ACA Consumer Consent vs. Application Review: What Agents Need to Store

ACA compliance recordkeeping is often described in one phrase: consumer consent.

That phrase is important, but it is incomplete.

For agents assisting consumers with Marketplace coverage through a Federally-facilitated Marketplace or a State-based Marketplace on the Federal Platform, the recordkeeping workflow generally has two separate parts: consumer consent before assistance and eligibility application review before submission. CMS guidance says agents, brokers, and web-brokers must obtain and document consumer consent before assisting with covered Marketplace activity, and must also document that eligibility application information was reviewed and confirmed as accurate before submission.

That distinction matters. Consent shows the consumer authorized the agent to help. Application review shows the consumer reviewed and confirmed the information submitted to the Marketplace. They are related, but they are not interchangeable.

For agents, the practical question is not just: Did I get consent?

It is: Can I show what the consumer authorized, what application information they reviewed, when they reviewed it, and what record supports it?

That is the problem ACA Compliance Vault is built to support: keeping consent records, eligibility review documentation, call recordings, uploaded files, and Marketplace-related records organized in one retrievable place.

The short answer

ACA agents should store both categories of documentation.

The core compliance sequence is simple: consent before assistance; review before submission. CMS FAQ guidance says these records must be maintained for a minimum of 10 years and produced upon request in connection with monitoring, audit, and enforcement activities.

What is ACA consumer consent documentation?

ACA consumer consent documentation is the record showing that the consumer, or the consumer’s authorized representative, gave permission for the agent, broker, web-broker, or agency to assist with Marketplace-related activity.

That can include help with enrollment, applying for advance premium tax credits, applying for cost-sharing reductions, updating an application, facilitating plan selection, or using consumer information in a Marketplace workflow. CMS says Marketplace agents and brokers must obtain and document consent before assisting with or facilitating enrollment through an FFE or SBE-FP, or assisting with APTC or CSR applications.

A strong consent record should answer five questions:

1. Who gave consent?
2. Who received consent?
3. What did the consumer authorize?
4. How long does the authorization last?
5. How can the consumer rescind consent?

CMS guidance explains that consent documentation should include the scope, purpose, and duration of the consent, the date consent was given, the name of the consumer, the name of the agent, broker, web-broker, or agency being granted consent, and a process through which the consumer may rescind consent.

That means a vague note like “client agreed” is not a strong record. The better record is specific, dated, consumer-linked, and tied to the assistance being provided.

What is eligibility application review documentation?

Eligibility application review documentation is different. It is the record showing that the consumer or authorized representative reviewed and confirmed the accuracy of the Marketplace eligibility application information before submission.

This is not just a paperwork formality. Marketplace application information can affect eligibility, advance premium tax credits, cost-sharing reductions, Medicaid or CHIP screening, household information, income projections, and tax reconciliation. CMS has emphasized that review and confirmation should occur before the agent submits the eligibility application or an update on the consumer’s behalf.

CMS FAQ guidance says compliant review documentation is a maintainable record that can be produced to confirm the consumer reviewed and confirmed the accuracy of the eligibility application information. The record should include the date the information was reviewed, the name of the consumer, an explanation of the attestations at the end of the eligibility application, and the name of the assisting agent or broker.

In practical terms, the application review record should answer:

• What application information did the consumer review?
• When did the consumer review it?
• Who reviewed it?
• Who assisted?
• Were the application attestations explained or provided?
• Did the consumer confirm the information was accurate before submission?

This record helps prove the consumer did not merely authorize the agent to help. The consumer also reviewed and confirmed the application information before it was submitted.

Consent and review are related, but not interchangeable

The most common mistake is treating ACA consumer consent and application review as the same thing.

They are not.

Consumer consent authorizes the agent to assist. Application review confirms that the consumer reviewed and approved the accuracy of the Marketplace eligibility information before submission. CMS’s model consent form says CMS regulations require certain content in the documentation but do not prescribe one required method. It also notes that different formats may be acceptable, including recorded phone calls, text messages, emails, electronic documents with digital signatures, or physical documents with wet signatures.

