Brown & Sullivan
VOL · II · CH · II
THE COMPLIANCE PROGRAM
6 · PROGRAMS · ACTIVE
AUDIT · MMXXVI · IV

The perimeter under which we operate.

Six programs, no exceptions. Each is a separate body of law and each issues its own evidence. Brown & Sullivan organizes these into a single, indexable directory so that a question from any examiner returns the same answer.

PROG · 01 · TCPA
47 USC §227 · 47 CFR §64.1200

Telephone Consumer Protection Act

  • Prior express written consent — including the FCC's 2024 one-to-one consent rule — captured at the lead source and re-resolved on every dial.
  • Caller identification and time-of-day restrictions enforced at the dialer, not at the script.
  • Internal DNC, federal DNC, state DNC, and reassigned-number scrubs applied in series; failure of any gate halts the call.
  • 5-year retention of consent receipts following revocation; revocation honored in all reasonable channels.
PROG · 02 · CMS
42 CFR §422.2260–2274 · MCMG (Current Year)

CMS Medicare Communications & Marketing Guidelines

  • TPMO disclosure read verbatim within the first minute of every Medicare-eligible call and captured as a discrete recording span.
  • Scope of Appointment captured 48 hours in advance of plan presentation, or contemporaneously where permitted by the inbound exception.
  • All calls regarding Medicare beneficiaries recorded in their entirety and retained for ten (10) years.
  • Marketing material file-and-use process tracked against carrier and CMS approval calendars.
PROG · 03 · HIPAA
45 CFR §§160, 162, 164 · HITECH

HIPAA Privacy & Security Rules

  • Covered-entity status maintained for the firm's enrollment workflows; BAAs in force with carriers, RingCentral, Box.com, and HealthSherpa.
  • Minimum necessary standard applied to access and export of PHI from the directory.
  • Encryption in transit and at rest; key rotation tracked to the audit ledger.
  • Breach notification thresholds and timelines documented and rehearsed annually.
PROG · 04 · FTC · TSR
16 CFR §310

FTC Telemarketing Sales Rule

  • Prompt disclosures within the call's opening sequence — caller identity, purpose, recording.
  • Caller ID transmission with truthful display of seller or telemarketer name and number.
  • Abandoned-call rate held below the 3% safe harbor and reported quarterly.
  • Recordkeeping of all telemarketing calls per §310.5, retained against the directory.
PROG · 05 · DOI
NAIC Models · State Insurance Codes

State Department of Insurance Rules

  • Producer state license, line of authority, and renewal tracked in the Agent Registry.
  • Marketing-material approval status maintained where filing is required.
  • Anti-rebating, anti-twisting, and replacement statutes coded into the script-approval workflow.
  • Two-party-consent recording regimes applied per the call's destination state.
PROG · 06 · SOC2
AICPA Trust Services Criteria

SOC 2 — Type II

  • Type II report current; Common Criteria CC1–CC9, plus Availability and Confidentiality categories in scope.
  • Audit ledger satisfies CC7 monitoring criteria: append-only, time-bounded, examiner-exportable.
  • Access provisioning, change management, and incident response runbooks under continuous evidence collection.
  • Annual penetration test and quarterly vulnerability scan results filed to the directory.
EXHIBIT · CE · ENGINE
SIGNED · TOKENS · ONLY

The Compliance Engine.

The Engine collapses six bodies of law into a single decision: a signed token, issued or refused, in the moment before dial. No token, no call. No exceptions, no judgment calls, no humans in the loop.
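The two mechanisms the page describes, the scrubs "applied in series; failure of any gate halts the call" under PROG · 01 and the pre-dial signed token above, fit together as one small pattern. The following is an added illustration written for this page, not the firm's Engine or any of its code. It assumes: a gate order taken from the TCPA bullet (consent, internal DNC, federal DNC, state DNC, reassigned-number) plus a calling-hours gate; constructed suppression lists and lead records; an HMAC-SHA256 token whose key, lifetime and field layout are the author's choices; and a dialer that verifies the token before placing the call.

```python
"""Pre-dial gate chain issuing an HMAC-signed token (constructed example).

Gate order follows the page's TCPA bullet; all keys, lists and records
below are constructed sample data, not production values.
"""
import base64
import hashlib
import hmac
import json
from dataclasses import dataclass
from typing import Optional

# Assumption: a real deployment loads this from a KMS/HSM, never from source.
ENGINE_KEY = b"constructed-demo-key-do-not-use"
TOKEN_TTL_SECONDS = 60  # a token covers one dial attempt, not a session

# Constructed suppression lists, E.164 format.
INTERNAL_DNC = {"+15550000001"}
FEDERAL_DNC = {"+15550000002"}
STATE_DNC = {"TX": {"+15550000003"}}
REASSIGNED = {"+15550000004"}  # reported reassigned since consent was captured


@dataclass
class DialRequest:
    phone: str
    dest_state: str
    local_hour: int                   # hour of day where the called party is
    consent_receipt: Optional[dict]   # {"seller": str, "revoked": bool} or None
    seller: str                       # the one seller this call is placed for


def _gate_consent(r):
    c = r.consent_receipt
    if c is None:
        return False, "no prior express written consent on file"
    if c.get("revoked"):
        return False, "consent revoked"
    if c.get("seller") != r.seller:   # one-to-one consent: named seller only
        return False, "consent names a different seller"
    return True, "consent resolved"


def _listed(phone, listing, label):
    ok = phone not in listing
    return ok, f"{label} clear" if ok else f"{label} hit"


GATES = [
    ("consent",       _gate_consent),
    ("internal_dnc",  lambda r: _listed(r.phone, INTERNAL_DNC, "internal DNC")),
    ("federal_dnc",   lambda r: _listed(r.phone, FEDERAL_DNC, "federal DNC")),
    ("state_dnc",     lambda r: _listed(r.phone, STATE_DNC.get(r.dest_state, set()), "state DNC")),
    ("reassigned",    lambda r: _listed(r.phone, REASSIGNED, "reassigned-number")),
    # 47 CFR 64.1200(c)(1): no calls before 8 a.m. or after 9 p.m. local time.
    ("calling_hours", lambda r: (8 <= r.local_hour < 21, "calling hours")),
]


def _b64(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def issue_token(req: DialRequest, now: int):
    """Run the gates in series and stop at the first failure.

    Returns (token_or_None, audit). The audit lists every gate evaluated,
    so a refusal leaves a record of which gate halted the call.
    """
    audit = []
    for name, gate in GATES:
        ok, detail = gate(req)
        audit.append({"gate": name, "ok": ok, "detail": detail})
        if not ok:
            return None, audit            # failure of any gate halts the call
    payload = {"phone": req.phone, "seller": req.seller,
               "iat": now, "exp": now + TOKEN_TTL_SECONDS,
               "gates": [a["gate"] for a in audit]}
    body = _b64(json.dumps(payload, sort_keys=True).encode())
    sig = hmac.new(ENGINE_KEY, body.encode(), hashlib.sha256).digest()
    return f"{body}.{_b64(sig)}", audit


def verify_token(token: str, phone: str, now: int):
    """Dialer-side check: genuine signature, unexpired, bound to this number."""
    try:
        body, sig = token.split(".", 1)
    except ValueError:
        return None
    expected = hmac.new(ENGINE_KEY, body.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64(sig)):
        return None
    payload = json.loads(_unb64(body))
    if payload["exp"] < now or payload["phone"] != phone:
        return None
    return payload


if __name__ == "__main__":
    lead = DialRequest("+15550009999", "TX", 10,
                       {"seller": "Acme", "revoked": False}, "Acme")
    token, audit = issue_token(lead, now=1000)
    print("issued" if token else "refused", [a["detail"] for a in audit])
```

The audit record is the part worth keeping: a refused call produces no token, so the ledger entry listing which gate refused it is the only evidence an examiner can later ask for. Binding the token to the dialed number and giving it a short lifetime means a token issued for one dial cannot be reused for another.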