ACA Consumer Consent vs. Application Review: What Agents Must Document and Store for 10 Years

That distinction matters because CMS rules require both documentation steps when agents, brokers, web-brokers, or agencies assist consumers through Federally-facilitated Marketplaces or State-based Marketplaces on the Federal Platform. The record needs to be created at the right time, include the required elements, and remain retrievable for at least 10 years. See 45 CFR 155.220.

2027/2028 update: CMS is moving to a standard form

For 2026 workflows, CMS still recognizes multiple documentation methods, including electronic signatures, wet signatures, emails, text responses, recorded phone calls, and similar record-producing methods when the record includes the required information. CMS’s model consent materials also state that the current model form is informational and can be tailored to an agent, broker, web-broker, or agency workflow. See the CMS model consent form.

But agents should also know what is coming. In the 2027 Payment Notice final rule fact sheet, CMS said it is finalizing a requirement for agents, brokers, and web-brokers to use an HHS-approved form to meet both consumer consent documentation requirements and eligibility application review documentation requirements for enrollments for plan years beginning on or after January 1, 2028. See the CMS 2027 Payment Notice final rule fact sheet.

The final rule gives agents two practical guardrails. First, the standard HHS-approved form requirement applies to agents, brokers, and web-brokers assisting consumers through Exchanges on the federal platform. State Exchanges retain authority to set their own consent and application-review documentation policies. Second, for federal-platform enrollments beginning with plan year 2028, flexible custom documentation becomes transitional. A custom agency form, text flow, email flow, or recorded phone script should not be treated as the long-term answer unless it uses the HHS-approved form content in the way CMS allows.

That does not mean agents should wait. The practical takeaway is simple: keep building strong consent and application-review records now, but make sure your workflow can adopt the HHS-approved form when the standard form requirement begins.

Quick answer: what should ACA agents store?

Agents should store two separate categories of proof.

A single form, call recording, text workflow, or electronic document can potentially capture both records, but only if it clearly documents both events. Consent should happen before assistance. Application review should happen before submission.

What is ACA consumer consent?

ACA consumer consent is the documented authorization from a consumer or authorized representative allowing the agent, broker, web-broker, or agency to assist with Marketplace-related activity.

That may include collecting personally identifiable information for a Marketplace quote, searching for an existing Marketplace application, helping the consumer shop or apply, completing enrollment, making updates to an application or plan selection, checking coverage or application status, or using an EDE workflow. HealthSherpa’s consent overview separates “Consumer Consent” from “Eligibility Application Review” and lists these types of agent actions as activities that require documented consent before the agent proceeds.

A strong Marketplace consent form for agents should answer:

1. Who gave consent?
2. Who received consent?
3. What was the agent, broker, web-broker, or agency authorized to do?
4. How long does the authorization last?
5. How can the consumer rescind consent?
6. What action did the consumer take to create the record?

CMS regulations require consumer consent documentation to include the scope, purpose, and duration of consent; the date consent was given; the name of the consumer or authorized representative; the name of the agent, broker, web-broker, or agency receiving consent; and a rescission process.

A vague note like “client agreed” is not a strong consent record. The better record is specific, dated, consumer-linked, tied to the agent or agency, and supported by a consumer action that creates maintainable proof.

How to document ACA consent

CMS does not prescribe only one method for documenting consent. The record can be created through different formats if the method captures the required elements and the consumer or authorized representative takes an action that produces a record. Examples include a wet signature, electronic signature, email response, text response, recorded verbal confirmation, or similar documented method.

For agents searching for an “ACA consent form PDF,” “Marketplace consent form for agents,” or “CMS model consent form,” the key point is this: the form is only useful if the finished record includes the required information and can be produced later.

A practical consent workflow should include:

• Consumer or authorized representative name.
• Agent, broker, web-broker, or agency name.
• Agent or agency NPN where appropriate.
• Date consent was given.
• Scope of the authorization.
• Purpose of the authorization.
• Duration of consent.
• How the consumer can revoke or modify consent.
• The consumer’s signature, email response, text response, recorded verbal confirmation, or other record-producing action.
• Any related call recording, screenshot, uploaded document, or message thread.

