ACA health plan outbound calling TCPA restrictions explained

ACA health plan callers face TCPA fines up to $1,500 per call. Learn which rules apply, what consent you need, and how to stay compliant.

LeadCompliant Team
23 min read
In This Article

Last updated 2026-07-09

Person reviewing outbound call compliance paperwork at a home office desk
Person reviewing outbound call compliance paperwork at a home office desk

TL;DR

Health insurance sellers making outbound ACA calls must follow every TCPA rule covering autodialed calls, prerecorded messages, and Do Not Call registrations. Calling a cell phone without prior express written consent costs $500 to $1,500 per call in statutory damages. No ACA exemption exists. You need the consent before the call, not after.

What TCPA rules actually apply to ACA health plan outbound calls?

All of them. The Telephone Consumer Protection Act, 47 U.S.C. § 227, does not carve out a health insurance exemption for ACA marketplace plans [1]. Sellers, brokers, and lead buyers promoting individual health coverage follow the same rules as any other telemarketer.

Here is what the statute demands at a basic level. You cannot use an automatic telephone dialing system (ATDS) or a prerecorded voice to call a cell phone without the called party's prior express written consent [1]. You cannot call a number on the National Do Not Call Registry unless the consumer gave you permission or has an established business relationship with you. You must honor company-specific Do Not Call requests within 30 days.

The FCC's 2012 amendment tightened the consent standard for telemarketing calls. It requires written consent that is clear and conspicuous and states the consumer agrees to be contacted by autodialer or prerecorded message [2]. Oral consent does not cover autodialed or prerecorded telemarketing calls. A checkbox buried in a health plan enrollment form fails the standard unless it clearly describes who will call and by what method.

One phrase from 47 U.S.C. § 227(b)(1)(A) is worth knowing verbatim. The statute prohibits making "any call (other than a call made for emergency purposes or made with the prior express consent of the called party)" using an ATDS or prerecorded voice to any cell phone [1]. Courts read "any" broadly. The health insurance context changes nothing.

Is there a healthcare or ACA exemption from TCPA for outbound calls?

There is a narrow healthcare exemption, and it almost certainly does not touch outbound ACA sales calls. The FCC created an exemption for certain healthcare-related calls that are non-commercial, carry no marketing, and go to residential lines [2]. Appointment reminders, prescription notifications, and similar calls from a patient's own provider may qualify. Selling a health plan does not.

The FCC's 2015 Declaratory Ruling clarified that the exemption under the Health Insurance Portability and Accountability Act (HIPAA) does not override TCPA consent requirements for any call with a marketing component [2]. If your call or voicemail promotes a plan, compares premiums, or tries to enroll a consumer, it is a telemarketing call under TCPA no matter the subject matter.

Some callers argue that informational calls about subsidies or enrollment deadlines are not telemarketing. That argument has a weak record in court. Judges look at whether the call has a commercial purpose. If you are trying to enroll someone in a plan your company profits from, courts treat that as telemarketing [3].

Do not lean on any healthcare carve-out for ACA outbound sales. Assume full TCPA obligations apply.

Prior express written consent is the standard the FCC requires before you can autodial or send prerecorded telemarketing messages to a cell phone [2]. For ACA health plan calls it has three parts, and all three have to be present.

First, the consent lives in writing. Electronic signatures count under the E-Sign Act, so a web form works. A recorded verbal agreement does not satisfy "written."

Second, the disclosure has to authorize the specific type of contact. The FCC's 2012 rule requires that the agreement "clearly and conspicuously" disclose that the consumer authorizes the seller to deliver telemarketing messages using an ATDS or prerecorded voice [2]. Vague language like "I agree to be contacted" is likely worthless.

Third, consent cannot be a condition of buying anything [2]. This is a common trap on ACA enrollment forms. If a consumer cannot finish an application without checking the consent box, that consent is invalid.

For lead generation, consent obtained by a third-party vendor must name your company, or at minimum describe the category of seller clearly enough that the consumer would recognize your call. The FCC's one-to-one consent rule, adopted in its December 2023 order, required consent for one seller at a time rather than bundled across dozens of buyers [4]. The Eleventh Circuit vacated that rule in January 2025 [5]. So as of mid-2025 bundled consent remains legal under federal rules, though individual states impose tighter standards.

Store your consent records with timestamps, the URL of the consent page, the consumer's IP address, and the exact disclosure text shown at the time. If you cannot produce that record in litigation, you effectively have no consent.

