SalesPulse
Start Free Trial
ComplianceMedicare scope of appointmentMedicare SOA form

Medicare Scope of Appointment (SOA) Rules for 2026

CMS scope of appointment rules trip up more Medicare agents than any other compliance issue. Here's the 2026 rulebook, the 48-hour rule, and how to stay clean.

Kyle Elliott, Founder, SalesPulseJune 1, 202613 min read

If you sell Medicare Advantage or Part D plans, the Scope of Appointment (SOA) form is the single most-violated piece of paperwork in your business. CMS issues hundreds of marketing violations every year tied to SOA failures, and agents lose appointments, get debooked from carriers, and occasionally lose their licenses over what is, on paper, a one-page form.

The rules have also been moving. The 48-hour rule that took effect in 2023, the documentation retention requirements that tightened in 2024, and the prohibited-contact provisions that survived a federal court vacatur in 2025 collectively redefined how Medicare agents are allowed to interact with beneficiaries before, during, and after an appointment. If your SOA workflow hasn't been audited recently, you're almost certainly out of compliance somewhere.

This guide walks through the 2026 SOA rules as currently enforced by CMS, the most common ways agents get caught, and the workflow patterns that keep clean agents clean. For the broader compliance picture, also see our NAIC compliance guide.

What the SOA Actually Is

The Scope of Appointment is a written record documenting that a Medicare beneficiary has agreed, in advance, to discuss specific types of Medicare plans with a specific agent. It exists to protect beneficiaries from being subjected to high-pressure sales of products they didn't ask to hear about.

The form must capture:

  • The beneficiary's name and contact information
  • The agent's name and contact information
  • The specific product types being discussed (Medicare Advantage, Part D Prescription Drug, Medicare Supplement, hospital indemnity, etc.)
  • The date the SOA was completed
  • The date of the planned appointment
  • The beneficiary's signature (electronic or written) authorizing the discussion

Without a valid SOA on file before a marketing appointment, the appointment is non-compliant — regardless of whether it produces a sale.

The 48-Hour Rule

The single biggest 2023 rule change that continues to govern 2026 appointments is the 48-hour rule: an SOA must be completed at least 48 hours before the marketing appointment occurs.

The clock starts when the SOA is fully executed (signed by the beneficiary) and ends when the appointment begins. 47 hours and 59 minutes is non-compliant. Two hours short of the deadline is non-compliant. CMS does not round in your favor.

The exceptions to the 48-hour rule

There are four narrow exceptions where you can hold an appointment with less than 48 hours of SOA lead time:

  1. Beneficiary-initiated walk-ins: The beneficiary walks into your office unannounced and asks to discuss Medicare options. SOA is still required, but can be completed on the spot.

  2. End of valid election period: If the beneficiary is within four days of the end of a valid Medicare election period (AEP, OEP, SEP, IEP), the 48-hour rule is waived. Document the election period and end date on the SOA.

  3. Educational events: Educational events don't require an SOA at all (more on this below). If a beneficiary attends an educational event and then requests a one-on-one follow-up, the SOA can be executed at the educational event itself for an appointment as soon as later that same day.

  4. Inbound calls: If a beneficiary calls you and requests an appointment, the SOA can be completed on that same call for an appointment held within 48 hours.

That's it. Outbound-prospected appointments — door knocks, cold calls, referrals you reach out to, online lead form responses — all require the full 48-hour window. Build it into your scheduling workflow or you'll lose appointments to scope violations.

What Counts as a "Marketing Appointment"

Compliance often hinges on whether a given interaction is "marketing" (SOA required) or "educational" (SOA not required). The line is bright but easy to cross.

Educational events are events that provide objective information about Medicare without referencing specific plans, plan benefits, or premium amounts. You can:

  • Explain how Medicare Parts A, B, C, and D work
  • Discuss general enrollment timing
  • Distribute non-plan-specific Medicare materials (like the official "Medicare & You" handbook)
  • Answer general questions about how Medicare works

Marketing events and appointments involve plan-specific information. You cross the line the moment you:

  • Discuss a specific carrier's plan
  • Quote premiums or benefits for any plan
  • Compare plans (even at a high level)
  • Solicit applications or invite enrollment

If you've ever done a "Medicare 101" seminar and quoted a plan premium during Q&A, you converted an educational event into a marketing event mid-session, and every attendee in the room needed an SOA on file. That's a common audit finding.

