By Regan Pennypacker, MSL, SVP, Compliance Solutions
The Centers for Medicare & Medicaid Services released the CY2027 Final Rule on April 2, 2026. For compliance officers, three key areas carry operational weight: sales and marketing, eligibility for Special Supplemental Benefits for the Chronically Ill (SSBCI), and debit card supplemental benefit administration. Each requires action before the 2027 benefit year begins.
Sales and marketing: requirements eased, scrutiny remains
CMS relaxed several provisions that have long been operational burdens. The Third-Party Marketing Organization disclaimer no longer needs to reference SHIP counselors, it no longer needs to be delivered in the first minute of a call, and call recording retention drops from 10 years to 6. Non-quantifiable superlatives in advertising are now permissible.
These are genuine reliefs. Plans should update agent contracts and monitoring protocols accordingly.
But the CMS oversight infrastructure isn’t going away. Call recordings are still being reviewed. The OIG’s Medicare Advantage Segment-Specific Compliance Program Guidance identifies sales and marketing as a compliance risk area. Relaxed requirements don’t mean reduced scrutiny. They mean the rules changed and you need to document the new ones.
SSBCI: enforcement has already started
For each SSBCI, plans will now be required to list all written policies and objective criteria on their public-facing website. Both the criteria for determining a beneficiary has met the definition of chronically ill and the criteria for determining SSBCI eligibility must be posted.
CMS has already issued enforcement actions against plans using self-attestation to confirm SSBCI eligibility. The agency has been explicit: self-attestation is not objective. Plans need a documented, objective process to confirm the three-prong chronically ill test is met, for example through a Health Risk Assessment, a claims review, or other similar means.
Before bid submission, compliance teams should evaluate current policies, ensure eligibility criteria will be detailed in the Evidence of Coverage, and coordinate with website teams on mandatory posting requirements.
Debit card administration: OIG is already auditing
In March 2026, before the Final Rule was even published, the Office of Inspector General announced an audit of selected MA organizations to assess whether over-the-counter (OTC) benefits are being accurately reported to CMS and administered in accordance with federal requirements.
CMS clarifies proper administration of supplemental benefits through debit cards by codifying existing guidance and adding new guardrails. Plans must disclose all supplemental benefits, including conditions and limitations, eligible OTC items, and benefits accessible through debit cards. Plans must also have an alternative process for reimbursement when the debit card is unusable at the point of sale.
MA organizations that use a debit card to administer mandatory supplemental benefits must ensure the card can only be used toward plan-covered items and services. If a plan’s debit card is not effectively linked to covered items and services and does not have monitoring controls to verify only covered benefits are approved, it may be in violation of CMS requirements.
The Through Line
We put together a focused briefing covering each of these three compliance areas in detail: what changed, the strategic implications, and the specific actions to take before the 2027 benefit year begins.
Also in The Through Line Series
This briefing is part of ATTAC’s CY2027 Final Rule series covering every dimension of Medicare Advantage operations.
- CY2027 Medicare Advantage Final Rule & Rate Announcement: A Practical Guide Across Six Areas of Change — risk adjustment, Stars, Part D, supplemental benefits, networks, and the rate announcement in one operational guide.
- CY2027 Risk Adjustment Briefing — a deeper read on unlinked CRR exclusions, the RADV audit environment, and the data pipeline actions your risk adjustment team needs to take before June 1.