CMS’s model consent form includes sample language authorizing the agent or agency to search for an existing Marketplace application, complete an eligibility and enrollment application, provide ongoing account maintenance and enrollment assistance, and respond to Marketplace inquiries.

Sample ACA consumer consent wording

Use this as drafting language only. Agents should adapt it to their workflow, state rules, agency policies, carrier requirements, and current CMS guidance.

For phone workflows, the call should be recorded where permitted by state law and should clearly capture the consumer’s identity, the agent or agency receiving consent, the scope and duration of consent, the rescission method, and the consumer’s affirmative authorization.

Is a lead form or website checkbox enough?

Not by itself.

CMS’s advertising and marketing guidance warns that consent and eligibility application review documentation requirements apply even when the consumer came through a purchased lead. CMS also says that when a consumer submits information through an online lead form, website, social media form, or marketing survey, simply checking a box in an online form would likely not be sufficient evidence of consumer consent.

That means a lead source is not the same thing as a compliant consent file.

A lead can start the sales conversation. It does not replace the agent’s obligation to document consent before providing Marketplace assistance.

What is ACA eligibility application review?

Eligibility application review is the record showing that the consumer or authorized representative reviewed and confirmed the accuracy of the Marketplace eligibility application information before submission.

This is often where agents and brokers use the word attestation. CMS says agents, brokers, and web-brokers must explain the attestations that appear at the end of the Marketplace eligibility application, and must document that the consumer reviewed and confirmed the accuracy of the application information before submission.

In practical terms, the application review record should answer:

• What application information was reviewed?
• Who reviewed it?
• When was it reviewed?
• Who assisted the consumer?
• Were the relevant attestations explained or provided?
• Did the consumer confirm the information was accurate before submission?

CMS regulations require application review documentation to include the date the information was reviewed, the name of the consumer or authorized representative, an explanation of the attestations at the end of the eligibility application, and the name of the assisting agent, broker, or web-broker.

Sample ACA application review and attestation wording

Use this as drafting language only.

For a recorded phone workflow, the agent should review the application information with the consumer, explain the relevant attestations, ask whether the consumer has questions, and capture the consumer’s confirmation before submitting the application or update.

CMS’s model eligibility application review script includes the agent explaining the attestations, reviewing the application information, and asking the consumer whether they reviewed the information and confirmed it is accurate.

Consent vs. application review: the timing difference

The easiest way to avoid mistakes is to separate the two checkpoints.

Consumer consent comes first. Capture it before collecting or using consumer PII, searching for an existing Marketplace application, quoting with identifiable information, helping the consumer apply, checking application status, updating an application, or enrolling the consumer.

Application review comes later. Capture it after the relevant application information is complete enough for the consumer to review, but before the agent submits the application, update, change, plan selection, or enrollment submission.

HealthSherpa describes Eligibility Application Review as indicating that application information and plan selection have been reviewed and approved by the consumer, and that attestations have been shared. It also states that Eligibility Application Review must be documented before submitting a new application, submitting updates or changes, submitting a plan selection, submitting updates or changes to a plan selection, or completing or updating an enrollment submission.

Can ACA consent and application review be documented by phone?

Yes, but the phone workflow needs to create a usable record.

CMS recognizes recorded verbal confirmation as one possible way to document consent or application review when the recording captures the required elements. But an unrecorded verbal conversation is not enough by itself. CMS’s FAQ states that unwritten verbal consent must be documented in a record, such as an audio recording or other documentation, and must satisfy the other regulatory requirements.

For plan years beginning on or after January 1, 2028, federal-platform workflows get more specific. CMS finalized that recorded calls may still work, but the agent, broker, or web-broker must communicate the entirety of the HHS-approved form language and capture the consumer’s verbal consent or confirmation. A casual recorded “yes” will not be enough.