TCPA exposure for ACA outbound callers: key numbers Federal statutory figures every health plan caller should know $500 Statutory damages per call (standard) $1,500 Statutory damages per call (willful) $52k FTC civil penalty per DNC violation (2023) $31 DNC scrub frequency (days) Source: 47 U.S.C. § 227; FTC TSR 16 C.F.R. Part 310; FCC RND Order FCC 18-177

What are the TCPA penalties for illegal ACA outbound calls?

Statutory damages run $500 per violation for negligent violations and up to $1,500 per violation for willful or knowing ones [1]. Each call or text is a separate violation. A single mass-dial campaign with 10,000 unconsented calls can produce $5 million to $15 million in statutory damages before any attorney fees.

There is no cap on aggregated statutory damages in a class action. That is why ACA and Medicare supplement callers keep showing up as TCPA defendants. The statute requires no actual damages, so a consumer who got one illegal robocall can sue for $500 without proving any harm beyond the call [1].

The FTC enforces the Do Not Call rules separately and can seek civil penalties up to $51,744 per violation under its 2023 adjusted figures [6]. State attorneys general can bring TCPA enforcement actions on behalf of residents too.

Settlements in the insurance space have been large. Every case is different, but you can read how courts and defendants structure these outcomes in the cash app tcpa class action settlement and the credit one tcpa settlement. The insurance vertical is not special in how damages stack up.

Violation typeStatutory damages per call
Standard violation$500
Willful or knowingUp to $1,500
FTC DNC civil penalty (2023)Up to $51,744 per call

Willfulness is easier to find than most callers expect. If you got a cease-and-desist letter and kept calling, that is willful. If your compliance policy said one thing and your dialer did another, courts have found willfulness there too [3].

Do ACA callers need to scrub the National Do Not Call Registry?

Yes. Health plan sellers are telemarketers under the FTC's Telemarketing Sales Rule and must scrub against the National Do Not Call (DNC) Registry before dialing residential numbers [6]. The registry covers both landlines and cell phones.

You have to access and scrub the registry at least every 31 days [6]. If a consumer registered more than 31 days before your call, and you called them without consent or an established business relationship, you have a DNC violation on top of any TCPA exposure.

An established business relationship (EBR) can supply a DNC defense if the consumer bought from you or made an inquiry inside specific windows: 18 months after a purchase, 3 months after an inquiry [6]. For ACA plans, an EBR from a prior enrollment year may cover the renewal call. But the moment a consumer tells you to stop calling, the EBR defense is gone regardless of its age.

For a practical guide on accessing the registry, see our article on the do not call list and how to pull lists for your calling area. If you run mobile-focused campaigns, the mobile phone do not call list article covers the cell phone registration angle in more detail.

One thing many ACA callers miss: your internal suppression list is a separate obligation from the DNC registry. If someone tells your agent they never want a call again, that goes on your company's internal DNC list and must be honored within 30 days, independent of what the national registry shows [6].

Does the TCPA apply differently to cell phones vs. landlines for health plan calls?

Yes, and the gap matters. The ATDS and prerecorded voice restrictions in 47 U.S.C. § 227(b)(1)(A) apply specifically to cellular telephone service [1]. Calling a residential landline with a prerecorded message is also restricted, but the consent standard is lower. The FCC allows some informational prerecorded calls to residential landlines without prior consent, while telemarketing prerecorded calls to landlines require prior express written consent [2].

The takeaway for ACA callers is simple. Cell phones get the harshest protection. Most working-age adults in the ACA market use cell phones as their primary line, so assume virtually every number you dial is a cell phone unless your data proves otherwise.

Port analysis tools can classify a number as wireless or wireline at the time of the call. This does not erase risk, because numbers port between carriers and classifications go stale, but it is standard due diligence. Running a wireless carrier lookup before dialing gives you a documented good-faith effort even if a number turns out to be ported.

One more cell phone wrinkle: the "called party" under TCPA is the current subscriber of the number, not the person you think you are dialing. If your list holds reassigned numbers, the new subscriber can sue you even when the original subscriber gave consent [7]. The FCC's reassigned numbers database, launched in November 2021, lets callers check whether a number has been reassigned since consent was obtained [7].

Document every element of consent at the moment it is created. This is not about being thorough for its own sake. In TCPA litigation, the burden effectively shifts to the caller once a plaintiff establishes the call happened. You need records that show consent was real, specific, and obtained before the call.

