The Centers for Medicare & Medicaid Services (CMS) have continued to refine and expand rules for third-party marketing organizations (TPMOs) that they first implemented as part of their 2023 Medicare Advantage (MA) and Part D Final Rule.
With their Final Rule for Contract Year 2025, CMS now requires TPMOs to obtain prior express written consent from the beneficiary before sharing their personal data. Here are the details you need to know.
What Is a TPMO in Medicare?
CMS defines TPMOs as “organizations that are compensated to perform lead generation, marketing, sales, and enrollment related functions as a part of the chain of enrollment.”
Are Insurance Agents Considered TPMOs?
Yes. According to their definition, CMS considers all lead generation organizations, agencies, and independent insurance agents and brokers to be TPMOs; therefore, field marketing organizations, insurance agents, and brokers must adhere to all CMS’ TPMO rules and guidelines.
Learn more about the other TPMO rules and guidelines in our blog post, Insurance Agents as TPMOs: What CMS Compliance Regulations Mean for You, including the TPMO disclaimer and call recording.
What Qualifies as Personal Beneficiary Data?
Personal beneficiary data includes some or all of this information:
- Name
- Address
- Phone number and other contact information
- Any other information given by the beneficiary for the purpose of finding an appropriate MA or Part D plan
When in doubt as to whether data is considered personal, err on the side of caution and assume it is.
Obtaining Prior Express Written Consent
CMS’ new rules require all TPMOs to obtain prior express written consent from the beneficiary before sharing their personal data. The consent must involve a clear and easily visible disclosure listing each TPMO receiving the data. Additionally, the beneficiary must have the option to consent to or reject data sharing with each individually specified TPMO.
Affirmative action is required for consent, with the default being “no sharing” unless the beneficiary actively agrees to share data with each TPMO.
TPMOs may obtain consent through various written forms besides a signed hard copy, including a website interface, email, or text message.
CMS Informed Consent Requirements FAQs
Here are some frequently asked questions about the Medicare data sharing TPMO regulation.
Why has CMS imposed this rule?
CMS wants to curtail activities by bad actors in the industry, stating: “Some TPMOs have been selling and reselling personal beneficiary data, which can undermine existing rules that prohibit cold calling people enrolled in Medicare and result in other aggressive marketing tactics for Medicare Advantage and Part D plans. Individuals may be unaware that by placing a call or clicking on a generic-looking web link, they are unwittingly agreeing and providing consent for their personal beneficiary data to be collected and sold to other entities for future marketing activities.”
Are there any circumstances when I don’t need to obtain prior express written consent?
CMS states that prior express written consent may not be necessary in situations of real-time assistance and phone transfers. A beneficiary may call a TPMO seeking to get information about Medicare and that TPMO.
To assist the beneficiary, the TPMO may be able to transfer or connect that beneficiary to another TPMO (such as an agent) during the call to provide real-time assistance. A verbal agreement from the beneficiary during the live call is sufficient. We recommend that agents record any permission granted (which agents are likely doing anyway because of call recording requirements) or obtain emailed consent.
If the agent cannot assist the beneficiary through a live transfer, then that agent will need to obtain written consent before sharing the data with another agent for a callback.
CMS also clarifies that “the definition of TPMO does not apply to MA organizations or Part D sponsors, and therefore TPMOs may share personal beneficiary data with those entities without acquiring direct consent from the beneficiary under this rule.” Any agent or entity sharing personal beneficiary data would still need to ensure they are complying with HIPAA privacy rules.
Do I have to get permission for each TPMO I’m sharing data with?
Yes, a beneficiary must have the option to consent to or reject data sharing with each individual TPMO. The disclaimer must specify each TPMO by name and get permission for each in a one-to-one consent structure.
Can I share personal beneficiary data with another independent agent?
No, an independent agent cannot share personal beneficiary data with another independent agent — even if both are affiliated with the same FMO — unless the independent agent obtains prior express written consent before sharing.
That means the first independent agent must obtain prior express consent from the beneficiary to share their personal data with a specifically identified independent agent. A generic “another agent” in the disclaimer is not sufficient.
Do I still need to obtain consent even when I’m manually dialing phone numbers?
Yes, even if you adhere to the TCPA regulations while manually dialing, you still must obtain prior express written consent.
Is there a model disclaimer I can use?
CMS points to the Federal Trade Commission (FTC) for examples of “clear and conspicuous” disclaimers regarding obtaining consent. See the FTC’s .com Disclosures booklet for an in-depth discussion on disclaimers and examples. You can also read more in this section of the Federal Register.
Do I have to get permission even if we’re downlines of the same upstream entity?
Yes, even if TPMOs are affiliated (e.g., shared parent company, contracts for downstream services, or independent agents under the same FMO), sharing the beneficiary’s data still requires prior express written consent.
Will I still be able to buy leads from my FMO or other organizations?
It depends on the FMO or lead generator organization and the type of lead. If the FMO or other organization has implemented the proper steps to obtain prior express written consent for MA and PDP leads to sell the lead to you specifically, then yes, you will still be able to buy compliant leads. The Final Rule only applies to buying MA and PDP leads; the same rules do not apply to other kinds of leads, like Medicare Supplement and final expense.
How long do I have to store the written consent?
Similarly to the Scope of Appointment, store prior express written consent for 10 additional years after the selling year.
How long is the consent good for?
Similarly to the Medicare Permission to Contact form, the prior express written consent is good for 12 months or until a client declines further contact. After that, the TPMO would need to obtain renewed consent.
2025 is a year of change for Medicare. Proceed compliantly with lead sharing by following these guidelines and obtaining prior express written consent. If you have any questions, please reach out to our Compliance team. If you’d like a single-page document of these guidelines, please download Sharing of Personal Beneficiary Data with other TPMOs from Integrity.
Ritter takes compliance seriously, and we’re dedicated to helping our agents follow all the necessary CMS guidelines and regulations. Register with us to stay up to date on rulings, receive support, and get access to compliant sales technology.
Not affiliated with or endorsed by Medicare or any government agency.