A single workflow can document both consent and review, but only if it captures all required elements for both. For example, a well-designed form or recorded call may document consent at the beginning of the workflow and then document application review after the application information has been completed and reviewed. The timing still matters.

The cleanest way to think about it is this:

That sequence is what agents should build into their workflow.

What records should agents store for ACA consumer consent?

A strong ACA consumer consent file should include the consent record itself plus enough supporting information to explain what happened later.

At minimum, agents should store:

• The consumer or authorized representative’s name.
• The agent, broker, web-broker, or agency being granted consent.
• The date consent was given.
• The scope of the consent.
• The purpose of the consent.
• The duration of the consent.
• The rescission process.
• The consumer’s record-producing action, such as an e-signature, email, text response, written response, or audio-recorded verbal confirmation.
• Any related phone recording, if verbal consent was used.
• Any renewal, update, plan-change, or NPN-related authorization.

The record-producing action point is important. CMS guidance explains that consent must involve the consumer taking an action that produces a record the agent can maintain and produce. CMS gives examples such as wet signatures, electronically applied signatures, emails, and recorded verbal conversations.

Agents should be especially careful with lead forms. CMS’s Marketplace advertising and marketing tip sheet states that even when a consumer comes through a purchased lead, agents must document consent and document that the consumer reviewed and confirmed application information before submission. The same CMS tip sheet also warns that simply checking a box in an online form would likely not be sufficient evidence of consumer consent.

The practical takeaway: a lead source is not a substitute for consent documentation. A website checkbox is not the same as a complete consumer consent record.

What records should agents store for application review?

Application review documentation should be stored as its own record, even when it is captured in the same form, phone call, or workflow as consent.

At minimum, the review file should include:

• The date the application information was reviewed.
• The name of the consumer or authorized representative.
• The name of the assisting agent, broker, or web-broker.
• Documentation that the consumer reviewed and confirmed the accuracy of the eligibility application information.
• Documentation that the relevant attestations at the end of the eligibility application were explained or provided.
• The consumer’s record-producing action, such as an electronic signature, recorded verbal confirmation, written response, or other documented method.
• Supporting files showing what application information was reviewed, when available.
• Notes or files related to any updates, corrections, renewals, plan changes, or NPN changes.

CMS says documentation of review must allow CMS to confirm that the consumer reviewed and confirmed the accuracy of the eligibility application information before submission. That applies to new applications and to updates or changes to existing applications.

A simple CRM note may help the agent remember the call, but it may not be enough by itself. The record should show the consumer’s action and the required information.

Can consent and application review be documented by phone?

Yes, but the phone workflow needs to create a usable record.

Federal Marketplace guidance recognizes audio-recorded verbal confirmation as one possible method for documenting both consumer consent and eligibility application review, when the record otherwise meets the requirements. CMS’s current model consent form also includes audio-recording script language for agents, brokers, web-brokers, and agencies.

That does not mean an unrecorded phone conversation is enough. CMS’s FAQ explains that unwritten verbal consent must be documented in a record, such as an audio recording or other documentation, and must satisfy the other regulatory requirements.

A practical recorded-phone workflow should capture:

1. The consumer’s identity or authorized representative status.
2. The agent, broker, web-broker, or agency receiving consent.
3. The scope, purpose, and duration of consent.
4. The rescission process.
5. The date of consent.
6. The application information reviewed.
7. The explanation of relevant attestations.
8. The consumer’s confirmation that the information is accurate before submission.

That is why recorded calls should not live in a disconnected phone dashboard. If a recorded verbal confirmation is part of the ACA record, the recording should be stored with the related consumer file. Agents who want automatic call recording can pair ACA Compliance Vault with a recorded business line for ACA agents.

When does application review need to happen?

Application review needs to happen before the agent submits the eligibility application or update to the Marketplace on the consumer’s behalf.

CMS’s FAQ states that documentation of review and confirmation of accuracy must be obtained prior to submitting the eligibility application. The same timing generally applies when the agent makes changes or updates eligibility application information after an application has already been submitted.

