Medicare AI Compliance Guide: HIPAA, TCPA, TPMO & Consumer Health Privacy

1. HIPAA and Medicare Lead Generation

HIPAA governs only two categories of organizations: Covered Entities — health plans, healthcare clearinghouses, and providers that transmit health information electronically — and Business Associates, which are entities that create, receive, maintain, or transmit Protected Health Information on behalf of a Covered Entity.^[1],[2]

A software vendor is never itself a Covered Entity. HIPAA reaches vendors only through the Business Associate path — by handling PHI on behalf of a Covered Entity or its Business Associate. If no Covered Entity sits in the data chain, the same data is governed by other laws. This is because HIPAA defines PHI as health information held by or for a Covered Entity — the status of the holder determines whether HIPAA applies, not the sensitivity of the information alone.

Are insurance brokers Covered Entities?

Generally no. The Covered Entities within Medicare are the health plans — the carriers and insurance issuers that underwrite the plans. Insurance agents and brokers who market and sell Medicare Advantage and supplement plans are intermediaries, not health plans.

• Lead data a consumer volunteers directly to a broker, before any carrier relationship exists, is typically not PHI under HIPAA.
• A brokerage can become a Business Associate in other contexts — for example, if it administers group health benefits and directly handles a carrier's PHI. In that context, a subcontractor BAA is appropriate.
• Whether a specific brokerage is a BA for a specific data flow requires a fact-specific analysis; carriers sometimes contractually treat distribution partners as BAs.

When HIPAA does apply

If a Medicare program's data flow ties to a Covered Entity or BA relationship — for example, a technology vendor processing lead data that feeds directly into a carrier's enrollment workflow — HIPAA applies and a Business Associate Agreement is required before PHI can be shared with that vendor.

Even when not strictly required, HIPAA-aligned controls are worth maintaining. Enterprise security teams require them contractually, those controls represent the floor demanded by other applicable laws, and maintaining them removes "are you HIPAA compliant?" as a procurement obstacle.

2. The Regulatory Framework That Actually Applies

The compliance conversation for Medicare AI programs should not begin and end with HIPAA. Here is the regulatory landscape as it actually applies to consumer Medicare lead generation over SMS:

The compliance conversation should lead with consent + state health privacy law + TCPA, with HIPAA/BAA as an available scope that attaches when the data chain involves a Covered Entity.

3. Collecting Health Data Over SMS — What the Rules Actually Say

There is a widespread misconception that collecting personal or health data over SMS is inherently non-compliant. That is not what the regulations say, and it is not how the market has operated.

What HIPAA actually says about SMS

HHS Office for Civil Rights has stated explicitly that covered entities may communicate with individuals via unencrypted text or email when the individual is informed of the risks and still prefers that channel.^[3] The obligation is to warn and document, not to refuse the channel entirely.

The Security Rule's transmission-encryption standard is "addressable" — not mandatory — meaning a covered entity may implement an alternative measure and document why it is reasonable. A documented consent and risk acknowledgment is an established alternative to end-to-end encryption for the carrier hop.

What TCPA says about SMS

TCPA's primary gate is prior express written consent before sending marketing messages — not the content or sensitivity of the data exchanged in those messages. A program that has proper consent in place, honors opt-outs, and operates with a compliant sender profile is within the TCPA framework regardless of whether health-related information is discussed.

How to mitigate SMS risk responsibly

• Consent and risk disclosure captured before messaging — combining TCPA prior express written consent with state health-privacy opt-in requirements.
• Minimize what's solicited over SMS — general intake and education only; keep the conversational footprint light over the carrier hop.
• Route sensitive fields to a secure web channel — medications, provider relationships, and specific benefit decisions route to an encrypted web form by design, keeping the heaviest PII off the SMS transmission.
• HIPAA-eligible transport for the messaging layer when operating in HIPAA scope (Twilio HIPAA tier, Bandwidth, Telnyx, Sinch, and AWS End User Messaging all provide BAA-backed messaging infrastructure).

4. State Consumer Health Privacy Laws

Washington My Health My Data Act (MHMDA)

Enacted in 2023 (ESHB 1155),^[4] the MHMDA is one of the most significant consumer health privacy laws enacted outside the federal HIPAA framework. Key provisions:

• Affirmative opt-in consent is required before collecting or sharing consumer health data — passive or implied consent is not sufficient.
• A consumer health data privacy policy must be published and linked from the first point at which health data is collected.
• Consumers have the right to access, delete, and withdraw consent for their health data.
• The law applies to entities that collect health data of Washington residents regardless of where the entity is based, making it effectively extraterritorial for programs that market nationally.
• It carries a private right of action — individual consumers and class plaintiffs can sue for violations, significantly elevating enforcement risk compared to laws enforced only by government regulators.

For a Medicare SMS program that may reach Washington residents, MHMDA compliance is not optional and does not depend on whether the program is subject to HIPAA.

Nevada SB 370

Nevada Senate Bill 370 (effective 2023)^[5] establishes a parallel framework for Nevada residents. Like MHMDA, it requires opt-in consent before collecting or sharing consumer health data, establishes consumer access and deletion rights, and applies to entities collecting Nevada residents' data regardless of where the entity is located.

CCPA / CPRA — California Sensitive Data

California's Consumer Privacy Rights Act^[6] treats health information and precise geolocation as "sensitive personal information." This triggers additional requirements: the right to limit sensitive data use, specific notice obligations, and the requirement that data shared with vendors be covered by a CCPA-compliant service-provider agreement. For programs reaching California residents, CCPA/CPRA is the baseline state privacy framework.