For web-based consent (the most common for ACA lead gen), store the exact text of the disclosure shown to the consumer, a screenshot or server-side render of the page at the time of consent, the consumer's IP address, date and time stamp, the URL, and any pre-filled versus user-entered fields. Your database should tie all of it to the phone number you called.

For consent obtained by a lead vendor, get a written certification that specifies how consent was collected, the disclosure language used, and that the consumer was not offered any incentive that might invalidate consent. Contests, sweepstakes, and prizes tied to consent are red flags under FCC guidance [2]. Audit vendor consent records on a sample basis. If a vendor cannot produce records for a sample you request, stop buying from them.

Retention period: TCPA carries a four-year federal statute of limitations [8]. Keep consent records at least four years from the date of the last call to that consumer. Some state laws reach back further, so check the states where you operate.

LeadCompliant's compliance kit includes a consent record checklist and a vendor certification template you can use before the next ACA open enrollment season. It is free and takes about 20 minutes to work through.

One detail that trips up small teams: if you transfer a lead to a different seller or use the consent to benefit a co-registration partner, the original consent may not cover those downstream calls. Get fresh consent for each separate entity that intends to call.

How do the FCC's 2024 and 2025 rule changes affect ACA health plan callers?

The FCC adopted a one-to-one consent rule in December 2023 that would have forced lead generators to get separate, seller-specific consent for each company that might call a consumer [4]. For ACA lead gen shops selling shared leads to multiple carriers and brokers, that would have been a heavy operational change.

The Eleventh Circuit vacated the rule in January 2025, finding the FCC exceeded its statutory authority [5]. So as of mid-2025, bundled consent obtained for multiple sellers at once stays permissible under federal TCPA rules. The FCC has signaled it may address the issue by other means, and several states, including Florida and Oklahoma, have passed their own mini-TCPA laws that impose one-to-one or similar consent requirements regardless of federal action [9].

Florida's Telephone Solicitation Act, amended in 2021 and again in 2023, is the aggressive one. It covers calls made using any automated system, applies to calls to Florida residents from anywhere, and allows a $500 per call private right of action [9]. ACA callers with any Florida traffic need a state-level analysis separate from their federal TCPA work.

The FCC also adopted rules in February 2024 treating AI-generated voices in robocalls as prerecorded messages under TCPA [10]. If your ACA call center uses voice synthesis or AI agents for outbound calls, those calls carry the same consent requirements as any other prerecorded call.

Keep an eye on the FCC's TCPA docket, CG 02-278, which covers most consumer protection items [2]. The rules here have shifted more in the past three years than in the prior decade.

What is the TCPA risk profile for buying ACA health plan leads?

Buying leads does not move the TCPA risk to the seller. Courts have found lead buyers liable as the party who made or initiated the call even when a third party collected the consent [3]. This is not theoretical. Carriers and insurance marketplaces have been named in class actions precisely because the consent their lead vendor collected was deficient.

The core liability question is whether you "initiated" the call. The FCC reads "initiation" to include parties who take the steps to make a call happen, which can include uploading a purchased list to a dialer [2]. Buying a list of "opted-in" leads and loading them into your autodialer makes you an initiator under that standard.

Before buying any ACA lead, ask the vendor:

  • What disclosure language appeared at the time of consent?
  • Was your company (or category) named specifically?
  • Can you produce a timestamp, IP, and screenshot for each record on request?
  • Are there incentives tied to the consent (sweepstakes, free gift cards)?
  • How old is the consent, and have the records been scrubbed for reassigned numbers?

If the vendor cannot answer those clearly, the lead is not worth the litigation risk. Clean leads cost more up front. Dirty leads cost more in the end.

For a deeper look at cold calling obligations, see our guides on cold calling and cold call practices under TCPA. The consent logic is the same. The ACA context just adds urgency because of high call volume during open enrollment.

What calling hours and disclosure rules must ACA health plan callers follow?

The TCPA and the FTC's Telemarketing Sales Rule both restrict calling hours. Outbound telemarketing calls are prohibited before 8:00 a.m. or after 9:00 p.m. at the called party's local time [1][6]. That means the consumer's time zone, not yours. A call center in Arizona dialing a New York consumer at 8:30 p.m. Arizona time (10:30 p.m. ET) is a violation.

Required disclosures at the start of every telemarketing call include the identity of the individual caller, the identity of the company on whose behalf the call is made, and a phone number or address where the company can be reached [6]. Prerecorded messages must carry these disclosures and give the consumer an automated opt-out mechanism during the call [2].