That means application review is not just an open-enrollment requirement. It can also matter when an agent:

• Submits a new application.
• Updates household information.
• Updates income information.
• Changes plan selection.
• Revises an application after a life event.
• Changes or restores NPN-related information.
• Assists with an enrollment update after a consumer issue.
• Helps with a Marketplace eligibility application after a renewal or plan change.

The safest workflow is to capture a fresh review confirmation whenever the application information being submitted or updated is materially changed from what the consumer previously reviewed.

What about auto-renewals?

Auto-renewals require careful handling.

CMS’s FAQ states that if an existing consumer’s plan renews automatically and there are no changes being made by the agent, broker, or web-broker to the Marketplace eligibility application, the 2024 Payment Notice documentation requirements are not triggered until there is a need to update the consumer’s Marketplace eligibility application information or the agent actively assists with enrollment, APTC, or CSR activity in a manner not authorized by existing documented consent.

In plain English: a passive renewal is different from active assistance.

But once the agent actively assists with an application update, plan change, or enrollment-related action, the agent should confirm whether existing consent covers that action and whether new application review documentation is required before submission.

That is why storing only the original consent form may not be enough. Agents should store renewal notes, application-update records, plan-change documentation, and any new review confirmation in the same consumer file.

What about AOR or NPN disputes?

ACA agents increasingly need records that can help explain what happened when a consumer’s application, plan selection, or NPN changes.

CMS’s FAQ explains that if an agent believes their or their agency’s NPN was accidentally or intentionally removed from a consumer’s Marketplace eligibility application, the agent should contact the consumer to confirm whether the consumer provided consent to a new agent, broker, web-broker, or agency and requested the NPN change. If the consumer did not authorize the change, the prior agent may need to document review and confirmation of the updated Marketplace eligibility application information before submitting an update to change the NPN back.

That is a practical reason to keep the ACA file organized. In an AOR or NPN dispute, the useful record is not just a consent form. The agent may need:

• The original consumer consent.
• The duration and scope of that consent.
• The rescission process.
• Any later consent or plan-change authorization.
• Application review confirmation.
• Notes from the consumer conversation.
• Call recordings, if used.
• Screenshots or Marketplace records.
• The FFM application ID, where relevant.
• A timeline of what changed and when.

ACA Compliance Vault is positioned around this recordkeeping problem: helping agents keep consent, review, call recordings, uploaded documents, Marketplace files, and historical records together for retrieval when needed.

The 10-year rule: what agents need to remember

For ACA consumer consent documentation and eligibility application review documentation, the basic retention rule is straightforward: keep the records for at least 10 years.

CMS’s FAQ says agents, brokers, and web-brokers must provide documentation of consumer consent and review of eligibility application information to CMS upon request, and that CMS may request documentation at any time during the 10-year window. Agents are not required to proactively provide the documentation for each consumer absent a request.

That creates a simple operating standard for agents:

Do not just capture the record. Store it so you can find it years later.

Ten years is a long time. Agents change CRMs, EDE tools, agencies, phone systems, FMOs, file storage platforms, and email providers. The record needs to survive those changes. For broader retention strategy, see the companion guide to ACA consent requirements and 10-year recordkeeping for agents.

Why generic storage creates problems

Many agents have ACA records scattered across multiple places:

• Consent forms in email.
• Application notes in a CRM.
• Call recordings in a phone system.
• Text-message confirmations on a personal or business phone.
• Screenshots in cloud storage.
• Renewal records in an EDE platform.
• Uploaded documents in desktop folders.
• Dispute notes in a separate help-desk thread.

That may work until the agent needs to produce a record quickly.

The problem with scattered storage is not that the record does not exist. The problem is that the agent may not know where it is, whether it is complete, whether it matches the consumer file, whether it includes the required elements, or whether it can be exported.

ACA Compliance Vault is designed to serve as an independent record layer beside the agent’s existing Marketplace, EDE, agency, CRM, or quoting workflow. The product page describes storage for consent documentation, eligibility review records, call recordings, uploaded documents, Marketplace files, historical records, and exportable records.

