The work starts now for the first cohort
The headlineThe LEAD Model application window closed May 17, and the program is moving fast. CMS is expected to notify accepted applicants by mid-2026, meaning the first cohort is being selected right now. Those that get in don't wait until go-live to start: accepted ACOs enter a no-risk Implementation Period from September through December 2026 to stand up provider networks and conduct beneficiary outreach, with Performance Year 1 beginning January 1, 2027. The model runs a full decade through 2036, the longest ACO test the Innovation Center has ever run, and it replaces ACO REACH, which sunsets at the end of 2026 (74 ACOs are finishing out REACH in PY2026).
The design idea that matters most: LEAD uses fixed benchmarks that don't rebase over the 10 years. An ACO that keeps lowering its costs sees the gap between its benchmark and its actual spending widen year after year, what CMS calls the "savings wedge." It's the structural opposite of the MSSP rebasing cycle, where your own success ratchets your future benchmark down. LEAD offers two risk tracks (Global at 100%, Professional at 50%), an episode-based specialist-integration pathway, a two-state Medicare/Medicaid integration pilot, and Stark/Anti-Kickback waivers. Eligibility generally requires 5,000+ aligned lives (fewer for high-needs-focused ACOs), Certified EHR Technology, and a financial guarantee in the range of 2 to 4 percent of the ACO's Part A and Part B revenue.
If you're in the cohort being selected now, the implementation period this fall is not a formality. It's the window to get your provider network, beneficiary outreach, and reporting infrastructure working before a dollar of risk is live. One requirement to plan around early: LEAD asks for eCQM reporting on aligned Medicare beneficiaries only, not your whole patient panel. That sounds easier than it is. Most EHRs can't natively filter measure logic to a CMS-supplied beneficiary list, so the real work is aggregating data across participant practices, filtering to the aligned cohort, running the measure logic, and producing CMS-compliant output. It's the same lift MSSP ACOs already shoulder under APP Plus, and it's worth pressure-testing now rather than in Q4.
If you didn't apply, LEAD is off the table until a future cohort, and the strategic question sharpens: is MSSP's rebasing dynamic sustainable for you over the same decade LEAD participants just locked in without it? That's the benchmarking debate to be having internally this year.
This aligned-cohort reporting problem is one we work on every day for the ACOs on our platform, and it's consistently underestimated until the reporting deadline is close.
~$100M in chronic-disease funding, with a 2027 window still open
The opportunityCMS's Innovation Center is funding a new chronic-disease model called MAHA ELEVATE (Make America Healthy Again, Enhancing Lifestyle and Evaluating Value-based Approaches Through Evidence). It puts roughly $100 million behind up to 30 recipients through cooperative agreements of up to three years, for evidence-based interventions that slow or prevent chronic disease in Original Medicare beneficiaries. Each proposal must include a nutrition or physical activity component, and the model explicitly funds services Original Medicare doesn't cover today, including "food as medicine" and dementia-related interventions. ACOs are named as eligible applicants alongside health systems, private practices, FQHCs, RHCs, and community-based organizations.
Cohort 1 applications closed May 15, 2026, with that cohort launching September 1. The live opportunity for ACOs that missed the first round is Cohort 2, which CMS plans to open on a separate cycle in 2027 with its own letter-of-intent call and application window.
This is a different shape of money than shared savings. It's a cooperative agreement that pays you to stand up a defined intervention, not a benchmark you have to beat. For an ACO already managing a high-needs or chronically ill population, it can underwrite the lifestyle and nutrition programs you may be running on thin margins today, and an Anti-Kickback safe harbor is available for the model's patient incentives. Note the application bar early: you have to show prior outcome data from your own program and prove you can collect and report the required beneficiary data with proper protections in place. The ACOs best positioned for Cohort 2 are the ones that start documenting those outcomes now. If chronic-disease prevention is already part of your care model, put Cohort 2 on the 2027 planning calendar.
Go deeper: we've published a dedicated MAHA ELEVATE data-partner overview covering eligibility, reporting requirements, and the Cohort 2 timeline.