For ACA specifically, CMS (Centers for Medicare and Medicaid Services) has its own marketing guidelines for Medicare Advantage plans, but individual ACA marketplace plans answer more to state insurance department rules than to CMS marketing rules. Some states require agents to identify themselves as insurance agents and disclose the carriers they represent at the start of the call. Check with your state insurance department before assuming federal disclosures alone are enough.

Text messages (SMS) for ACA marketing carry the same ATDS-based consent requirements as calls when sent using an autodialer. Written consent is required for marketing texts. See our overview of tcpa and text message marketing obligations for the SMS side.

How should a small ACA brokerage build a compliant outbound call process?

Small teams carry the same legal exposure as large carriers. TCPA plaintiffs and class action lawyers do not sort by company size. A brokerage with two agents and a predictive dialer can face the same $1,500-per-call exposure as a national insurer.

Here is a practical framework:

1. Never load a purchased list into a dialer without verifying consent documentation first. Build a checklist that requires a consent record review before any number becomes dialable.

2. Scrub every list against the National DNC Registry no more than 31 days before calling [6]. Scrub against your internal DNC list too. Document both scrubs with timestamps.

3. Use a reassigned numbers check. The FCC's Reassigned Numbers Database (RND) costs little and reduces the risk of calling a number that ported to a new subscriber after your consent was obtained [7].

4. Train agents to document any consumer request to stop calling on the spot, and confirm that request lands on your internal DNC list the same day.

5. If you use any automated dialing technology, get a written opinion from a TCPA-informed attorney on whether your system qualifies as an ATDS under the Supreme Court's 2021 Facebook v. Duguid ruling [11]. That case narrowed the ATDS definition. It did not erase it.

6. Review your lead vendor contracts every year. Include an indemnification clause requiring the vendor to defend you if the consent they collected turns out to be defective.

LeadCompliant's free compliance checklist covers each step on one page for teams without a legal department. You can grab it without creating an account.

The do not call telemarketer list and how do i get the do not call list articles explain the mechanics of DNC access in plain terms if you have never subscribed.

Frequently asked questions

Can an ACA health plan seller call a consumer who filled out a health insurance quote form online?

It depends on what the form said. If the disclosure clearly named your company and stated the consumer agrees to receive autodialed or prerecorded calls, you likely have valid consent. If the form used vague language like "I agree to be contacted," or listed dozens of possible callers, consent may be deficient under FCC standards. Always review the exact disclosure text before calling. Vague forms have cost companies millions in TCPA class actions.

Does TCPA apply to calls made by a licensed insurance agent manually dialing on a cell phone?

Manual one-at-a-time dialing without any automated element generally falls outside ATDS restrictions under the Supreme Court's Facebook v. Duguid decision from 2021. The call is still subject to Do Not Call Registry rules, calling hours restrictions, and required disclosures. Manual dialing is not a free pass. DNC violations from manual calls are just as real as ATDS violations.

You stop calling immediately. TCPA lets consumers revoke consent at any time by any reasonable means. The FCC's 2024 revocation rules, effective April 2025, confirm that consumers can revoke via text reply, verbal request during a call, or written request, and callers must honor revocation within 10 business days. Calling after revocation is a willful violation subject to $1,500 per call in statutory damages.

Are ACA open enrollment calls subject to any different rules than calls made year-round?

No federal TCPA rule creates a seasonal exception for open enrollment. The same consent requirements, calling hours, and DNC obligations apply whether or not open enrollment is active. Some callers assume urgency justifies looser practices during enrollment. That assumption has produced heavy TCPA liability. Call volume spikes during enrollment actually increase exposure, because more calls mean more potential violations.

Can a health insurance carrier be held liable for TCPA violations committed by an independent broker calling on its behalf?

Yes. The FCC's vicarious liability standard holds sellers liable for calls made by agents acting with actual or apparent authority, or where the seller ratified the agent's conduct. If a carrier hands brokers leads, scripts, or dialing tools and does not supervise their calling, courts have found the carrier vicariously liable. Carrier compliance programs have to reach their distribution networks, more than internal staff.

What is the statute of limitations for a TCPA claim against an ACA caller?

Four years under the federal catch-all statute, 28 U.S.C. § 1658. A consumer can sue for a call received up to four years ago. Some state TCPA analogs run on different clocks. Florida's Telephone Solicitation Act, for example, has its own framework. Keep consent and calling records at least four years from the date of the last call to each consumer.

Does the CMS Medicare marketing rule also apply to ACA marketplace plans?

