- MediMatch operates in a compliance-aware, HIPAA-capable posture — but HIPAA scope is determined by whether your organization qualifies as a Covered Entity or Business Associate for the specific data flow, not by the sensitivity of the data alone.[1] Insurance brokerages collecting Medicare leads directly from consumers typically do not trigger HIPAA for that data.
- The binding regulatory framework for AI-assisted Medicare lead generation is state consumer-health privacy law, CCPA/CPRA, TCPA, and CMS Medicare marketing rules — not HIPAA.[2][3][4][5] Several of these apply regardless of HIPAA status. MediMatch is architected to support all of them.
- Transmitting health-related data over SMS is legally permissible with the correct consent, disclosure, and transport framework. HHS/OCR guidance explicitly permits covered entities to communicate via text when the individual is warned and consents to the channel.[6] Multiple HIPAA-eligible messaging platforms support BAA-backed SMS pipelines commercially.[7]
- MediMatch offers flexible deployment options — including a redact-in-boundary architecture that keeps raw personal health data inside your organization's cloud environment — enabling genuine data sovereignty without sacrificing the platform's AI capabilities.
Does MediMatch Need to Be HIPAA Compliant?
It depends on your organization's regulatory role — not on the sensitivity of the data alone. Understanding how HIPAA attaches is the first step to an accurate compliance posture.
1.1 How HIPAA Jurisdiction Attaches
HIPAA, as enacted in 1996[8] and expanded by HITECH in 2009,[9] regulates two categories of organizations:
- Covered Entities (CEs)
- Health plans, healthcare clearinghouses, and healthcare providers who electronically transmit individually identifiable health information — including health insurers, hospitals, pharmacies, and clinical laboratories.[1]
- Business Associates (BAs)
- Any vendor or partner that creates, receives, maintains, or transmits Protected Health Information (PHI) on behalf of a Covered Entity.[10] A vendor to a BA is a subcontractor business associate, bound by the same rules through a mandatory Business Associate Agreement (BAA).[11]
Crucially, HIPAA's definition of "Protected Health Information" applies only to health data held by or for a Covered Entity or Business Associate.[12] The same data held outside that relationship is personal information — regulated by other privacy frameworks but not HIPAA.
1.2 Does Your Brokerage or Carrier Qualify as a Covered Entity for Lead Data?
Three principles apply to most insurance carriers and brokerages:
- Insurance agents and brokers are generally not HIPAA Covered Entities. "Health plan" status under HIPAA covers the carriers and issuers themselves — not the intermediaries who market or distribute their products.[13]
- Consumer-volunteered lead data collected before any carrier relationship is not PHI. When a consumer shares health context directly with a non-covered-entity broker in a lead-gen flow, there is no covered entity in the chain and therefore no PHI in the HIPAA sense.[12]
- Business associate status can arise in other lines of business. Organizations that administer group health benefits, handle carrier PHI on a carrier's behalf, or perform claims processing functions may qualify as BAs — and in those contexts, a vendor like MediMatch would require a subcontractor BAA.
MediMatch operates as a HIPAA-capable platform. Whether your deployment runs in standard mode or full HIPAA scope (BAA + HIPAA-eligible subprocessors) depends on whether your organization's role for the specific data flow requires it. We support both — and we help you make that determination accurately.
1.3 Why Carriers and Brokers Elect "HIPAA-Capable" Vendors Regardless
Even when strict HIPAA compliance is not legally required, healthcare-adjacent organizations typically require HIPAA-aligned controls from technology vendors because:
- Enterprise security and compliance teams contractually require BAAs as a baseline vendor qualification.
- HIPAA's Security Rule technical safeguards serve as the minimum floor for the controls state consumer-health laws independently require.
- A "BAA available when your role requires it" posture removes a common procurement blocker while accurately representing the platform's default compliance scope.
What Compliance Does Your Organization Own?
In the MediMatch relationship, your organization is the data controller and owner; MediMatch is the data processor and technology vendor. Your obligations extend well beyond HIPAA — and several of the most important ones apply regardless of HIPAA status.
Regulatory Deep-Dive: State Consumer Health Privacy Laws
The most significant emerging compliance exposure for Medicare lead generation is not HIPAA — it is state consumer health privacy legislation designed specifically for non-HIPAA-covered entities:
- Washington My Health My Data Act (MHMDA), enacted 2023:[2] Covers any data that identifies a consumer's health condition, diagnosis, or the fact that they sought health services. Medicare intake data qualifies. Requires affirmative opt-in consent, a published consumer-health-data privacy policy, and the right to request deletion. Carries a private right of action — the same enforcement mechanism as TCPA.
- Nevada SB 370, enacted 2023:[3] Parallels the Washington framework (opt-in consent, privacy notice, data minimization). Attorney General enforcement; no private right of action.
- Connecticut, Colorado, Virginia, and a growing multistate list[14] treat health data as sensitive personal information requiring affirmative consent under their comprehensive privacy laws. Organizations marketing into multiple states need a mapped compliance program, not a single-state analysis.
TCPA — The Real SMS Gate
The operationally urgent SMS compliance issue is consent architecture, not transport encryption. The Telephone Consumer Protection Act[5] requires:
- Prior express written consent (PEWC) for any marketing or solicitation message.[15]
- At minimum, prior express consent for informational or transactional messages.
- Immediate honoring of STOP / opt-out requests, with per-message penalty exposure of $500–$1,500.
MediMatch enforces TCPA-compliant opt-in capture, opt-out processing, and consent logging at the platform level.
CMS Medicare Marketing Rules & TPMO Classification
CMS's Medicare Communications and Marketing Guidelines (MCMG)[17] and Third-Party Marketing Organization (TPMO) requirements[16] operate independently of privacy law and may directly classify the parties involved in a Medicare lead-gen flow:
- TPMO status triggers: required standard disclaimer language in all consumer-facing communications; audio recording of telephonic and virtual sales/marketing/enrollment calls retained for 10 years; and Scope-of-Appointment (SOA) documentation before any plan discussion. The audio recording mandate covers phone and web-based calls — not SMS. SMS enrollment conversations are subject to the separate 10-year general records retention requirement under Chapter 11 of the Medicare Managed Care Manual.
- MediMatch's conversational flow supports compliant disclaimer insertion and retention of required records.
Responsibility Allocation Summary
| Obligation | Regulation | Responsibility |
|---|---|---|
| Affirmative opt-in consent capture for health data | WA MHMDA, NV SB 370, CCPA/CPRA | Insurer + Platform |
| Consumer health data privacy notice / policy | WA MHMDA, CCPA/CPRA | Insurer |
| Prior express written consent for marketing SMS | TCPA | Insurer + Platform |
| STOP/opt-out processing and logging | TCPA | Platform (MediMatch) |
| TPMO disclaimer language in consumer flows | CMS MCMG | Insurer + Platform |
| 10-year call/interaction recording retention | CMS TPMO | Insurer + Platform |
| Data Processing Agreement (DPA) execution | CCPA/CPRA | Insurer (with MediMatch) |
| BAA execution (when CE/BA role is triggered) | HIPAA | Insurer (with MediMatch) |
| Access controls, audit logs, encryption at rest/in transit | HIPAA Security Rule / best practice | Platform (MediMatch) |
| Breach notification to affected individuals | HIPAA Breach Notification Rule | Insurer (primary) |
Is Transmitting Health Data Over SMS Legally Permissible?
Yes — with the correct framework in place. The concern that "health data over SMS is a compliance failure" is a reasonable security instinct, but it is not an accurate statement of law.
3.1 What the Regulations Actually Require
- HIPAA does not prohibit SMS or email communication of PHI. HHS Office for Civil Rights guidance[6] is explicit: a covered entity may communicate with an individual via unencrypted text or email if the individual is warned of the risk and still chooses that channel. Patients have a statutory right to receive communications by their preferred method. The obligation is to warn, document, and honor the preference — not to refuse.
- The Security Rule's transmission-encryption standard is "addressable," not mandatory.[18] Organizations may implement an equivalent alternative — such as documented consent and risk acknowledgment — where encrypting the specific channel is unreasonable or inappropriate. This distinction is frequently misunderstood in security reviews.
- Platform-side safeguards carry the substantive obligations. The vendor storing and processing messages bears access control, audit logging, and breach notification requirements. The unencrypted carrier-network SMS hop is a disclosed, consented risk — not a legal disqualifier.
3.2 The Right Design Pattern for SMS Health Engagement
- Consent + Risk Disclosure First: Explicit opt-in and channel-risk acknowledgment before any health-related SMS exchange. Satisfies the HIPAA addressable standard, TCPA, and state health consent requirements simultaneously.
- Minimize Sensitive Data Over SMS: Route low-sensitivity interaction (eligibility screening, appointment confirmation, general plan questions) through SMS. Keep the channel appropriate to the data sensitivity.
- Redirect Heavy PII to a Secure Web Channel: Fields like full date of birth, SSN, medication lists, and detailed diagnosis history are routed to a TLS-encrypted web form or in-app experience — not collected over SMS.
- BAA-Backed Transport for Any PHI in Scope: Any PHI that does transit SMS flows through a HIPAA-eligible messaging provider under a signed BAA. Multiple vendors support this at commercial scale (see §3.3).
3.3 HIPAA-Eligible SMS Infrastructure: Industry Landscape
Texting personal and health data under a BAA-backed framework is established industry practice. Both the messaging infrastructure layer and entire product categories are built on this model.
| Vendor | Category | HIPAA Status |
|---|---|---|
| Twilio[7] | CPaaS / Messaging Infrastructure | BAA Available |
| Sinch[20] | CPaaS / Messaging Infrastructure | BAA Available |
| AWS End User Messaging / SNS[21] | Cloud Messaging Infrastructure | AWS BAA Covers |
| Artera (formerly WELL Health)[22] | Patient Engagement Platform | HIPAA-Compliant |
| Klara[23] | Clinical Messaging Platform | HIPAA-Compliant |
| Relatient[24] | Patient Engagement Platform | HIPAA-Compliant |
Health insurers, PBMs, and pharmacies routinely send refill reminders, enrollment confirmations, and benefit information via SMS under BAA-backed frameworks. The differentiator for any platform is not SMS avoidance — it is the combination of documented consent, HIPAA-eligible transport, and appropriate channel routing by data sensitivity level.
How MediMatch Supports Your Compliance Program
MediMatch is designed to serve as a compliant technical layer — one that reduces your regulatory burden rather than adding to it. The following describes the platform's compliance support capabilities.
Consent Architecture
MediMatch's conversational intake flow is built around a consent-first model. The platform captures, timestamps, and logs documented opt-in events at the point of collection — covering TCPA prior express written consent for SMS marketing, Washington MHMDA affirmative opt-in requirements, and CCPA/CPRA sensitive personal information consent. Opt-out signals (STOP, unsubscribe, withdrawal) are processed immediately and logged for the consent record.
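To make the consent record concrete, the following Python is an added example for this page, not MediMatch's code: an append-only ledger that captures each opt-in with a timestamp, the legal basis and the version of the disclosure the consumer saw, and honors STOP before any other processing of an inbound message. The keyword sets, disclosure version strings and phone numbers are constructed assumptions.

```python
"""Append-only consent ledger with opt-in capture and immediate opt-out handling.

Added example for this page, not MediMatch's code. The keyword sets,
disclosure version strings and phone numbers are constructed assumptions.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import List, Optional

# Common carrier opt-out / opt-in keywords; treated here as an assumption.
OPT_OUT_KEYWORDS = {"STOP", "STOPALL", "UNSUBSCRIBE", "CANCEL", "END", "QUIT"}
OPT_IN_KEYWORDS = {"YES", "START", "UNSTOP"}


@dataclass(frozen=True)
class ConsentEvent:
    phone: str
    kind: str        # "opt_in" or "opt_out"
    basis: str       # legal basis captured, e.g. "TCPA PEWC", "WA MHMDA opt-in"
    disclosure: str  # version of the disclosure text the consumer saw before replying
    evidence: str    # verbatim inbound text (or form field) that constitutes the consent
    at: datetime     # UTC timestamp of capture


@dataclass
class ConsentLedger:
    events: List[ConsentEvent] = field(default_factory=list)

    def record(self, phone: str, kind: str, basis: str, disclosure: str,
               evidence: str, at: Optional[datetime] = None) -> ConsentEvent:
        ev = ConsentEvent(phone, kind, basis, disclosure, evidence,
                          at or datetime.now(timezone.utc))
        self.events.append(ev)  # never rewritten: a withdrawal is a new event, not a deletion
        return ev

    def history(self, phone: str) -> List[ConsentEvent]:
        """Full audit trail for a number, oldest first, for compliance review."""
        return sorted((e for e in self.events if e.phone == phone), key=lambda e: e.at)

    def status(self, phone: str) -> str:
        """'opt_in', 'opt_out' or 'none'; the most recent event for the number decides."""
        hist = self.history(phone)
        return hist[-1].kind if hist else "none"

    def may_send_marketing(self, phone: str) -> bool:
        return self.status(phone) == "opt_in"


def handle_inbound(ledger: ConsentLedger, phone: str, text: str,
                   at: Optional[datetime] = None,
                   disclosure: str = "sms-disclosure-v1") -> Optional[str]:
    """Process one inbound SMS. Returns the auto-reply to send, or None.

    Opt-out is checked first so a STOP is honored before any routing, scoring
    or AI handling of the message body. A keyword reply counts as written
    consent only if the disclosure it answered was adequate, which is why the
    disclosure version is stored with the event.
    """
    first_word = text.strip().split()[0].upper() if text.strip() else ""
    if first_word in OPT_OUT_KEYWORDS:
        ledger.record(phone, "opt_out", "TCPA opt-out", disclosure, text, at)
        return "You have been unsubscribed and will receive no further messages."
    if first_word in OPT_IN_KEYWORDS:
        ledger.record(phone, "opt_in", "TCPA PEWC (keyword reply)", disclosure, text, at)
        return "You are subscribed. Reply STOP at any time to opt out."
    return None
```

Every outbound marketing send should call `may_send_marketing` at send time rather than trusting a cached flag, so that an opt-out recorded a second earlier is already in effect.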
CMS TPMO Compliance Support
MediMatch supports insertion of the CMS-required standard TPMO disclaimer in all consumer-facing conversational flows. Scope-of-Appointment workflow triggers can be configured based on the conversation topic.[16][17]
On record retention: the CMS call recording mandate (audio) applies specifically to telephonic and virtual sales/marketing/enrollment calls — not to SMS transcripts. However, the broader 10-year records retention requirement under Chapter 11 of the Medicare Managed Care Manual applies to all Medicare marketing and enrollment records. SMS conversations that are part of the chain of enrollment (lead intake, plan discussion, enrollment steps) should be retained under that general obligation. MediMatch logs and stores interaction records in a format retrievable for compliance review.
HIPAA Technical Safeguards (Security Rule)
When operating in HIPAA scope under a signed BAA, MediMatch implements the technical safeguards required by 45 CFR Part 164:[18] role-based access controls, audit logging, encryption at rest and in transit, automatic session termination, and incident response procedures aligned with the Breach Notification Rule.[19]
Data Minimization & Channel Routing
The platform's channel routing logic is configurable to minimize the sensitive data collected over SMS. High-sensitivity fields can be automatically redirected to a TLS-secured web form or web-chat session, with the SMS conversation maintaining only the low-sensitivity thread. This design satisfies both HIPAA's addressable transmission-security standard and state consumer-health-data minimization requirements.
Before any compliance program design, your organization should confirm: (1) Is your role in this specific data flow that of a Covered Entity, Business Associate, or neither? (2) Which states are in your marketing footprint — and are WA MHMDA, NV SB 370, or similar laws active there? (3) Does your Medicare engagement program make you or your technology vendor a TPMO under CMS rules? MediMatch can support your counsel's analysis with technical documentation of our data flows and subprocessor chain.
Sources & Footnotes
1. U.S. Department of Health & Human Services. Covered Entity Charts. https://www.hhs.gov/hipaa/for-professionals/covered-entities/index.html
2. Washington State Legislature. Washington My Health My Data Act, HB 1155 (2023). RCW Chapter 19.373 (effective March 31, 2024). https://apps.leg.wa.gov/rcw/default.aspx?cite=19.373
3. Nevada Legislature. Senate Bill 370 (2023), Consumer Health Data Privacy (Chapter 525, effective March 31, 2024). Nevada Legislative Information System. https://www.leg.state.nv.us/App/NELIS/REL/82nd2023/Bill/10323/Overview
4. California Attorney General. California Privacy Rights Act (CPRA), Proposition 24 (2020). https://oag.ca.gov/privacy/ccpa
5. Federal Communications Commission. Telemarketing, Robocalls, and the Telephone Consumer Protection Act (TCPA). https://www.fcc.gov/general/telemarketing
6. HHS Office for Civil Rights. Do individuals have the right under HIPAA to have copies of their PHI transmitted to them by unencrypted email or text? FAQ 2060. https://www.hhs.gov/hipaa/for-professionals/faq/2060/do-individuals-have-the-right-under-hipaa-to-have/index.html
7. Twilio. HIPAA Compliance and Eligible Services. https://www.twilio.com/en-us/hipaa
8. Public Law 104-191. Health Insurance Portability and Accountability Act of 1996. https://www.hhs.gov/hipaa/index.html
9. Public Law 111-5, Title XIII. Health Information Technology for Economic and Clinical Health (HITECH) Act, 2009. HHS Enforcement Interim Final Rule. https://www.hhs.gov/hipaa/for-professionals/special-topics/hitech-act-enforcement-interim-final-rule/index.html
10. HHS Office for Civil Rights. Business Associates. https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/business-associates/index.html
11. HHS Office for Civil Rights. Business Associate Contracts. https://www.hhs.gov/hipaa/for-professionals/covered-entities/sample-business-associate-agreement-provisions/index.html
12. 45 CFR § 160.103. Definitions: Protected Health Information. https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-160/subpart-A/section-160.103
13. HHS Office for Civil Rights. Health Plans: Covered Entity Guidance. https://www.hhs.gov/hipaa/for-professionals/covered-entities/index.html
14. International Association of Privacy Professionals (IAPP). US State Privacy Legislation Tracker. https://iapp.org/resources/article/us-state-privacy-legislation-tracker/
15. Federal Communications Commission. FCC Report and Order: Prior Express Written Consent for Telemarketing Calls (FCC 12-21, 2012). https://www.fcc.gov/document/fcc-strengthens-consumer-protections-against-telemarketing-robocalls
16. Centers for Medicare & Medicaid Services. TPMO Call Recording & Disclaimer FAQs (Oct. 2022). Official CMS Agent/Broker Marketing FAQ. https://www.cms.gov/files/document/agent-broker-marketing-faqs-10-19-2022.pdf
17. Centers for Medicare & Medicaid Services. Medicare Communications and Marketing Guidelines (MCMG). https://www.cms.gov/medicare/health-drug-plans/managed-care-marketing/medicare-guidelines
18. U.S. Department of Health & Human Services. Summary of the HIPAA Security Rule. 45 CFR Part 164, Subpart C. https://www.hhs.gov/hipaa/for-professionals/security/laws-regulations/index.html
19. U.S. Department of Health & Human Services. Breach Notification Rule. 45 CFR Part 164, Subpart D. https://www.hhs.gov/hipaa/for-professionals/breach-notification/index.html
20. Sinch. HIPAA-Compliant Cloud Communications. https://www.sinch.com/hipaa/
21. Amazon Web Services. HIPAA Eligible Services Reference. https://aws.amazon.com/compliance/hipaa-eligible-services-reference/
22. Artera (formerly WELL Health). Security & Compliance. https://www.artera.io/security
23. Klara. HIPAA-Compliant Patient Communication. https://klara.com/hipaa
24. Relatient. HIPAA Patient Communications. https://relatient.com/hipaa