How to ensure compliance with new CMS requirements


The Centers for Medicare and Medicaid Services (CMS) have implemented new electronic communications recording, disclosure and oversight rules. How can you stay compliant? 

On October 1, 2022, new CMS rules on electronic communications came into effect. They are viewed as part of a broader global trend towards increased disclosure for complex healthcare, financial or insurance products directly marketed to customers.

In a recent post, Theta Lake detailed how companies can remain compliant in line with the new regulations.

Theta Lake said the new regulations ‘highlight the heightened scrutiny around the sale of complex healthcare products, to promote transparency and protect consumers’. The firm said that complaints about misleading advertising and sales of Medicare Advantage plans and Part D were the key catalyst for the CMS regulatory updates.

The new CMS obligations consist of three core components. The first is the requirement for third-party marketing organisations (TPMOs) to record or capture any electronic communications of sales conversations about MA plans or Part D. This includes telephone calls or any other interactions such as emails, video conferences and chats on platforms like Zoom and Teams.

Secondly, CMS will mandate the provision of specific disclaimer language during the first minute of a telephone call or within the relevant electronic communication. Finally, TPMOs must report monthly disciplinary actions or violations to the “first tier entities,” such as insurance providers.

Theta Lake highlighted that the obligations are critical to ensuring the regulators and ‘first tier entities’ can review communications with customers to determine what information and advice was given in the event of a complaint or investigation.

What challenges do the regulations pose to TPMOs? Theta Lake said, “The requirements could create significant challenges for TPMOs not previously subject to mandates to record calls or other electronic communications, provide routine disclaimers, or report on compliance issues.

“The basic tasks of recording, archiving, and supervising communications for compliance and disciplinary purposes are compounded by the fact that they occur across multiple modern platforms like Zoom, Slack, Microsoft Teams, RingCentral as well as mobile applications, SMS, and WhatsApp.”

In order to comply, companies must ensure they are able to record all calls or electronic communications and should also be able to retain the growing volumes of records for at least ten years.

Companies should be able to easily search and retrieve records so that they can be provided without delay when requested by regulators, and must be able to review the conversations to identify instances where inappropriate or non-compliant behaviour occurred.

In addition, businesses must be able to retain their records in a way that meets HIPAA compliance, which is important to ensure that sensitive medical or personal data is protected, and must ensure that they have a way of including the mandated disclaimer in all communications. That includes written communications like chat messages.


Theta Lake previously teamed up with fellow communication security solution Movius to help companies improve compliance with collaboration tools.

Copyright © 2022 RegTech Analyst