A strong recorded call should capture:

• Today’s date.
• The consumer or authorized representative’s identity.
• The agent, broker, web-broker, or agency receiving consent.
• The scope, purpose, and duration of consent.
• How the consumer may rescind consent.
• The consumer’s affirmative authorization.
• The application information reviewed.
• The attestation explanation.
• The consumer’s confirmation that the information is accurate before submission.

If the call recording is part of the compliance record, it should not sit disconnected in a phone dashboard. Store it with the consumer’s ACA file so it can be found years later. Agents who want a dedicated recorded line can use a recorded business line for ACA agents.

How long are agents required to maintain ACA consent records?

ACA consumer consent and eligibility application review documentation must be maintained for at least 10 years and produced to CMS upon request in connection with monitoring, audit, and enforcement activities. CMS also says it may request this documentation at any time during the 10-year window and that agents are not required to proactively submit the documentation absent a request.

The 10-year rule does not disappear just because the consumer stops working with the agent. CMS FAQ guidance says the documentation must be maintained for 10 years following the enrollment or application submission even if the consumer rescinded consent, the consent expired, the consumer left the Marketplace, or the consumer chose to work with another agent, broker, or web-broker.

That is why “I saved it somewhere” is not enough. Agents need records that remain searchable, retrievable, and exportable after CRMs, EDE tools, phone systems, uplines, agencies, and storage platforms change. For broader retention strategy, read the companion guide to ACA 10-year record storage.

What about auto-renewals?

Auto-renewals require a practical distinction.

CMS FAQ guidance says the documentation requirements adopted in the 2024 Payment Notice are not triggered for a passive auto-renewal when the agent, broker, or web-broker is not making changes to the Marketplace eligibility application and is not actively assisting in a way that is outside the existing documented consent.

But once the agent actively helps with an application update, plan change, plan selection change, income update, household update, NPN update, or other Marketplace submission, the agent should confirm whether existing consent covers the action and whether new eligibility application review documentation is required before submission.

Passive renewal is not the same as active assistance.

Beginning with PY 2028 enrollments and re-enrollments on the federal platform, previously obtained consent forms and application-review documentation will no longer satisfy the new HHS-approved form requirement. Agents should treat fall 2027 as the process-change window, not as the time to discover that every renewal script, PDF, phone prompt, and EDE handoff needs work.

What should agents do if their NPN is removed from a Marketplace application?

This is one of the highest-anxiety ACA compliance issues for working agents.

CMS FAQ guidance says that if an agent, broker, or web-broker believes their NPN or agency NPN was accidentally or intentionally removed from a consumer’s Marketplace eligibility application, they should contact the consumer to confirm whether the consumer gave consent to another agent, broker, web-broker, or agency and requested the NPN change. If the consumer did not authorize the change, the prior agent may need to document the consumer’s authorization and obtain new review and confirmation of the updated eligibility application information before submitting an update to change the NPN back.

CMS also implemented system changes in 2024 to help stop unauthorized agent and broker Marketplace activity. CMS stated that agents and brokers not already associated with a consumer’s FFM enrollment must take additional steps, such as a three-way call with the Marketplace Call Center or directing the consumer to make the change themselves through HealthCare.gov or an approved DE/EDE consumer pathway.

In an NPN or AOR dispute, the useful record is not just the original consent form. The agent may need a full file:

• Original consumer consent.
• Duration and scope of consent.
• Application review confirmation.
• Attestation confirmation.
• Plan-selection notes.
• Consumer messages.
• Call recordings.
• Screenshots or Marketplace records.
• FFM application ID where appropriate.
• Notes showing what changed and when.
• Proof that the consumer authorized any correction.

CMS reported substantial complaint volume around unauthorized plan switches and unauthorized enrollments in 2024 and suspended hundreds of agents and brokers for suspected fraud or abusive conduct related to unauthorized activity.

That is why organized ACA documentation is not just an audit issue. It can become a commission, consumer complaint, NPN, or coverage-repair issue.

