifically and is logically tied to the interaction that generated the consent. Telemarketing calls to residential lines are restricted to 8 a.m. to 9 p.m. local time.

Two additional TCPA changes demand operational attention. First, beginning April 11, 2025, agencies must honor opt-out requests made through any reasonable communication channel, not just a reply keyword or a specific form, and must process those revocations within 10 business days, down from the previous 30-day window, according to BCLP's analysis of the new opt-out rules. Second, a cross-channel opt-out synchronization requirement is projected to take effect April 11, 2026, meaning suppression lists must be consistent across email, SMS, and voice. Agencies still running legacy suppression systems should begin that consolidation now rather than in the quarter the rule lands. The Essential Guide to TCPA-Compliant Medicare Insurance Leads and Calls from Astoria Company provides a useful operational checklist for each channel.

How can insurance agencies safely use artificial intelligence in Medicare outreach?

Agencies can use AI to draft scripts, prioritize callbacks, and route inbound transfers, but CMS guidance explicitly prohibits inputting beneficiary PII or PHI into any publicly accessible AI tool, and AI cannot serve as the sole basis for Medicare Advantage coverage decisions. Every AI-assisted workflow touching beneficiary data requires a human compliance review step.

The operational boundaries matter because the penalties for crossing them are not theoretical. According to CMS guidance on responsible AI use, coverage determinations require human oversight and AI may only support, not replace, that judgment. For outbound calling, Voice AI is fully viable when the consent record is clean: the system dials only contacts where prior express written consent names the agency, suppresses numbers on the National DNC and internal opt-out lists, and logs every interaction. Kadence's Voice AI is built inside this boundary, automating follow-up and warm-transfer workflows without touching suppressed records or bypassing consent gates. Inbound warm transfers, per CMS rules, require real-time verbal or written consent that names the receiving TPMO before the transfer completes.

What criteria should agencies use to vet external lead-generation vendors?

A compliant lead vendor must provide documentation showing each lead's consent language, the exact timestamp and URL of consent capture, and confirmation that the consent names your agency specifically as the authorized seller. Vendors who cannot produce that audit trail for every record are a compliance liability regardless of price.

Beyond consent documentation, vet vendors on three additional dimensions. First, ask for their reassigned-number suppression process: calling a number reassigned to a new subscriber after consent was granted is a TCPA violation even when the original consent was clean. Second, confirm they suppress against the National DNC registry and maintain their own internal opt-out list. Third, require contractual liability language that places responsibility for non-compliant records on the vendor, not your agency. Boomsourcing's guide to compliant Medicare lead generation in 2025 outlines what a vendor data sheet should contain. Agencies using Kadence can run incoming lead batches against suppression records automatically before any dial, reducing the window between lead delivery and compliance exposure.

How must agencies handle opt-out records and compliance audit trails?

Agencies must retain detailed consent records, opt-out requests, and permission histories for a minimum of four years, and must now process opt-out revocations within 10 business days of receipt across all outreach channels. Records must be producible in an audit without manual reconstruction.

In practice, a compliant audit trail includes the original consent record with timestamp and source URL, a log of every outbound and inbound contact attempt, a suppression entry dated to the day the opt-out was received, and confirmation the number was removed from all active campaign queues within the 10-day window. According to Ritter Insurance Marketing's best practices guidance, agents should treat the four-year retention floor as a minimum and document the process for how records are stored and retrieved, not just that they are stored. Kadence maintains a single contact timeline per record in the CRM, so consent status, call logs, and suppression events are co-located and exportable for any regulatory inquiry without data archaeology.

How should agencies structure warm transfers to stay compliant?

Medicare warm transfers require either written or real-time verbal consent that explicitly names the receiving TPMO before the call is handed off. A generic third-party transfer permission collected at the top of the funnel does not satisfy this requirement under the updated CMS rules.