CY2026 PFS changes are live, and the runway just got shorter
The headlineSeveral CY2026 PFS final-rule changes are now live for the current performance year. The health equity adjustment has been removed from ACO quality scores. New ACOs get a shorter runway in one-sided risk before they're pushed toward downside. There's a new mid-year reporting requirement when a participant undergoes a change of ownership that produces a new TIN. And the definition of primary care services used for beneficiary assignment was updated, notably dropping the SDOH risk-assessment code (G0136) from the set that triggers alignment.
For context on where the program sits: the most recent results CMS published (Performance Year 2024, released last fall) were the strongest in the program's history, with roughly three-quarters of 476 ACOs earning performance payments and about $2.5 billion in net savings to Medicare. PY2025 results won't land until later this year, but the trajectory is the backdrop for everything above. The program is expanding, and CMS is tightening participation mechanics as it does.
The shorter one-sided-risk window matters most for newer ACOs still building the muscle for downside risk; the runway to get your cost and quality infrastructure right is now shorter than it was. The CHOW/TIN reporting rule is an easy one to miss operationally and an easy one to get dinged on. If your participant roster shifts mid-year, that's now a reportable event, not a year-end cleanup item.
This is exactly the kind of attribution-accuracy plumbing we watch closely across the ACOs on our platform. A single unreported TIN change can quietly distort your assigned population.
On the radar: the CY2027 PFS proposed rule typically drops in mid-July; last year's landed July 14. Expect the next round of MSSP methodology proposals with it, and we'll break down what's in it when it hits.
ONC's HTI-5 reset awaits a final rule
The headlineONC's HTI-5 proposed rule, the largest deregulatory reset of the Health IT Certification Program in years, finished its comment period on February 27 and is now awaiting a final rule. As proposed, it removes 34 of the program's 60 certification criteria, revises 7, and retains 19, reorienting the whole program around FHIR-based APIs. ONC estimates it would save certified developers roughly 1.4 million compliance hours. It also rewrites parts of the information-blocking framework and proposes eliminating the TEFCA Manner Exception.
One housekeeping note that signals more than housekeeping: as of March 31, the office is officially ONC again. HHS reversed the ASTP/ONC dual-branding reorganization. If your vendors or internal docs still say "ASTP/ONC," they're out of date.
This is the layer most ACO leaders don't track closely, since it's vendor territory, but it sits underneath everything you do, including the LEAD eCQM reporting above. The certification criteria being stripped out are the floor for what your certified EHR and registry vendors are required to support. Less mandated means more discretionary: the data-exchange capabilities you rely on for quality reporting and gap closure increasingly depend on your vendor's roadmap rather than a federal requirement. The right question to take to your platform partners this quarter is simple. Which capabilities are you keeping regardless of what HTI-5 finalizes, and which were you only doing because the rule made you?
As an ONC-certified platform, that's a question we think every ACO should be asking its vendors, including us.
The breach pattern of 2026 runs through your vendors
The headlineRXNT, an electronic health record software vendor, disclosed in May that an attacker had access to one of its systems for two days in early March and exfiltrated patient data, including, it later emerged, the prescription information of members of Congress. It's the latest in the dominant breach pattern of 2026: the damage is coming through business associates and third-party vendors, not direct attacks on providers. The single largest healthcare breach reported this year so far was TriZetto Provider Solutions, a claims clearinghouse, at roughly 3.4 million individuals. March alone saw 66 reported breaches affecting more than 8.7 million people.
On the enforcement side, OCR's long-running HIPAA risk-analysis initiative is expanding in 2026 to also cover risk management, not just whether you identified your risks, but whether you did anything about them.
An ACO is a data aggregation point. You pull PHI from every participant TIN, run analytics on it, and route it through vendors. That makes your exposure largely a function of your weakest business associate, and the RXNT and TriZetto breaches show the pattern: organizations that did nothing wrong directly still had their patients' data stolen through a vendor. Two concrete moves. First, inventory which of your vendors hold or touch PHI and confirm your Business Associate Agreements actually obligate timely breach notification. Second, make sure your own HIPAA risk analysis has a documented risk management follow-through, because that's now what OCR is looking for.
We hold PHI for the ACOs on our platform, so we'll say plainly what we'd want to hear from any vendor: ask us how we segment data, how fast we'd notify you, and what our last risk assessment found.