1. MediMatch
  2. Compliance
  3. TCPA & Medicare Text Messaging
TCPA · Topic Guide · June 2026

TCPA and Medicare Text Messaging: Prior Consent, Opt-Out, and Litigation Risk

Published June 2026 · Last updated June 2026 · Part of the Medicare AI Compliance Guide

For SMS-based Medicare programs, TCPA is frequently a more immediate and more costly compliance risk than HIPAA — yet it receives far less attention in vendor evaluation conversations. This guide covers the TCPA consent requirements that govern Medicare text messaging, the 2024 FCC one-to-one consent rule, opt-out obligations, and the litigation exposure that comes from skipping any of them.

Not legal advice. This guide draws on primary regulatory sources and is provided for educational purposes. Consult qualified TCPA counsel for compliance determinations specific to your program's consent flow, sender configuration, and applicable state laws.

The TCPA Framework for Marketing Text Messages

What does the TCPA require for Medicare marketing texts?
Prior express written consent from each recipient, obtained before the first marketing message is sent, identifying the specific sender. The consent must be documented and retained. Opt-outs must be honored immediately and permanently.

The Telephone Consumer Protection Act (47 U.S.C. § 227)[1] and implementing FCC regulations govern the use of text messages for marketing communications. The TCPA applies regardless of:

  • Whether the messages contain health information (TCPA is channel-agnostic on content)
  • Whether the program is HIPAA-subject (TCPA and HIPAA are independent frameworks)
  • The size of the sending organization — there is no small-entity exemption
  • Whether the messages are sent by a human or an automated system (though automated systems trigger additional provisions)

The TCPA distinguishes between three categories of consent for text messaging, each with different requirements:

  • Informational texts: Require prior express consent (written or oral). These are transactional or service-related — appointment reminders, enrollment confirmations. No marketing content.
  • Marketing texts: Require prior express written consent. Any text with a marketing purpose — even a subtle one — is in this category. Medicare plan-related outreach is marketing.
  • Emergency texts: No consent required for genuinely time-sensitive public safety messages. Not applicable to Medicare marketing.

Medicare lead generation and plan marketing fall into the "marketing texts" category, requiring the highest consent standard: prior express written consent.

Prior Express Written Consent — What It Actually Means

What exactly is prior express written consent?
A documented, affirmative agreement from the consumer, obtained before the first marketing text, clearly authorizing the specific sender. Electronic signatures qualify. Verbal consent, a pre-existing business relationship, or a buried disclosure in terms of service do not.

Under FCC regulations implementing the TCPA,[2] prior express written consent requires that the consumer:

  • Prior: Provides consent before the first marketing message — not at the time of receiving the message, not afterward, not implied by the act of sending an initial text.
  • Express: Affirmatively agrees — passive non-objection, a pre-existing relationship, or providing a phone number in another context (e.g., to receive a callback) are not express consent for marketing texts.
  • Written: Agreement is documented in a written record. Electronic signatures and online opt-in forms qualify under the E-SIGN Act. Verbal consent does not meet the written standard for marketing texts.
  • Clear and conspicuous: The disclosure must make clear that the consumer is agreeing to receive marketing texts from the specific sender, and must include the statement that consent is not a condition of purchase.
Common consent failures:
1. Checkbox pre-checked by default — the consumer must affirmatively check it.
2. Consent buried in terms of service without a clear, stand-alone disclosure.
3. Consent obtained for one purpose (e.g., appointment reminders) then used for marketing texts.
4. Phone number collected for a callback, then added to a text marketing list.
5. Sharing consent across multiple marketing partners — prohibited by the 2024 one-to-one rule.

The 2024 FCC One-to-One Consent Rule

What changed with the FCC's 2024 consent rule?
Each marketing sender must be specifically identified in the consent. A lead generation form that collects a single consent and routes it to multiple marketing partners no longer satisfies the written consent requirement for any of those marketers individually.

The FCC issued a declaratory ruling and order in 2024 significantly tightening how TCPA written consent operates in lead generation contexts.[3] Prior to this ruling, lead generation companies commonly used a single consent event — a consumer clicking "I agree to receive information from our partners" — to cover dozens of downstream marketing companies. The 2024 rule ended this practice.

What the rule requires

  • Prior express written consent must identify the specific company that will send the marketing texts — not "our marketing partners," not a list of companies in fine print.
  • Consent must be logically and topically related to the website or context in which it was obtained — a consent obtained on a Medicare plan comparison site covers Medicare-related outreach, not unrelated product marketing.
  • The consumer must take an affirmative step to consent to each marketing sender — passive or blanket consent is not sufficient.

Practical impact for Medicare programs

Medicare lead generation programs that rely on shared or aggregated lead lists — where the original consent was obtained by a lead-gen platform and "sold" or "shared" to multiple marketing partners — face significant exposure under the 2024 rule. Each marketer who received shared consent and used it to send marketing texts may independently lack the valid prior express written consent required for each message.

The compliant approach is to collect consent directly, specifically, and in the sender's own name — at the point of first contact with the consumer.