Operationally, this changes the scripting and call flow for any agency running inbound or outbound transfer programs. The agent or IVR handling the initial contact must collect and log a named-party consent on that call before routing the beneficiary. That consent event needs to be timestamped, linked to the beneficiary record, and accessible to the receiving TPMO. ActiveProspect's comparison of CMS versus TCPA consent requirements explains how the two frameworks overlap on this point. Agencies running high-volume transfer programs should build the consent-capture step into the call script as a required gate, not an optional disclosure, and verify that the receiving party's name matches exactly what appears in the consent language.

Sources

The steps

Audit all consent language for CMS one-to-one compliance. Review every lead intake form, co-registration page, and transfer script to confirm the consent language names your agency specifically as the authorized seller. Remove any generic multi-seller permissions. Document the date of each form update and retain the prior version to show the transition timeline.
Update TCPA consent capture and suppression workflows. Rebuild outbound call queues so that only contacts with prior express written consent naming your agency are loaded for autodialed or AI-voice campaigns. Integrate the National DNC registry and your internal opt-out list as pre-dial suppression gates, and verify the suppression check runs on every campaign launch, not just at list import.
Reduce opt-out processing to 10 business days across all channels. Map every inbound channel where a beneficiary could submit an opt-out: phone reply, SMS, email, web form. Assign a named owner to each channel, set a calendar alert for the 10-business-day processing deadline, and confirm the suppression entry is logged in the CRM with the date received and the date actioned.
Establish AI usage guardrails for Medicare outreach workflows. Audit every AI tool in your stack against two CMS rules: no beneficiary PII or PHI may enter a publicly accessible AI system, and no AI output may serve as the sole basis for a coverage determination. Document the human review step in each workflow and retain that documentation alongside the beneficiary record it covers.
Vet lead vendors against a documented compliance checklist. Require every lead vendor to supply the consent timestamp, source URL, and exact consent language for each record before purchase. Add contractual liability language placing responsibility for non-compliant records on the vendor. Run all incoming batches against your suppression list before any dial attempt.
Build a four-year consent and contact audit trail. Configure your CRM to co-locate the consent record, all outbound and inbound contact logs, and the suppression event for every contact in a single exportable timeline. Test the export quarterly by pulling a random sample of records and verifying all four elements are present and timestamped accurately.
Prepare for the 2026 cross-channel opt-out synchronization requirement. Begin consolidating suppression lists across voice, SMS, and email into a single master suppression table now. Assign an owner responsible for ensuring any opt-out received in one channel propagates to all others within the 10-business-day window. Document the synchronization process so it is auditable before the April 11, 2026 effective date.

Frequently asked questions

What does the TCPA one-to-one consent rule mean for agencies buying shared Medicare leads?

The TCPA one-to-one consent rule, effective January 27, 2025, prohibits agencies from calling a Medicare prospect using a shared-list consent that names multiple sellers. Each lead's consent document must name your agency specifically, making most legacy co-registration lead pools non-compliant without fresh consent capture.

How quickly must a Medicare agency process an opt-out request under the 2025 TCPA rules?

As of April 11, 2025, agencies must process opt-out revocation requests within 10 business days of receipt, down from the previous 30-day window. The opt-out must be honored regardless of the channel through which the request was made, whether phone, SMS, email, or any other reasonable method.

Can a Medicare agency use AI voice tools without violating CMS guidance?

Yes, agencies can deploy AI voice tools for outreach if the beneficiary's consent names the agency specifically, no PII or PHI is entered into publicly accessible AI systems, and a human compliance review step remains in any workflow touching coverage decisions. AI that operates only on consented contact records and suppression lists stays within CMS boundaries.

How long must Medicare agencies retain consent and opt-out records?

Agencies must retain consent records, opt-out histories, and permission documentation for a minimum of four years under standard Medicare agency compliance guidance. Those records must be stored in a retrievable format that allows production during a regulatory audit without manual reconstruction of the contact history.

Written by

Kadence Team

Kadence is the growth system for life insurance teams: a CRM with Voice AI, an AEO website, and done-for-you content. We write about speed to lead, AI search, CRM hygiene, and the systems that help agencies win more policies.

Book a demo