Compliance May 18, 2026

The CMS TPMO Disclaimer for Insurance Agencies: When, How, and Where to Deploy It

Rachel Nguyen

Sr. Compliance Analyst

For three audit cycles running, TPMO disclaimer failures have ranked as a top-three finding in CMS Medicare marketing audits. The fix is no longer a training memo, an agent script update, or a stricter QA rubric. The TPMO disclaimer is a deployment problem — one that lives at the agency level, across every channel where Medicare conversations happen, and one that needs to be owned by the principal, not the producer. This guide walks an agency operator through what changed, where deployment fails, and how to build a disclaimer program that survives an auditor pulling a random call.

The TPMO Deployment Problem in Numbers

Top 3

CMS audit finding category for marketing material violations, including disclaimer placement

5 sec

Window during which the disclaimer must be read on outbound Medicare sales calls

42 CFR

§ 422.2274 codifies TPMO requirements for MA and Part D marketing

100%

Of in-scope calls, web pages, and ads must carry the disclaimer — no exceptions

Why the TPMO Disclaimer Stopped Being a Script Problem

When CMS first rolled the Third-Party Marketing Organization rule into 42 CFR § 422.2274, most agency operators treated it as an agent-training task. Memo goes out, scripts get updated, supervisors listen to a few calls, done. That worked for a single phone room with one carrier.

It does not work in 2026. The average mid-sized Medicare agency is running multiple inbound campaigns, two or three transfer partners, an outbound dialer floor, a website with multiple landing pages, three Facebook ad accounts, mailers, an email program, a YouTube channel, and a captive of 1099 sub-agents. Every one of those surfaces is a place where the TPMO disclaimer either runs or doesn't. Auditors don't grade your script — they grade your deployment. As we covered in our Medicare compliance guide, the question CMS asks is whether the disclaimer reached the beneficiary, not whether the script said it should.

The Disclaimer Itself

The current required statement, in substance, must inform the beneficiary that "We do not offer every plan available in your area. Currently we represent [X] organizations which offer [Y] products in your area. Please contact Medicare.gov, 1-800-MEDICARE, or your local State Health Insurance Program (SHIP) to get information on all of your options." That language — with the X and Y populated accurately for each carrier list and product line — is what has to land on the beneficiary, in the right format, at the right time, every time.

Where the Disclaimer Has to Be Deployed

Most agencies miss findings not because they ignored the rule, but because they only deployed it in the obvious places. CMS expects coverage across every "marketing" surface, and the definition of marketing is broader than most agency owners assume.

Surfaces Where TPMO Disclaimer Must Appear

Surface	Format	Timing / Placement
Outbound sales call	Spoken, verbatim	Within first minute, before plan discussion
Inbound sales call	Spoken, verbatim	Same window once Medicare-eligibility intent is confirmed
TV / radio / digital ads	Spoken or visible text	In the ad itself, not on a follow-up landing page only
Website pages	Visible text (not collapsed)	Footer of every page that markets MA / PDP
Direct mail / printed pieces	Printed, legible font	On the same panel as the call to action
Email marketing	Visible text	In email body, not only in the footer disclaimer block
SMS / text outreach	Text or linked, accessible	In the message or in a clearly linked landing page

Two surfaces consistently break in audits: paid social ads (where character limits invite the temptation to truncate), and inbound calls from third-party transfer vendors (where the rep "warm transferring" doesn't always read the disclaimer before handing the caller to a licensed agent). Both belong to the agency under TPMO accountability, even when the work is outsourced.

The Five Most Common Deployment Failures

If your auditor finds any of these, expect a corrective action plan

CMS audit responses pull a random sample of calls and content from across your channels. A single missing disclaimer in a representative sample is enough to open a finding and trigger a request for the full corrective action plan, which can pull leadership into months of remediation work.

The Five Failures Operators See Repeatedly

Disclaimer read after benefit discussion — agent jumps into "let me tell you about plans in your area" before the disclaimer. The whole call is now non-compliant, regardless of what comes after.

Wrong carrier count — script says "we represent 12 organizations" but your agency was just terminated by one. The disclaimer is now factually wrong on every call.

Speed-read or muffled delivery — the words came out, technically, but a reasonable beneficiary couldn't have understood them. CMS interprets this as a non-disclosure.

Web disclaimer hidden in modal — site puts the disclaimer behind a "Read more" toggle or in a footer that requires scrolling past the entire CTA. CMS expects "clear and conspicuous."

Transfer partner skipped it — lead vendor or transfer house verbalized the disclaimer in a way that doesn't get captured in your recording. Your agency owns the gap because the call ended on your floor.

A Deployment Framework That Survives Audits

The agencies that consistently pass CMS marketing reviews don't have better agents. They have a deployment framework that doesn't depend on agents remembering the rule. The framework has four pillars, and every pillar is owned by the agency, not the producer.