CMS marketing rules under 42 C.F.R. Part 422 and 423 govern Medicare Advantage and Part D plans, not individual ACA marketplace plans. ACA marketplace plans answer to state insurance departments and the ACA's own market rules. If your team sells both Medicare Advantage and ACA plans, you operate under two separate marketing regimes and need to keep the compliance frameworks separate.

Is there a safe harbor if a caller relied on a lead vendor's assurance that consent was valid?

No statutory safe harbor exists for relying on a vendor's representations, but good-faith reliance based on documented due diligence can cut willfulness findings and reduce damages from $1,500 to $500 per call. That mitigation requires you to have actually reviewed the vendor's consent documentation, more than accepting a verbal assurance. Courts have not been kind to callers who took no steps to verify consent quality.

Do ACA callers need to register with the FTC to access the National DNC Registry?

Yes. Telemarketers must register at telemarketing.donotcall.gov and pay access fees based on the area codes they call. As of 2023, the fee is $70 per area code per year, with the first five area codes free. Organizations that call only consumers who gave express consent or have an established business relationship still need to register. They are not exempt from the registration requirement itself.

If the text goes out on an autodialer and promotes enrollment or a specific plan, it requires prior express written consent under TCPA no matter how the sender labels it. An informational text that also benefits the sender commercially is marketing. Only texts with no commercial purpose, sent by a healthcare provider to its own patients, may qualify for a narrower healthcare exception, which does not cover sales outreach.

What should an ACA brokerage do if it receives a TCPA demand letter or lawsuit?

Call a TCPA defense attorney immediately. Do not delete any calling records, consent records, or communications with lead vendors. Preserve everything. Assess whether the consent documentation supports a defense and whether the calls used an ATDS. Early settlement is common because TCPA cases are expensive to litigate and statutory damages aggregate fast. Proactive consent documentation makes these situations far easier to resolve.

How does the FCC's reassigned numbers database help ACA callers reduce TCPA risk?

The FCC's Reassigned Numbers Database (RND), available since November 2021, lets callers check whether a number was permanently disconnected and reassigned to a new subscriber since they obtained consent. Calling a reassigned number exposes you to liability from the new subscriber. Checking the RND before each campaign and removing reassigned numbers is a concrete, low-cost risk reduction step courts have recognized as responsible due diligence.

Sources

  1. U.S. Congress, 47 U.S.C. § 227 (Telephone Consumer Protection Act): TCPA prohibits using an ATDS or prerecorded voice to call a cell phone without prior express consent; $500 per violation, up to $1,500 for willful violations
  2. U.S. Supreme Court, Campbell-Ewald Co. v. Gomez, 577 U.S. 153 (2016): Lead buyers can be held liable as the party who initiated a TCPA-violating call even when a third party collected the consent
  3. Eleventh Circuit, Insurance Marketing Coalition v. FCC, No. 24-10277 (January 2025): Eleventh Circuit vacated FCC one-to-one consent rule in January 2025, finding the agency exceeded its statutory authority
  4. FTC, Telemarketing Sales Rule, 16 C.F.R. Part 310: TSR requires DNC scrubbing every 31 days, calling hours 8am-9pm local time, required disclosures, and civil penalties up to $51,744 per violation as of 2023
  5. U.S. Code, 28 U.S.C. § 1658, Federal catch-all statute of limitations: Four-year federal statute of limitations applies to TCPA claims
  6. Florida Legislature, Florida Telephone Solicitation Act, Fla. Stat. § 501.059: Florida FTSA amended in 2021 and 2023 applies to any automated calling system, covers Florida residents regardless of caller location, and provides $500 per call private right of action
  7. U.S. Supreme Court, Facebook, Inc. v. Duguid, 592 U.S. 395 (2021): Supreme Court narrowed ATDS definition in 2021, requiring a system to use a random or sequential number generator to qualify; manual one-at-a-time dialing generally falls outside this definition
  8. FTC, National Do Not Call Registry: Telemarketers must register and pay $70 per area code per year to access the DNC registry; first five area codes are free

Disclaimer: LeadCompliant is a compliance review tool, not a law firm. We do not provide legal advice. Consult with a TCPA attorney for legal guidance on specific compliance questions. Compliance scores, audits, and risk assessments are informational only.

LeadCompliant Team

LeadCompliant provides expert guidance and tools to help you succeed. Our content is reviewed for accuracy and kept up to date.

Related Articles

Related Glossary Terms

LeadCompliant
Build My Kit