What happens after the consumer selects a Marketplace plan?

Plan selection is not the end of the workflow.

After a consumer enrolls in a Marketplace plan, coverage generally does not start until the consumer pays the first premium directly to the insurance company. HealthCare.gov tells consumers that premiums are paid to the insurer, not the Marketplace, and that coverage will not start until the first premium is paid.

For agents, this is not usually part of the CMS consent record itself, but it is good file hygiene. Keep plan-selection notes, payment reminders, application review documentation, and follow-up records connected to the consumer file.

Should agents rely only on HealthSherpa, SnapHealth, an EDE platform, or a CRM?

HealthSherpa and other EDE or consent tools can be useful inside the enrollment workflow. HealthSherpa’s help center says its tools help agents collect and manage both Consumer Consent and Eligibility Application Review, and its Consent Library allows agents to view, search, download, resend, mark revoked, or delete consent documentation stored in the HealthSherpa account.

The separate question is whether that should be the only place your 10-year record lives.

If you change agencies, FMOs, CRMs, phone systems, or quoting platforms, you still need to be able to retrieve the consent, application review confirmation, call recording, uploaded documents, screenshots, notes, and dispute records. The safest operating model is to treat your EDE platform as the enrollment engine and maintain an independent record layer for long-term storage and export.

For a deeper comparison, read HealthSherpa vs. independent ACA record vault.

ACA consent and application review checklist

Before submitting a Marketplace application, update, plan selection, or enrollment submission, use this checklist.

Before assistance

• Create or locate the consumer file.
• Confirm whether the person is the consumer or authorized representative.
• Capture consumer consent before collecting or using PII for Marketplace assistance.
• Include scope, purpose, duration, date, consumer name, agent or agency name, and rescission process.
• Use a record-producing method: e-signature, wet signature, email, text response, recorded verbal confirmation, or similar documentation.
• For federal-platform PY 2028 enrollments, prepare to use the HHS-approved form or the exact permitted HHS-approved form content in the workflow.
• Store the consent record with the consumer file.

Before submission

• Review eligibility application information with the consumer.
• Explain or provide the relevant application attestations.
• Give the consumer an opportunity to ask questions.
• Capture the consumer’s confirmation that the application information is accurate.
• Record the review date, consumer name, assisting agent name, and attestation explanation.
• Store the application review record with the consumer file.

After submission

• Keep plan-selection notes and relevant supporting files.
• Store call recordings with the related consent or review record.
• Keep screenshots, uploaded documents, complaint notes, NPN/AOR records, and Marketplace correspondence where applicable.
• Keep the complete record searchable and exportable for at least 10 years.

How ACA Compliance Vault helps

ACA consent and eligibility review tools in ACA Compliance Vault are built for the record layer of ACA work.

ACA Compliance Vault does not need to replace your EDE, Marketplace, quoting, agency, or CRM workflow. The point is to give agents one organized place to keep the proof that tends to get scattered across emails, texts, phone recordings, PDFs, desktops, CRMs, and enrollment platforms.

ACA Compliance Vault helps agents store:

• ACA consumer consent records.
• Eligibility application review documentation.
• Attestation confirmations.
• Recorded verbal consent or review confirmations.
• Uploaded PDFs, screenshots, and supporting documents.
• Marketplace-related files.
• NPN, AOR, complaint, or dispute support records.
• Historical records that need to remain retrievable.
• Exportable files for CMS requests, agency reviews, consumer complaints, or internal compliance questions.

The best workflow is not “save something somewhere.” It is “create the record, connect it to the consumer file, and be able to produce it later.”

For related workflows, compare the ACA Marketplace operations for agents guide, the recorded business line for ACA agents, and the agent compliance vault for Medicare and ACA records.

Bottom line

ACA consumer consent and eligibility application review are two different records.

Consent proves the consumer authorized the agent, broker, web-broker, or agency to help. Application review proves the consumer reviewed and confirmed the accuracy of the Marketplace eligibility application information and relevant attestations before submission.