That is the practical difference between “I saved something somewhere” and “I can produce the file.”

A practical ACA documentation checklist

Agents can use this checklist before submitting a Marketplace application or update.

1. Create the consumer file first

Before collecting sensitive consumer information or beginning Marketplace work, create a consumer-specific file where consent, review, call recordings, notes, and supporting documents can be stored together.

2. Capture consumer consent before assistance

Document the consumer’s authorization before application, enrollment, update, quote, or other Marketplace-related assistance involving consumer information. The consent record should identify the consumer, the agent or agency receiving consent, scope, purpose, duration, date, and rescission process.

3. Use a record-producing action

The consumer should take an action that produces a record. Examples may include an electronic signature, wet signature, email, text response, written response, or recorded verbal confirmation, as long as the record meets the applicable requirements.

4. Complete the Marketplace application workflow

Use the agent’s approved Marketplace, EDE, agency, CRM, and carrier workflow. Keep supporting files, screenshots, notes, and plan-review documents with the consumer file where appropriate.

5. Review the application information with the consumer

Before submission, review the eligibility application information and relevant attestations with the consumer or authorized representative. Do not assume the consumer has reviewed information just because the agent entered it.

6. Capture eligibility application review documentation before submission

Store documentation showing that the consumer reviewed and confirmed the accuracy of the eligibility application information before it was submitted. Include the review date, consumer or authorized representative name, explanation of attestations, and assisting agent name.

7. Store call recordings with the file when phone confirmation is used

When verbal consent or review confirmation is captured by phone, store the recording with the related consumer file. ACA Compliance Vault can be paired with Business Line + Vault for automatic call recording and storage of ACA consent conversations, eligibility review confirmations, renewal discussions, and enrollment-related calls.

8. Keep updates and renewal activity connected

When the consumer makes changes later, store the new authorization, review confirmation, plan-change notes, and supporting documents with the same consumer file.

9. Preserve records for at least 10 years

The record should remain searchable, retrievable, and exportable for the full retention period. ACA Compliance Vault is built around long-term storage, historical imports, record retrieval, and export.

What agents should not do

Do not treat a lead form as consumer consent

A lead source may start the sales conversation, but it does not automatically satisfy Marketplace consent documentation requirements. CMS specifically reminds agents that consent and review documentation requirements apply even for purchased leads.

Do not rely on an agent-only checkbox

CMS warns that simply checking a box in an online form would likely not be sufficient evidence of consumer consent in click-to-enroll or lead-generator contexts. The consumer needs to take an action that produces a record.

Do not confuse permission to help with review of the application

Consent and application review serve different purposes. Consent authorizes assistance. Review confirms the accuracy of the eligibility application information before submission.

Do not keep recordings separate from the ACA file

A phone recording can be valuable evidence, but only if it is findable and connected to the related consumer record.

Do not assume a CRM note is enough

A CRM note may be useful, but the record should include the required elements and the consumer’s record-producing action.

Do not wait until a CMS request to organize the file

CMS may request documentation at any time during the 10-year window. The best time to organize the file is when the consumer interaction happens.

How ACA Compliance Vault helps

ACA Compliance Vault gives licensed agents a practical place to store the record layer of their ACA workflow.

It is designed to help agents:

• Create and store ACA consumer consent records.
• Store eligibility application review documentation.
• Attach recorded verbal consent or review confirmations.
• Upload historical records, screenshots, PDFs, and supporting files.
• Keep Marketplace-related records in the same consumer file.
• Retrieve and export records for CMS requests, agency reviews, consumer complaints, AOR disputes, or internal compliance questions.
• Maintain an agent-controlled record layer beside existing Marketplace, EDE, CRM, agency, or quoting tools.

ACA Compliance Vault is listed at $9.99/month for agents who want electronic ACA consent records, eligibility application review documentation, secure storage, historical record organization, uploaded documents, Marketplace Plan Finder access, multilingual form workflows, Medicare SOA storage if needed, and record export. Agents who also want a dedicated recorded business line with automatic call recording can use Business Line + Vault pricing.