Pillar 1: Single source-of-truth disclaimer text

Your compliance team owns one canonical disclaimer document. The carrier count, product count, and any state-specific clauses live in that one file. Every channel pulls from it. When a carrier appointment changes — agencies in growth mode have this happen monthly — one update propagates everywhere. No more chasing scripts, landing pages, mailers, and ad copy individually.

Pillar 2: Channel-by-channel deployment checklist

Every Medicare-touching channel is mapped to an owner, a deployment mechanism, and a verification cadence. The marketing director owns paid ads. Operations owns inbound and outbound call routing. The web team owns site placement. Compliance owns the audit log that proves it's all in place.

Pillar 3: 100% call coverage, not sampling

Manual QA samples 1–3% of calls. CMS samples randomly — sometimes targeting the exact agent who skipped the disclaimer. The math doesn't work. AI-driven 100% call review, integrated with your call recording infrastructure, catches the misses before the auditor does. The framework requires that every Medicare-coded call be scored for disclaimer presence, timing, and clarity.

Pillar 4: Marketing approval workflow

Nothing carrying the agency's name goes live without compliance sign-off. That includes social posts, agent-purchased lead funnel pages, sub-agency mailers, and webinar slides. The Medicare marketing approval workflow is where the deployment lives or dies, because it's the only chokepoint that catches new content before distribution.

Audit-Ready Verification: What to Measure Weekly

Deployment without verification is faith. The agencies that hold up well in audits run a small dashboard of disclaimer-deployment metrics on a weekly cadence and trigger interventions when any number slips.

Weekly TPMO Deployment Metrics

Disclaimer-present rate by agent — should be 99%+; anyone below 97% goes into immediate coaching or off the floor.
Disclaimer timing distribution — how many seconds in does it land? Should cluster under 60 seconds across the floor.
Transfer-source pass rate — for inbound transfers, did the upstream party verbalize the disclaimer? If not, your agent has to repeat it.
Web/landing page audit — an automated weekly crawl confirms the disclaimer appears on every Medicare-marketing URL.
Carrier-count accuracy check — appointments list reconciled to the disclaimer text monthly, or whenever a contracting change happens.
Marketing-piece approval log — zero pieces went live without sign-off; every piece has a date-stamped approval record.

When the Disclaimer Has to Update Mid-Year

TPMO disclaimer language is not static. Carrier appointments shift, CMS guidance gets refreshed in updated versions of the Medicare Communications and Marketing Guidelines (MCMG), and state DOI overlays sometimes add language requirements. The principal needs a documented change-management process: when does the disclaimer get re-issued, who signs off, how does the change reach every channel, and what's the proof-of-deployment artifact for the audit file.

Annual cadence to plan for

CMS typically issues updated MCMG drafts in spring with finalization in summer. Agencies should build a deployment sprint into July–August every year so the new language is live across every channel before AEP marketing periods open. Anchoring the update to a calendar block, not "when we get around to it," is what separates the principals who are ready from the ones scrambling in October.

Owning the Sub-Agency and Lead-Vendor Surface

For agencies running 1099 sub-agency structures, captive call rooms in different states, or buying transferred calls from third parties, the TPMO accountability does not transfer with the work. The parent agency owns the disclaimer obligation on every surface where its name, brand, or appointed-carriers list shows up. That is true even when the agency didn't produce the page, didn't write the script, and didn't make the call.

The operational implication: you need contractual language with every downstream and upstream partner that requires the disclaimer, gives you the right to audit, and gives you takedown rights if a partner refuses to comply. Without those clauses, your agency is buying liability with every transferred call and every sub-agency landing page.

Key Takeaways for Agency Operators

TPMO is a deployment problem, not a script problem — the principal owns the surfaces, not the agent.
Map every channel — calls, web, ads, mail, email, SMS, sub-agency, transfer partners. Owner and verification for each.
Sample-based QA does not work for TPMO — auditors don't sample, they pull randomly. Aim for 100% call coverage.
Single source of truth disclaimer text — one file, every channel pulls from it, change-managed when carriers shift.
Weekly disclaimer dashboard — treat it as an operating metric, not a once-a-year compliance review.
Contractual coverage with partners — the parent agency carries the liability for sub-agency and transfer-vendor surfaces.

TPMO disclaimer compliance does not have to be the audit finding that pulls leadership into a corrective action plan. Treated as a deployment program owned at the agency level — with a single source of truth, mapped channels, real-time verification, and a documented approval workflow — it becomes a stable, low-friction part of how the agency runs Medicare. The principals who internalize this shift early are the ones whose carrier relationships strengthen heading into AEP, while their less-prepared peers are still rewriting scripts.

Catch Missed TPMO Disclaimers Before CMS Does

AgentTech Dialer's AI compliance scoring reviews every inbound and outbound Medicare call and flags any conversation where the TPMO disclaimer wasn't read — or wasn't read in the required timeframe — so principals can intervene before audits, not after.

Try AgentTech Dialer Now

References & Authoritative Sources

The information on this page is supported by the following official and authoritative sources.