Agents should document both, use a record-producing method, keep related call recordings and supporting files connected, and store the records so they can be found and exported for at least 10 years.

For 2028 federal-platform enrollments, the message gets sharper: do not build around fully custom consent and review forms unless CMS later permits that path. Build around a workflow that can carry the HHS-approved form cleanly, whether the consumer signs electronically, responds by email, or completes a recorded phone process.

Sources

• 45 CFR 155.220: eCFR Accessed 2026-05-30.
• CMS Model Consent Form for Marketplace Agents, Brokers, Web-brokers, and Agencies: Centers for Medicare & Medicaid Services Accessed 2026-05-19.
• HHS Notice of Benefit and Payment Parameters for 2027 Final Rule: Centers for Medicare & Medicaid Services Accessed 2026-05-30.
• Federal Register: HHS Notice of Benefit and Payment Parameters for 2027: Federal Register Accessed 2026-05-30.
• Frequently Asked Questions: Consumer Consent & Application Review Requirements: Centers for Medicare & Medicaid Services Accessed 2026-05-19.
• Agent, Broker, and Web-broker Guidelines for Compliant Marketplace Advertising and Marketing: Centers for Medicare & Medicaid Services Accessed 2026-05-19.
• CMS Statement on System Changes to Stop Unauthorized Agent and Broker Marketplace Activity: Centers for Medicare & Medicaid Services Accessed 2026-05-19.
• CMS Update on Actions to Prevent Unauthorized Agent and Broker Marketplace Activity: Centers for Medicare & Medicaid Services Accessed 2026-05-19.
• Complete your enrollment and pay your first premium: HealthCare.gov Accessed 2026-05-19.
• Consent Overview: HealthSherpa Accessed 2026-05-19.

Frequently Asked Questions

What are the required components of documented consumer consent?

Documented ACA consumer consent should include the scope, purpose, and duration of consent; the date consent was given; the consumer or authorized representative's name; the agent, broker, web-broker, or agency receiving consent; a process for rescinding consent; and a consumer action that produces a maintainable record.

What should an agent do before discussing a consumer's Marketplace application?

Before collecting or using consumer PII, searching for an existing Marketplace application, providing Marketplace assistance, helping with an application, enrolling the consumer, checking status, or making updates, the agent should obtain and document consumer consent.

What are acceptable methods to document ACA consumer consent?

Acceptable methods may include a wet signature, electronic signature, email response, text response, recorded verbal confirmation, or similar method, as long as the record includes the required elements and can be maintained and produced later.

What is the difference between ACA consent and application review?

ACA consent documents permission to assist. Eligibility application review documents that the consumer reviewed and confirmed the accuracy of the Marketplace eligibility application information, including the relevant attestations, before the agent submitted the application or update.

How long are agents required to maintain consumer consent records?

Agents, brokers, and web-brokers must maintain consumer consent and eligibility application review documentation for at least 10 years and produce it to CMS upon request for monitoring, audit, or enforcement activities.

Can ACA consent be documented by phone or recorded call?

Yes. A recorded verbal confirmation can support ACA consent or application review documentation if the recording captures the required elements and is maintained. An unrecorded verbal conversation by itself is not enough.

Is a lead form or website checkbox enough to prove ACA consumer consent?

Not by itself. CMS has warned that simply checking a box in an online form would likely not be sufficient evidence of consumer consent, and agents must still document consent and application review for consumers received through leads.

Do agents need application review documentation for ACA auto-renewals?

Not always. For a passive auto-renewal with no agent-made changes and no active assistance outside existing documented consent, the documentation requirements are not triggered until there is a need to update the Marketplace eligibility application or the agent actively assists in a way not authorized by existing documented consent.

What attestations do I need to explain to the consumer?

Agents, brokers, and web-brokers need to explain the attestations that appear at the end of the consumer's Marketplace eligibility application. The actual attestations may vary depending on the application.