In 2026, CMS call recording requirements are no longer a small compliance task; they are a make or break risk for every Medicare agency.
With strict oversight from Centers for Medicare & Medicaid Services, agents must record the entire chain of enrollment, deliver disclaimers within 60 seconds, verify Permission to Contact, and securely store files for 10 years.
One missed script or unrecorded call can trigger audits, fines, or even license loss. The problem is simple: manual processes fail at scale.
The solution is building an audit proof workflow powered by automation and AI tools that monitor, secure, and verify every call in real time so you stay compliant and focused on serving seniors.
Introduction: The New Reality of Medicare Compliance in 2026
- As we step into 2026, the Medicare Advantage (MA) landscape has shifted from a period of rapid expansion to one of intense regulatory scrutiny. As a leader in this industry, I have seen many changes, but none as transformative as the current oversight era.
- The federal government is projected to pay MA plans approximately $590.9 billion this year. With that level of investment comes a non-negotiable expectation of transparency. We are no longer operating in an environment where compliance is a check the box activity; it is now the very foundation of our business's valuation and longevity.
- The 2026 contract year represents the full maturity of several initiatives. Most notably, CMS has completed its transition to the 2024 CMS HCC risk adjustment model, which is now used for 100% of risk score calculations.
- This means every diagnosis and every benefit discussion captured on a call has a direct, auditable impact on the financial integrity of the Medicare program.
- For my fellow agency owners, this makes understanding and mastering the CMS call recording requirements the single most important operational priority of the year.

What changed in the 2026 CMS marketing and communications guidelines
- The 2026 Medicare communications and marketing guidelines are defined by a move toward outcome based measurement. CMS has fundamentally altered how it audits organizations, removing traditional point based scoring in favor of binary classifications: Corrective Action Required (CAR) or Observation.
- This shift reflects a deeper philosophy: if a marketing error impacts a beneficiary's access to care or their financial well being, it is no longer a minor infraction; it is a systematic failure that requires immediate remediation.
- Furthermore, 2026 brings the permanent status of the 48 hour Scope of Appointment (SOA) rule, alongside stricter one to one consent mandates for lead generation.
- These changes were designed to eliminate the daisy chaining of beneficiary data, ensuring that when an agent picks up the phone, they do so with clear, documented permission.
- The CMS call recording requirements are the mechanism by which CMS verifies that these permissions were honored during the actual sales interaction.
Why non compliance is more costly than ever (fines + loss of certification)
- The financial stakes have reached an inflection point. Starting in February 2026, CMS is launching a random quarterly audit program that will scrutinize 250 records across the industry to identify marketing failures.
- Civil Monetary Penalties (CMPs) for reporting delays or missing records have been adjusted for inflation, with daily fines reaching up to $1,000 per record, capped at $365,000 annually per instance.
- However, the financial penalty is often secondary to the reputational and contractual damage. CMS has demonstrated a willingness to impose Intermediate Sanctions, which can include the immediate suspension of all enrollment and marketing activities.
- For an independent agent, a significant violation of the CMS call recording requirements can result in a 10 year re-enrollment bar, effectively ending a career. In this guide, we will treat compliance not as a burden, but as a strategic asset that protects our agencies and our clients.
What Are CMS Call Recording Requirements?
- According to CMS, Medicare plans and Third Party Marketing Organizations (TPMOs), which include independent agents, brokers, and lead generators, are expected to capture all marketing and sales calls in their entirety, including the audio portion of calls made using web based technologies such as Zoom or FaceTime.
- These calls should be securely stored in a manner that is HIPAA compliant and should be retained for a minimum of 10 years to ensure that they are accessible in the event of a CMS audit or in response to a complaint from a Medicare beneficiary.
Who must comply (carriers, agents, TPMOs, FMOs)
The reach of the CMS call recording requirements is intentionally broad. CMS defines a TPMO as any organization or individual compensated to perform lead generation, marketing, sales, or enrollment related functions as part of the chain of enrollment. This means:
- Independent Agents and Brokers: Even if you are a solo practitioner, you are a TPMO. There is no small business exemption for these rules.
- Captive Agents: Agents working directly for a single carrier must adhere to the same recording standards.
- FMOs and Agencies: Large organizations must provide the infrastructure and oversight to ensure their downstream agents are compliant.
- Lead Vendors: Any firm that collects beneficiary data for the purpose of selling it to an agent must record the initial outreach that established the permission to contact.
When the requirements apply
The mandate is triggered by the content of the conversation, not just the intent to enroll. If your discussion could influence a beneficiary's decision regarding a Medicare Advantage or Part D plan, the CMS call recording requirements apply.
- Marketing & Education: Explaining plan features, star ratings, or comparing two different Medicare Advantage plans.
- Needs Assessments: Asking a beneficiary about their doctors, current medications, or monthly budget.
- Enrollment: The actual telephonic application process.
- Retention: Retention marketing, or calls intended to persuade a client to stay with their current plan, must also be recorded.
Purely administrative calls, such as those made solely to schedule an in person appointment or to confirm a mailing address, do not strictly require recording. However, from a CEO’s perspective, I recommend recording every call.
A simple scheduling call can instantly turn into a marketing discussion if the client asks, "Wait, does my doctor still take this plan?" At that moment, the CMS call recording requirements go into effect, and if you aren't already recording, you are in violation.
The Core CMS Medicare Call Recording Mandate: The Chain of Enrollment
The Chain of Enrollment is the regulatory framework CMS uses to protect the entire beneficiary journey.
Medicare call recording encompasses every step a consumer takes from the moment they first become aware of a plan through the final enrollment decision.
This holistic view ensures that agents cannot use educational calls to make misleading promises that aren't captured during the formal enrollment recording.
What must be recorded
To comply with the CMS call recording requirements, agents must capture the interaction from start to finish. This means the recording must begin before the first greeting and end only after the beneficiary has hung up. The file must include:
- The Initial Disclaimer: Confirmation that you read the required TPMO language within the first 60 seconds.
- Verification of Identity: Documentation that you identified yourself as a licensed agent and clarified you are not affiliated with the government.
- The Benefit Review: Every detail regarding co-pays, deductibles, and the 2026 Part D out of pocket cap, which is now $2,100.
- Audio of Video Calls: If you are using Zoom, you do not need to save the video, but the audio track must be archived per the CMS call recording requirements.
Required verbal disclosures at start of each call
- Before diving into plan details, you must establish the legal basis for the call. First, you must obtain explicit verbal consent to be recorded.
- If a beneficiary declines, you are legally obligated to terminate the call immediately; there are no exceptions, even if the client is a long term friend or family member.
- Furthermore, your script must include a clear statement that by calling this number, you will be connected to a licensed insurance agent and that you are not affiliated with the federal government or the Medicare program.
- These disclosures are non-negotiable elements of the CMS call recording requirements.
The Full 2026 CMS Requirements Checklist
- To manage an agency effectively, you need a single source of truth for compliance standards. Use this table to audit your current technology and training protocols for the CMS call recording requirements.

| Requirement | Applies To | Specific Rule | Penalty for Violation |
| --- | --- | --- | --- |
| Comprehensive Recording | All TPMOs/Agents | Record all sales, marketing, and enrollment calls in full. | Enrollment suspension, daily CMPs up to $1k. |
| 10 Year Data Retention | All TPMOs/Agents | Secure storage of audio files for 10 years after the interaction. | $365k max annual fine, loss of carrier contracts. |
|  |  | Standardized disclaimer read within the first 60 seconds of a call. | Marketing violation, audit failure, commission clawbacks. |
| Recording Consent | All TPMOs/Agents | Verbal consent at start, end call if beneficiary refuses. | Recording is inadmissible, immediate compliance failure. |
| One to One Consent | All Lead Sources | Written consent to share data with a specific agent/agency. | Lead is considered cold, resulting in marketing sanctions. |

- Adherence to the CMS call recording requirements is the only way to ensure your business is protected during the random audits scheduled for this contract year.
Medicare Permission to Contact Guidelines
As CEO, I tell my team that Permission is our most valuable currency. The Medicare permission to contact guidelines have evolved to eliminate the aggressive, unrequested outreach that plagued the industry in years past.
In 2026, the rules around Permission to Contact (PTC) and Scope of Appointment (SOA) are more rigid than ever.
Scope of Appointment (SOA) requirements
The SOA is a federally mandated form that outlines the specific products to be discussed during a meeting.
- The 48 Hour Rule: You must secure a signed SOA at least 48 hours prior to any scheduled appointment, whether that appointment is in person or over the phone.
- Literal Timing: CMS interprets this literally. If the SOA is signed at 10:00 AM on Monday, you cannot discuss plans until 10:00 AM on Wednesday.
- New Products: If a beneficiary suddenly wants to discuss a product type not checked on the original SOA (e.g., shifting from MA to a Stand alone Part D plan), you must stop, have them sign a new SOA, and reset the 48 hour clock.
- Exceptions: The only valid exceptions are unscheduled walk-ins initiated by the beneficiary and appointments scheduled within the final four days of an enrollment period.
Permission to Contact (PTC) rules
While an SOA governs the meeting, the PTC governs the initial reach out.
- One to One Consent: CMS now enforces a rule where a lead vendor cannot sell a single consent to twenty different agents. The beneficiary must specifically agree to be contacted by your agency or you by name.
- Prohibited Outreach: Cold calling, door to door solicitation, and approaching beneficiaries in public spaces like parking lots or grocery stores remain strictly prohibited.
- Lead Documentation: You must retain proof of the original lead source and the specific consent for 10 years, matching the retention period for the CMS call recording requirements.
Documentation requirements
- In 2026, your CRM is your best friend. Every interaction must be logged with a timestamp that connects the lead source to the SOA, and then to the call recording. CMS auditors no longer want to see effort; they want to see proof.
- If your digital paper trail has a single gap, the CMS call recording requirements may be deemed unfulfilled, putting your commissions and certifications at risk.
The 3 Audit-Proof Checkpoints Every Medicare Agent Needs
To simplify the CMS call recording requirements for our producing agents, we have developed a three checkpoint system. This ensures that compliance is integrated into the workflow rather than being a post call afterthought.
Checkpoint 1: Pre-call compliance setup
Preparation is the strategy of the elite. Before the agent dials a number:
- Verify SOA: Confirm the SOA is signed and that the 48 hour cooling off period has expired.
- Check Ready to Sell Status: Ensure the agent is certified for the specific 2026 plans they intend to discuss.
- Record Activation: Verify that the recording system is live and that the agent is in a secure, private environment where PHI won't be overheard.
- Script Readiness: The agent should have the TPMO disclaimer and the CMS call recording requirements consent language visible on their screen.
Checkpoint 2: During-call disclosures
This is where the tactical execution of the CMS call recording requirements occurs.
- The First Minute Rule: Within the first 60 seconds, state your name, license status, non-affiliation with the government, and the TPMO disclaimer.
- Consent Confirmation: Secure an explicit "Yes" from the beneficiary to be recorded.
- Avoid Superlatives: Even though some rules have been relaxed in proposals, the current 2026 standard is to avoid terms like "best" or "top rated" unless they are supported by specific CMS approved data.
- MPPP Explanation: For 2026, explain the Medicare Prescription Payment Plan (MPPP) clearly, ensuring the beneficiary knows it is a voluntary option to spread out drug costs.
Checkpoint 3: Post-call documentation
Finalizing the audit trail is the most critical part of the CMS call recording requirements.
- Link Recording to CRM: Ensure the audio file is automatically associated with the client’s unique ID.
- Summarize Recommendation: Enter a note explaining why a specific plan was chosen based on the client’s specific doctor and drug list.
- Confirm Retention: Verify the file is stored in your 10 year archive. This post call discipline is what separates a compliant agency from one that falls during a CMS sweep.
Data Retention and Security: The CMS Storage Requirements
As a CEO, I view data as both an asset and a liability. Storing a decade's worth of audio files is a massive technical undertaking that requires strict adherence to the CMS call recording requirements regarding security and format.
Minimum 10-year retention rule
- The 10 year mandate is absolute. CMS requires this duration to match the statute of limitations for federal healthcare fraud investigations. If an agency closes or an agent moves to a different FMO, the responsibility for those recordings does not disappear.
- You must ensure that your technology platform provides data sovereignty, meaning you own and can access those files even if you terminate your service with the vendor.
Acceptable storage formats & systems
CMS does not require a specific audio format, but they do require a system that ensures integrity.
- WORM Storage: Write Once, Read Many (WORM) storage ensures that a file cannot be edited or deleted once it is created.
- Cloud Redundancy: Avoid local hard drives. Use cloud based UCaaS systems (like RingCentral or Phone.com) that offer geo redundant storage, ensuring a local disaster doesn't wipe out your compliance files.
- Searchability: During an audit, you may have only 30 days to produce a specific record. Your system must allow you to search by beneficiary name, phone number, or date.
Access controls & audit trail requirements
To comply with HIPAA alongside the CMS call recording requirements, you must implement Role Based Access Control (RBAC).
Agents should only be able to access their own recordings, while compliance officers have broader oversight.
Additionally, your system must maintain an immutable audit log that records every time a file is played, downloaded, or shared, providing a complete Chain of Custody for federal investigators.
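The access rule and audit log described above, as an added Python example (not code from CMS, Thunai, or any vendor): agents can open only their own recordings, compliance officers can open any, and every play, download or share attempt, allowed or denied, is appended to a hash-chained log. The role names, field names and sample IDs are assumptions; the hash chain makes edits detectable but does not replace WORM storage.

```python
import hashlib
import json
from dataclasses import dataclass

GENESIS = "0" * 64                       # prev_hash of the first entry
ACTIONS = {"play", "download", "share"}  # events the text says must be logged


@dataclass(frozen=True)
class User:
    user_id: str
    role: str            # assumed role names: "agent" or "compliance"


@dataclass(frozen=True)
class Recording:
    recording_id: str
    owner_agent_id: str


def can_access(user, rec):
    """Agents see only their own recordings; compliance officers see all."""
    if user.role == "compliance":
        return True
    return user.role == "agent" and user.user_id == rec.owner_agent_id


def _digest(prev_hash, body):
    # Canonical JSON so the same entry always hashes to the same value.
    payload = json.dumps(body, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + payload).encode("utf-8")).hexdigest()


class AuditLog:
    """Append-only log; each entry commits to the hash of the one before."""

    def __init__(self):
        self.entries = []

    def append(self, body):
        prev_hash = self.entries[-1]["hash"] if self.entries else GENESIS
        entry = {"body": body, "prev_hash": prev_hash,
                 "hash": _digest(prev_hash, body)}
        self.entries.append(entry)
        return entry

    def first_broken_index(self):
        """Return the index of the first altered entry, or -1 if intact."""
        prev_hash = GENESIS
        for i, entry in enumerate(self.entries):
            if (entry["prev_hash"] != prev_hash
                    or entry["hash"] != _digest(prev_hash, entry["body"])):
                return i
            prev_hash = entry["hash"]
        return -1


def access_recording(log, user, rec, action, ts):
    """Decide access and log the attempt, whether or not it is allowed."""
    if action not in ACTIONS:
        raise ValueError(f"unknown action: {action}")
    allowed = can_access(user, rec)
    log.append({"ts": ts, "user": user.user_id, "role": user.role,
                "recording": rec.recording_id, "action": action,
                "allowed": allowed})
    return allowed


if __name__ == "__main__":
    # Constructed sample data, not real users or recordings.
    log = AuditLog()
    rec = Recording("rec-001", owner_agent_id="agent-a")
    other = User("agent-b", "agent")
    print(access_recording(log, other, rec, "play", "2026-02-01T10:00:00Z"))
    print(log.first_broken_index())
```

Storing the latest entry hash somewhere the log's administrators cannot write to lets a reviewer detect a log that was rewritten and re-hashed from the start.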
Penalties for Non-Compliance with CMS Call Recording Requirements
Ignoring the CMS call recording requirements is a gamble with the survival of your agency. CMS has streamlined its enforcement to be swifter and more punitive than at any point in history.
Civil Monetary Penalties (CMPs)
The fines for 2026 are tiered based on the duration of the violation.
- $250 per record/day: For records reported 1 to 2 years late.
- $500 per record/day: For records reported 2 to 3 years late.
- $1,000 per record/day: For any record missing for more than 3 years.
- Annual Cap: CMS caps total CMPs at $365,000 annually per organization, but this is adjusted for inflation and can be applied per instance of systemic failure.
Plan termination risk
- The largest carriers in the country are under immense pressure from CMS to police their downstream agents.
- If your agency is found to have a high rate of missing SOAs or failed CMS call recording requirements, the carrier will protect its own Star rating by terminating your contract.
- This Intermediate Sanction can happen almost overnight, cutting off your primary revenue stream without a lengthy appeal process.
Agent certification revocation
- For individual producers, the consequences are personal. CMS has the authority to revoke your enrollment in the Medicare program entirely.
- In cases of willful neglect of the CMS call recording requirements, CMS may also refer the case to the Office of Inspector General (OIG) for criminal investigation if fraudulent intent is suspected.
How AI Tools Automate CMS Compliance (Without Extra Work)
In 2026, the volume of data is too large for manual human oversight. This is where AI becomes a strategic partner. AI tools are the only way to ensure 100% adherence to the CMS call recording requirements while allowing your agents to focus on closing sales.
Automatic call recording + transcription
- Platforms like Thunai automate the most tedious parts of the CMS call recording requirements, in the way AI agents for insurance handle compliance, recording, and monitoring end to end.
- By integrating directly with your dialer, these tools automatically start the recording and generate a real time transcript.
- This creates a searchable index of your entire Chain of Enrollment, allowing you to find any conversation in seconds.
Compliance disclosure triggers
- AI can now listen for the required disclosures.
- If an agent forgets the TPMO disclaimer or the CMS call recording requirements consent language, the AI can flag the call as "At Risk" immediately.
- This real time detection allows for instant coaching, fixing compliance gaps before they ever reach an auditor’s desk.
Retention & audit trail automation
- AI tools eliminate the human error of forgetting to save.
- By linking your VoIP system to your CRM, the AI automatically maps every recording to the correct beneficiary profile, timestamps the file, and archives it in your 10 year secure vault.
- This creates a set and forget compliance infrastructure.
How Thunai creates an automated 'safe harbor' workflow
- Thunai provides what I call a Digital Compliance Officer.
- By using its Brain to ingest the latest 2026 CMS guidelines, the system performs a Gap Analysis on 100% of your agency's calls. While human managers can only listen to about 2% of calls, Thunai audits every single interaction, scoring them against the CMS call recording requirements.
- If a systemic error is found, you are notified instantly, allowing you to remediate the issue and maintain your Safe Harbor standing with CMS.
The 2026 CMS Compliance Quick Reference Checklist
Distribute this list to your team. It is the tactical baseline for surviving the 2026 AEP and remaining in step with the CMS call recording requirements.
Pre-call checklist (5 items)
- SOA signed? Must be 48 hours old and signed for the correct plan types.
- Licensed & Certified? Ready to sell status verified for the specific carrier.
- Recording active? Verify the VoIP system is engaged.
- Privacy ensured? Call conducted in a secure, HIPAA-compliant area.
- Script loaded? Disclaimer and consent language ready for use.
During-call checklist (6 items)
- Identity: State your name and Licensed Agent status.
- Consent: Obtain verbal agreement to the CMS call recording requirements.
- TPMO Disclaimer: Read the "Not every plan" script within 60 seconds.
- Non-Affiliation: Clarify you are not the government.
- Accuracy: Use only CMS approved brochures and benefit summaries.
- MPPP Discussion: Explain the 2026 prescription payment plan options.
Post-call checklist (4 items)
- Confirm Storage: Verify the file is in the 10 year vault.
- Tag CRM: Map the recording and SOA to the beneficiary record.
- Recommendation Note: Log the rationale for the plan choice.
- Retention Audit: Ensure the audit log captures the call metadata.
Using AI to Meet CMS Call Recording Requirements Better
As CMS call recording requirements in 2026 become stricter under the oversight of the Centers for Medicare & Medicaid Services, agencies need more than good intentions; they need structured systems.
Thunai helps turn compliance into a repeatable framework with built in features designed for Medicare sales teams.
- Thunai Reflect monitors 100% of calls in real time, ensuring the first minute disclaimer is read correctly and flagging missed scripts instantly.
- Thunai Brain delivers verified plan data during conversations, reducing the risk of misinformation.
- With multilingual support in more than 200 languages, Thunai also allows healthcare providers the luxury of being able to record and transcribe all calls in the language of their choice (no matter how many are spoken on the call).
With these features, compliance becomes proactive, measurable, and scalable so your agency stays protected while growing confidently.
Book your Thunai demo today and see how effortless CMS call recording compliance can be.
FAQs on CMS Call Recording Requirements
What are the CMS call recording requirements for Medicare agents?
All TPMOs, including independent agents, must record the audio portion of all marketing, sales, and enrollment calls in their entirety. This mandate covers traditional phone calls and virtual platforms like Zoom.
How long must Medicare call recordings be retained?
Under the Medicare call recording requirements, all sales and enrollment audio files must be retained for at least 10 years. They must be stored in a searchable, HIPAA compliant environment.
Do I need to inform callers that calls are being recorded?
Yes. You must obtain verbal consent at the very start of the interaction. If the beneficiary refuses to be recorded, the CMS call recording requirements dictate that you must terminate the call immediately.
What are the penalties for violating CMS recording requirements?
Penalties include Civil Monetary Penalties of up to $1,000 per record per day, suspension of all enrollment activities, and the potential permanent revocation of your Medicare certification.
What is the CMS permission to contact rule?
CMS prohibits cold calling and door to door visits. Agents must have prior, express, one to one written consent before contacting a beneficiary for marketing purposes.
Are independent Medicare agents required to record calls?
Yes. CMS makes no distinction between a large call center and a solo independent agent. All parties must adhere to the CMS call recording requirements.