Opt-Out Requirements

How must a Medicare SMS program handle opt-outs?
Immediately and permanently. Any marketing text program must recognize standard opt-out keywords (STOP, QUIT, CANCEL, END, UNSUBSCRIBE), process opt-outs without delay, and never send another marketing message to an opted-out number. Failure to honor opt-outs is itself a TCPA violation.

What is required

  • Recognize standard keywords: STOP, QUIT, CANCEL, END, and UNSUBSCRIBE must all trigger opt-out processing. The CTIA Messaging Principles and Best Practices[4] treat this as the industry standard floor.
  • Immediate processing: Opt-outs must be honored without delay. A system that queues opt-outs and processes them in batch — potentially sending additional marketing messages in the meantime — is non-compliant.
  • No further marketing texts: After an opt-out, no marketing messages may be sent to that number regardless of the program, campaign, or time elapsed. A system that allows the same number to be re-enrolled without a fresh, documented re-consent is non-compliant.
  • Confirmation text permitted: A single, non-marketing confirmation of the opt-out ("You've been unsubscribed and will receive no further messages from [Sender]") is permitted and is considered best practice.
Retain opt-out records: Opt-out records should be maintained for as long as the number could theoretically be recontacted. If a number is reassigned to a new consumer who opts in, the prior opt-out must not silently override the new consent — and vice versa. Number reassignment is a known TCPA compliance hazard.

TCPA Penalties and Class Action Exposure

What are the TCPA penalties for Medicare SMS programs that lack proper consent?
$500 to $1,500 per message, and class actions are common. A Medicare SMS program that sends 10,000 texts without documented consent faces $5–$15 million in potential exposure before any class multiplier is applied.

The TCPA's damages provision is unusually punishing because it operates on a per-message basis and is privately enforceable without needing to show actual harm:

Violation typeStatutory damagesWho can bring the claim
Each marketing text sent without proper consent $500 per message Private plaintiff or class action
Willful or knowing violation Up to $1,500 per message (treble damages)[1] Private plaintiff, class action, or FCC
Failure to honor opt-out $500–$1,500 per message sent after opt-out Private plaintiff or class action

TCPA class actions are a mature and active area of plaintiff-side litigation. A Medicare SMS program that sends marketing texts to a list of 10,000 numbers without documented prior express written consent for each faces theoretical exposure of $5 million (at $500/message) to $15 million (at $1,500 for willful). Class certification for TCPA claims is relatively accessible because the statutory damages remove the need to prove individual actual harm.

Why this matters more than HIPAA for most SMS programs: HIPAA enforcement is government-initiated, typically targets Covered Entities with major breaches, and rarely produces per-message damages. TCPA enforcement is plaintiff-initiated, available for any program lacking consent documentation, and produces per-message damages that aggregate quickly. For an SMS-based Medicare program, the immediate financial risk from TCPA is almost always larger than the HIPAA risk.

TCPA vs. HIPAA: Comparing the Risk Profiles

Should a Medicare SMS program prioritize TCPA or HIPAA compliance?
Both, but TCPA is typically the more immediate litigation risk. The risks are independent — they require different controls and cannot be satisfied by the same measures. But TCPA's private right of action and per-message damages create exposure that HIPAA enforcement rarely matches for a typical Medicare lead program.
FactorTCPAHIPAA
Who can enforce Private plaintiffs, class actions, state AGs, FCC HHS OCR only (government-initiated)
Applies to Medicare brokers? Yes — always, regardless of CE status Only if CE/BA relationship exists
Damages structure $500–$1,500 per message; private class actions Tiered civil penalties; rarely per-message
Requires actual harm? No — statutory damages, no harm required Government enforcement; harm inferred from breach
Litigation velocity High — active plaintiff bar Lower — government process
Primary defense Documented prior express written consent BAA + implemented Security Rule controls

The two frameworks require different controls and cannot be satisfied by the same measures. TCPA compliance is about consent documentation and opt-out processing. HIPAA compliance (when it applies) is about data security controls and contractual frameworks for PHI. A program needs to address both, but the prioritization question has a clear answer for most Medicare SMS programs: TCPA consent infrastructure is non-negotiable and immediately actionable.

Frequently Asked Questions

Common TCPA questions for Medicare SMS programs.

What consent is required before sending Medicare marketing texts?

Prior express written consent under the TCPA (47 U.S.C. § 227).[1] The consent must be: (1) prior — obtained before the first marketing message; (2) express — affirmative, not implied by an existing relationship; (3) written — electronic signatures and online forms qualify, verbal does not; (4) specific to the sender — under the FCC's 2024 one-to-one rule, the consent must name the specific marketing sender, not just "our partners."

What is the FCC one-to-one consent rule and when does it apply?

The FCC's 2024 declaratory ruling[3] requires that prior express written consent for marketing texts identify the specific marketing sender. A single consent obtained on a lead-gen form covering "our partners" or a list of companies no longer satisfies the consent requirement for any individual marketer. The rule applies to any entity sending marketing texts — including Medicare lead programs that acquire leads from third-party lead generation companies. If the original consent did not specifically name your organization, the consent is likely insufficient under the 2024 rule.