The Cross-Selling Rule

If your SOA authorized you to discuss Medicare Advantage and during the appointment the beneficiary asks about a Medicare Supplement plan, you cannot simply pivot. You need a new SOA covering the additional product type, and the new SOA needs to be executed before the discussion happens. Yes, that means pausing the appointment, having the beneficiary sign a new SOA, and then continuing.

Or — and this is what most clean agents do — your initial SOA captures every product type you might reasonably discuss. Mark every applicable box. It's not over-disclosure; it's foresight.

That said, you can't mark every box just to be safe if you have no intention of selling those products. CMS treats over-broad SOAs as a different kind of violation. The correct practice: mark every product you are licensed and contracted to sell to that beneficiary, leave unmarked the products you cannot sell.

SOA Retention Requirements

Once executed, an SOA must be retained for 10 years, even if no enrollment results from the appointment. That's the 2024-tightened rule that still governs 2026.

The retention requirement applies whether the SOA was signed on paper, executed electronically, or recorded verbally (in some limited circumstances, verbal SOAs are permitted for inbound calls). The carrier you're contracted with may require you to upload SOAs to their portal; that does not relieve you of your own retention obligation. Keep your own copy, indexed and searchable, for the full 10 years.

This is one place where Medicare agents routinely get caught. An agent leaves a carrier, switches FMOs, and loses access to the carrier's SOA archive. Three years later, CMS audits a beneficiary complaint and asks for the SOA. The agent can't produce it. Violation.

Build your own retention system. Cloud storage, a CRM with document attachment, a labeled folder structure — whatever works. The key is that the documents are yours, organized by beneficiary name, and you can pull any SOA in under 30 seconds. If you're using a CRM purpose-built for insurance agents, attach the SOA PDF to the contact record at execution time and you'll never lose one.

Prohibited Contact Provisions

The 2024 CMS Final Rule introduced and the courts ultimately upheld a set of provisions that restrict how agents can contact prospective beneficiaries. As of 2026, the binding rules include:

No unsolicited contact unless the beneficiary has given express consent. This includes:

  • Cold calls to numbers obtained from data lists
  • Door-to-door prospecting without a prior request
  • Approaching beneficiaries in common areas of assisted living facilities or other care settings
  • Sending unsolicited text messages or emails

Consent must be specific and granular. A generic "yes I'd like more information" doesn't authorize the agent to contact the beneficiary about any product or about any plan. CMS-compliant consent identifies the specific agent or agency, the specific topics to be discussed, and the channels of contact authorized (call, text, email).

The 12-month consent window. Express written consent expires 12 months after it was provided. If you obtained a beneficiary's consent in 2024 and haven't talked to them since, you can't legally re-engage in 2026 without obtaining fresh consent.

These rules turned the Medicare lead generation industry upside down. The leads you buy from vendors must be sourced with valid, documented, agent-specific consent. If you're buying $20 Medicare leads from a vendor who can't produce the consent capture page, the consent recording timestamp, and the IP address of the consumer's session, those leads are non-compliant — and the violation flows to you, not the vendor.

For more detail on the contact rules and how they interact with TCPA, see our TCPA compliance guide.

Recording Requirements

In addition to SOAs, agents conducting marketing appointments by phone are required to record the entire call from greeting to end. Recordings must be retained for 10 years alongside the SOA. The disclosure ("This call is being recorded for quality and compliance purposes") must be delivered at the start of every recorded call.

For in-person appointments, recording is not required, but most agents now record kitchen-table appointments using a phone app or compliance-grade hardware. The reason: a recorded appointment is the gold-standard defense against a beneficiary complaint. If a beneficiary later claims they were pressured or misled, the recording resolves the dispute in seconds.

If you use a power dialer or softphone, make sure recording is enabled by default for all outbound Medicare calls. The SalesPulse softphone handles this automatically and stores recordings for the full 10-year retention window without manual intervention.

Common SOA Mistakes That Trigger Audits

After working with thousands of Medicare agents, these are the SOA failures that show up most often in CMS audits and carrier compliance reviews:

Forgetting the 48-hour rule on a scheduled appointment. You called the beneficiary on Tuesday morning, sent them the SOA at 10 AM, they signed at 11 AM, and you held the appointment at 2 PM the same day. Three hours, not 48. Violation, regardless of how well the appointment went.

Using an outdated SOA form. CMS updates the model SOA periodically. Carriers and FMOs distribute updated versions. If you're using a 2023 form template in 2026, you may be missing required language that CMS added in subsequent updates. Refresh your templates annually.