Other states

Colorado, Connecticut, Virginia, Texas, and several other states have enacted or are implementing consumer privacy laws with health data provisions. The landscape is evolving rapidly. Confirm currently effective laws for the specific states your program will market into before launch, and build in a quarterly review cadence to catch new enactments.

5. TCPA and Medicare Text Messaging

The TCPA framework

The Telephone Consumer Protection Act (47 U.S.C. § 227)^[7] and FCC regulations require prior express written consent before sending marketing text messages to a consumer's mobile phone. Key requirements:

• Prior — consent must be obtained before the first marketing message, not concurrent with or after.
• Express — not implied by an existing business relationship. The consumer must affirmatively agree.
• Written — electronic signatures and online opt-in forms qualify; verbal consent does not meet the written standard for marketing messages.
• Specific sender — following the FCC's 2024 one-to-one consent rule, consent must identify the specific marketing sender. A consumer cannot consent on behalf of multiple companies through a single opt-in event.

Opt-out requirements

Any SMS marketing program must honor opt-outs immediately. Industry standard is to recognize STOP, QUIT, CANCEL, END, and UNSUBSCRIBE. Opt-outs must be processed promptly and the consumer must not receive further marketing messages after opting out. Failure to honor opt-outs is itself a TCPA violation independent of the initial consent question.

Why TCPA is often the higher enforcement risk

HIPAA enforcement is initiated by government regulators and typically focuses on Covered Entities with significant data breaches — the enforcement path is slow and generally not available to individual plaintiffs. TCPA violations can be brought as private class actions on a per-message basis — statutory damages of $500 to $1,500 per message. A Medicare SMS program that sends 10,000 texts without proper consent faces potential exposure of $5–$15 million before any class multiplier. The plaintiff-side TCPA bar is active and well-funded.

Documented consent records, a clean opt-in flow, and a properly configured opt-out mechanism are the primary defenses against TCPA class action exposure.

6. CMS Medicare Marketing & TPMO Rules

TPMO definition and scope

CMS defines Third-Party Marketing Organizations as entities that perform lead generation, marketing, sales, or enrollment functions on behalf of Medicare Advantage or Part D plans.^[8] The key question for technology vendors is whether they are acting as a pure technology provider or as a functional TPMO. The analysis turns on what the vendor actually does, not what technology it uses.

TPMO compliance requirements

• Required disclaimer: Every marketing communication must include the CMS-mandated disclaimer: "We do not offer every plan available in your area. Any information we provide is limited to those plans we do offer in your area. Please contact Medicare.gov or 1-800-MEDICARE to get information on all of your options." This applies to text, email, websites, and digital channels — not only printed materials.
• Communication recording: CMS requires audio recording of marketing and sales calls, retained for a minimum of 10 years. The application of this requirement to SMS conversation logs warrants analysis with qualified Medicare compliance counsel.
• Scope of Appointment (SOA): Before discussing specific plan options with a Medicare beneficiary, agents must obtain a documented SOA indicating which plan types the consumer agrees to discuss. SOAs must generally be obtained at least 48 hours before the appointment.

Technology vendors vs. TPMOs

A technology platform that provides software infrastructure — SMS routing, data collection, lead management — without directly marketing plan options or influencing enrollment decisions may be a technology vendor rather than a TPMO. However, this is a fact-specific analysis. Vendors that generate enrollment-ready leads with plan-specific messaging, or that present plan options to consumers, are more likely to be classified as TPMOs. For ambiguous situations, the safer course is a counsel read and direct confirmation with your CMS Regional Office.

7. AI Systems and Medicare Compliance

AI and the HIPAA analysis

Adding an AI model to a Medicare intake workflow doesn't change the fundamental HIPAA question: is there a Covered Entity or BA relationship for this data flow? If there is, PHI that flows through or is processed by the AI is subject to HIPAA controls, and a BAA is required with the AI provider if that provider processes PHI on the CE's behalf.

Key questions for AI in a HIPAA-scope Medicare program:

• Does the AI model process PHI? If intake conversations include PHI and are sent to a third-party AI model, that model provider may need to be a Business Associate with a BAA. AWS Bedrock, Azure OpenAI (Enterprise), and Google Vertex AI all offer HIPAA-eligible tiers.
• Are prompts and conversation logs retained? AI platforms often log prompts and completions by default. In HIPAA scope, those logs can constitute PHI and must be handled accordingly.
• Is PHI de-identified before AI processing? If the AI operates on de-identified data (per the HIPAA Safe Harbor or Expert Determination standards), the output is not PHI and many HIPAA controls do not apply to that processing step.

AI and TCPA / TPMO

TCPA does not distinguish between AI-generated and human-generated text messages — the same prior express written consent requirement applies. If anything, AI systems that can send messages at scale make documented consent records more important, not less, because the volume of potential exposure per consent failure is higher.

For TPMO purposes, CMS rules apply to the marketing function, not the technology. An AI system performing lead generation on behalf of a Medicare Advantage plan is performing a TPMO function regardless of whether it is automated.

Evaluating AI vendors for Medicare programs

Key compliance questions when evaluating an AI vendor for a Medicare program:

• Will the vendor sign a BAA if operating in HIPAA scope?
• What AI subprocessors does the vendor use, and will they sign BAAs?
• How are prompts and conversation logs retained, and can retention be configured or disabled?
• Is PHI detection and redaction available before data crosses to the AI processing layer?
• Does the platform enforce and log consent, opt-in, and opt-out events?
• What CMS TPMO controls — disclaimer, SOA support, communication recording — are built in?
• What deployment options exist for data-sovereignty requirements?

Frequently Asked Questions

Common compliance inquiries from brokers, carriers, compliance teams, and TPMOs evaluating SMS-based Medicare AI programs.