What are the TCPA penalties for texts sent without proper consent?

Statutory damages of $500 per violation, trebled to $1,500 per willful or knowing violation.[1] Each non-compliant text message is a separate violation. TCPA claims may be brought as private class actions, and no showing of actual harm is required — the statutory damages are designed to be recoverable without proof of injury. For a program sending tens of thousands of texts without documented consent, aggregate exposure can reach millions of dollars before any class multiplier.

How must a Medicare SMS program handle opt-outs?

Opt-outs must be honored immediately and permanently. Industry standard requires recognizing STOP, QUIT, CANCEL, END, and UNSUBSCRIBE as opt-out keywords.[4] After an opt-out, no further marketing messages may be sent to that number under any campaign. Failure to honor an opt-out is itself a TCPA violation, separate from and independent of the initial consent question. Opt-out records should be maintained and cross-checked before any message is sent from any campaign touching that number.

Can a Medicare SMS program buy leads and text them?

It depends entirely on the consent documented by the lead source. Under the FCC's 2024 one-to-one consent rule, the lead's original consent must specifically identify your organization as a marketing sender — not just "insurance partners" or a generic description. If the lead source's consent form named your company specifically, and you can obtain documentation of that consent, the consent may be sufficient. If the consent was a blanket "our partners" consent, it is likely insufficient for your organization to send marketing texts. Purchasing leads without verifying the specific consent documentation is a significant TCPA exposure. Consult TCPA counsel before texting purchased lead lists.

Does the TCPA apply to informational texts as well as marketing texts?

Yes, but with a lower consent standard. Purely informational or transactional texts — enrollment confirmations, appointment reminders, service notifications with no marketing content — require prior express consent (not necessarily written). Marketing texts — any text with a promotional element, including Medicare plan information or lead nurturing — require the higher standard of prior express written consent. In practice, the line between informational and marketing text content can be blurry, and Medicare-related outreach is generally treated as marketing. When in doubt, apply the written consent standard.

Is TCPA or HIPAA a bigger risk for Medicare SMS programs?

For most Medicare SMS programs, TCPA is the more immediate litigation and financial risk. HIPAA enforcement is government-initiated and typically targets Covered Entities with significant data breaches — the enforcement path is slow and the damages structure differs. TCPA violations can be brought by private plaintiffs as class actions at $500–$1,500 per message, with no proof of actual harm required. The plaintiff-side TCPA bar is active and well-funded. A Medicare SMS program sending 10,000 texts without documented consent faces potential exposure of $5–$15 million before any class multiplier. Both compliance frameworks are necessary, but the TCPA is the more immediate action item for SMS programs.

Does prior express written consent expire?

TCPA regulations do not specify a fixed expiration period for prior express written consent. However, there are practical risks to relying on old consent: (1) the consent may have been for a specific program or product that is no longer accurate; (2) the phone number may have been reassigned to a different consumer who has not consented; (3) FCC interpretations of consent "revocation" create uncertainty about how long consent remains valid once a consumer indicates they no longer want to be contacted. Best practice is to treat consents older than 12–18 months as requiring re-validation, and to use real-time number reassignment data services before texting numbers from older lists.

Related Compliance Guides

→ The full Medicare AI Compliance Guide (HIPAA, TCPA, TPMO, MHMDA) → HIPAA & Medicare Lead Generation — When It Applies and When It Doesn't → All MediMatch compliance resources

Sources

Primary regulatory sources verified as of June 2026.

  1. 1 Telephone Consumer Protection Act — 47 U.S.C. § 227 The TCPA as enacted and amended. Establishes the prior express written consent standard for marketing calls and texts, statutory damages ($500–$1,500 per violation), and private right of action.
    Publisher: FCC · Last verified June 2026
  2. 2 FCC TCPA Rules — 47 C.F.R. § 64.1200 FCC implementing regulations for the TCPA, including the prior express written consent requirement and opt-out obligations for marketing text messages.
    Publisher: FCC · Last verified June 2026
  3. 3 FCC One-to-One Consent Rule — 2024 Declaratory Ruling and Order FCC ruling requiring that prior express written consent identify the specific marketing sender. Eliminates the "blanket consent" practice used by lead aggregators.
    Publisher: FCC · Issued 2024 · Last verified June 2026
  4. 4 CTIA Messaging Principles and Best Practices Industry standard guidelines for SMS programs, including opt-out keyword recognition (STOP, QUIT, CANCEL, END, UNSUBSCRIBE) and opt-out processing requirements.
    Publisher: CTIA · Last verified June 2026

About MediMatch

MediMatch collects, documents, and stores TCPA prior express written consent before any marketing message is sent. Opt-outs are processed in real time. Consent records are retained with timestamps and the full consent event detail needed as a TCPA defense.

Questions about TCPA compliance for your Medicare SMS program?

Schedule a Call Learn About MediMatch

This guide is educational and is not legal advice. Consult qualified TCPA counsel for consent flow review and program-specific compliance determinations.