SOAs without all required signatures or dates. The single most common failure: agent forgets to sign, or the date field is left blank, or the appointment date is missing. CMS auditors check every box. A missing date is a missing date.

Discussing products not authorized on the SOA. Covered above. Mark all relevant boxes upfront, or you'll trip yourself up.

Lost SOAs at audit time. Covered above. Keep your own copy, indexed.

Verbal SOAs without recording. A verbal SOA is permissible for inbound calls in specific circumstances, but it must be recorded. If the call wasn't recorded, the verbal SOA didn't happen as far as CMS is concerned.

Failing to provide the SOA to the beneficiary. The beneficiary is entitled to a copy of the executed SOA. After signing, you must provide it to them either at the appointment, by email, or by mail. Failure to provide it is a violation even if every other element of the SOA is correct.

A Compliant Workflow That Doesn't Slow You Down

The agents who manage 200+ Medicare appointments per AEP without SOA violations all run a version of the same workflow:

  1. Lead comes in. Whether from a vendor, a referral, or a permission-based campaign, the lead is tagged with the consent source, consent date, and consent type.

  2. Initial call. The beneficiary expresses interest in a marketing appointment. On the call, the agent describes the product types they'll cover and asks the beneficiary to authorize via SOA.

  3. SOA sent immediately. Within minutes of the call, the SOA is sent via e-signature platform. Carriers and FMOs distribute their own templates; many agents standardize on a carrier-neutral SOA they fill out and customize per appointment.

  4. SOA signed. Beneficiary completes the SOA. The system timestamps the signature.

  5. Appointment scheduled at least 48 hours after the signature timestamp. Not 47 hours. Build the buffer into your calendaring tool.

  6. Reminder sent to beneficiary 24 hours before appointment with a copy of the executed SOA attached.

  7. Appointment held. Recording begins immediately on connect. The agent confirms the SOA verbally at the start ("I have your scope of appointment authorizing us to discuss Medicare Advantage and Part D today, correct?").

  8. Application submitted (or not). Regardless of outcome, the SOA, the call recording, and any application materials are filed in the contact record.

  9. 10-year retention. Documents remain accessible, indexed, and searchable for the full retention period.

The whole workflow takes about three minutes of agent time per appointment when supported by a CRM that handles e-signature, document attachment, calendaring, and recording in one platform. Most violations happen because agents are stitching together five tools and the SOA falls through the cracks.

How a Modern CRM Reduces SOA Risk

SOA compliance is fundamentally a documentation and timing problem. A modern CRM solves both. Specifically, a Medicare-aware CRM should:

  • Generate carrier-compliant SOA forms with the agent's contact info pre-filled
  • Send SOAs for e-signature directly from the contact record
  • Block appointment scheduling within 48 hours of the SOA signature timestamp (with override for the four exception categories)
  • Automatically attach the executed SOA and the appointment recording to the contact record
  • Maintain a 10-year retention archive that survives carrier and FMO changes
  • Surface lead consent metadata so you know which leads can be legally contacted and which can't

The SalesPulse platform handles each of these, and the AI follow-up engine is configured to respect Medicare contact restrictions — it won't text or call a beneficiary unless the consent on file authorizes that channel. For more on the AI side, also see AI prompts for insurance agents.

The Bottom Line

SOA compliance isn't optional and it isn't a paperwork problem to push to the end of the day. It's the foundation of a defensible Medicare practice. The 48-hour rule, the 10-year retention requirement, the contact restrictions, and the recording mandates collectively raise the operational bar for Medicare agents — and they raise it most steeply for solo agents who can't afford a dedicated compliance officer.

The good news: every one of these requirements is easy to comply with when your workflow is built right. The bad news: every one of them is also easy to violate when your workflow is built wrong.

Audit your SOA process this week. Pull the last 20 SOAs you executed and check them against the criteria above. If any of them are missing a date, a signature, the appointment time, or the recorded call, fix the gap before AEP. Your future self — and your CMS auditor — will thank you. To plan ahead for AEP season more broadly, see our AEP preparation guide. Start a SalesPulse trial and build a compliant Medicare workflow that holds up to audit.

Start for free — no credit card required

Ready to Transform Your Insurance Sales?

Join thousands of insurance agents using SalesPulse to automate follow-ups, power their dialers, and close more deals — all in one platform for $79/month.

Start Your Free TrialView Pricing
Share:TwitterLinkedIn