The point is not to replace every system an agent already uses. The point is to keep the compliance evidence organized and portable. Agents who also need broader Medicare and ACA record storage can review the agent compliance vault for Medicare and ACA records.

The bottom line

ACA consumer consent documentation and eligibility application review documentation are not the same thing.

Consent shows the consumer authorized the agent, broker, web-broker, or agency to assist. Application review shows the consumer reviewed and confirmed the accuracy of the eligibility application information before submission. Both records need to be captured through a record-producing action, maintained for at least 10 years, and produced to CMS upon request when required.

For agents, the winning workflow is simple: capture consent before assistance, document review before submission, keep call recordings with the related file when phone confirmation is used, and store everything in a place that can be searched, retrieved, and exported.

That is what ACA Compliance Vault is built to support: a practical recordkeeping vault for ACA agents who need consumer consent documentation, eligibility application review records, call recordings, uploads, Marketplace files, and historical records in one organized place.

Sources

• Frequently Asked Questions: Consumer Consent & Application Review Requirements: Centers for Medicare & Medicaid Services Accessed 2026-05-11.
• CMS Model Consent Form for Marketplace Agents, Brokers, Web-brokers, and Agencies: Centers for Medicare & Medicaid Services Accessed 2026-05-11.
• Agent, Broker, and Web-broker Guidelines for Compliant Marketplace Advertising and Marketing: Centers for Medicare & Medicaid Services Accessed 2026-05-11.
• ACA Consumer Consent and Eligibility Review Tools for Agents: Informed + Choice

Frequently Asked Questions

What is ACA consumer consent documentation?

ACA consumer consent documentation is the record showing that the consumer or authorized representative authorized the agent, broker, web-broker, or agency to assist with Marketplace-related activity. The record should include the scope, purpose, duration, date, consumer name, agent or agency being granted consent, and rescission process.

What is ACA application review documentation?

ACA application review documentation is the record showing that the consumer or authorized representative reviewed and confirmed the accuracy of eligibility application information before the application or update was submitted to the Marketplace. It should include the review date, consumer name, attestation explanation, and assisting agent name.

Are consumer consent and application review the same thing?

No. Consent authorizes the agent to assist. Application review documents that the consumer reviewed and confirmed the accuracy of the Marketplace eligibility application information before submission. One workflow may capture both, but it must satisfy the requirements for both categories.

How long do ACA agents need to keep consent and review records?

ACA consumer consent documentation and eligibility application review documentation generally must be maintained for at least 10 years and produced to CMS upon request for monitoring, audit, or enforcement activities.

Can ACA consent be documented by phone?

Yes, a recorded verbal confirmation can be used when the recording or related documentation satisfies the applicable requirements. An unrecorded verbal conversation by itself is not a strong Marketplace compliance record.

Is a lead form enough to prove consumer consent?

Not necessarily. CMS reminds agents that consent and application review documentation requirements apply even for purchased leads, and CMS has warned that simply checking a box in an online form would likely not be sufficient evidence of consumer consent.

Do agents need application review documentation for auto-renewals?

Not always. CMS says the 2024 Payment Notice documentation requirements are not triggered for a passive auto-renewal when the agent, broker, or web-broker does not make changes to the Marketplace eligibility application and does not actively assist in a way not covered by existing documented consent.

What should agents store with ACA consent and review records?

Agents should store the consent record, application review confirmation, call recordings when used, application or update notes, plan-selection records, screenshots, consumer communications, renewal notes, uploaded documents, and any AOR, NPN, complaint, or dispute-related records in the same consumer file.

Does ACA Compliance Vault replace my EDE, CRM, or Marketplace workflow?

No. ACA Compliance Vault is designed to work beside an agent's existing Marketplace, EDE, CRM, quoting, agency, or enrollment workflow by helping organize consent documentation, eligibility review records, call recordings, uploaded documents, and supporting files.