New research puts hard numbers on the convener question
The headlineA peer-reviewed study in the June issue of Health Affairs, from a Brown University team led by Adam Markovitz, puts hard numbers on something ACO leaders have watched anecdotally for years: the rise of third-party "convener" firms in the MSSP. Conveners recruit clinicians into ACOs and supply the capital and analytic infrastructure to run them. Using national program data from 2012 through 2021, the researchers find that a growing share of MSSP beneficiaries now sit in convener-organized ACOs, and that some of these networks are large, geographically dispersed, and assembled in part by aggregating lower-cost clinicians rather than by building clinically integrated local care. Their policy recommendation is to require clearer disclosure of convener relationships and to revisit how the program defines a network, so that "ACO" keeps describing coordinated care rather than a financial roll-up.
It is worth being precise about the term, because "convener" gets used loosely. The study's concern is with firms that organize an ACO and often take an equity-style share of its savings, not with the reporting registries, EHRs, and analytics vendors an ACO contracts for specific services. Those are different relationships with different incentives.
If you work with a convener or enabler, the practical question is the one the study points at: how aligned are their economics with yours across the full agreement, and how much of your shared savings actually reaches the practices doing the work. If you organize your own ACO and buy services à la carte, the value of that structure is that you can answer those questions line by line. Either way, expect convener transparency to stay on CMS's radar after research like this, and expect it to surface in the rulemaking conversation.
We sit on the services side of that line, not the convener side. We provide the analytics and reporting infrastructure; we do not assemble your network or take a percentage of your savings, and we think any ACO should be able to see exactly what each partner is paid and for what.
On the radar: The CY2027 Physician Fee Schedule proposed rule is due in mid-July and will carry the next round of MSSP methodology proposals. We walked through the ACPT benchmarking stakes last issue; when the rule lands, we will break down what is actually in it, with the operational implications rather than the press-release version.
The savings advance almost no eligible ACO is using
The headlineThere is a cash-flow tool sitting in the MSSP that almost no eligible ACO is using. Prepaid shared savings lets a qualifying ACO draw its earned savings forward as quarterly payments rather than waiting until the following fall, money you can put toward staffing, care management, and infrastructure during the performance year instead of after it. The catch is the qualification bar. By one Health Affairs analysis, of roughly 400 ACOs eligible to request prepaid savings in 2026, only four actually qualified under CMS's rules. The mechanism exists; the guardrails around how the money can be requested and spent have made it nearly unusable.
Eligibility is meaningful but not exotic: it is aimed at renewing ACOs that take on downside risk, have a track record of earning shared savings, and carry no outstanding balance owed to CMS. Plenty of established ACOs clear that bar and still never get the cash, because the operational requirements layered on top are heavy enough that most do not pursue it.
Two things. First, if you are a renewing, risk-bearing ACO with a savings history, prepaid shared savings is worth a hard look now rather than treating it as paperwork no one can actually complete. The cash-flow difference between October of next year and quarterly payments this year is real, especially for an ACO funding care-management staff out of thin margins. Second, watch the July rule. A CMS that has said plainly it wants to reduce the friction in value-based care has an obvious target here, and if it loosens the prepaid-savings requirements, the math changes for a lot more than four ACOs.
Qualifying is largely a function of a clean savings history and clean reporting, which is the part we work on every day. The friction our ACOs hit is the regulatory hoops around the request, not whether they are eligible.
FHIR gets a date, and value-based care finally gets named
The headlineThe FHIR conversation moved from "someday" to a date this summer. Under the CMS Interoperability Framework announced last year, more than sixty companies that signed on, including major EHR vendors, payers, and health information networks, set a target of July 4, 2026 for the first wave of "CMS Aligned Networks" to expose patient data through FHIR APIs built on US Core and USCDI v3 and to stand up a record locator service. The detail that matters for you is who CMS wrote into it: requests to that record locator can be initiated by patients, providers, and value-based care organizations, and ACOs and payers are explicitly allowed to query it for the quality data elements and claim-linked clinical data they need for payment and operations. For the first time, the national data-sharing plumbing names value-based care as a first-class user rather than an afterthought.
Two shifts are worth tracking alongside it. On the regulatory side, HTI-5's certification rollback is still awaiting a final rule, ASTP/ONC has signaled an HTI-6 proposal that could push EHRs to exchange data with wearables, and information-blocking enforcement that the prior administration declined to pursue is now signaled to carry consequences, with HTI-5 proposing that interfering with automated and AI-driven data access counts as blocking. On the product side, the EHR vendors are racing to embed AI natively. Epic has well over a hundred AI features in flight and put ambient documentation and AI agents into live use this year, athenahealth made an ambient scribe free to all its customers, and Oracle is rebuilding its EHR from scratch for what it calls the agentic-AI era. Ambient documentation went from differentiator to table stakes in a single cycle.
Two practical threads. First, the CMS Aligned Networks record locator is a potential new pipe for exactly the data you fight to assemble today, the cross-practice clinical detail behind gap closure and quality reporting. It is voluntary and early, so the move this quarter is to find out whether the networks and payers you depend on are among the early adopters, because if they are, the querying path opens to you as a value-based care organization. Second, the ambient-AI wave is a risk-adjustment story as much as a documentation one. Richer AI-generated notes can surface chronic conditions that would otherwise go uncoded, which helps HCC capture, but the same richness is drawing payer scrutiny and downcoding, so the documentation still has to be clinically defensible, not just complete.
As an ONC-certified registry, the FHIR-first direction is the road we are already on. The question worth asking any data partner, us included, is which querying and exchange capabilities they will actually support as CMS Aligned Networks come online, and how AI-generated documentation flows into the risk and quality logic without importing noise.
A 1.8 million-record breach, while the federal rulebook stalls
The headlineThe vendor-driven breach pattern that has defined 2026 just produced one of its largest cases, and it is a clean illustration of where ACO data risk actually sits. NYC Health and Hospitals, the largest public health system in the country, disclosed that attackers reached its network through a third-party vendor and held access from late November 2025 into February, copying data on about 1.8 million people. What was taken went past the usual names, Social Security numbers, and medical and insurance records to include fingerprint and palm-print biometrics, the one category of stolen data that can never be reset. The case has since drawn congressional attention, with Senator Bill Cassidy, who chairs the Senate health committee, writing to the system's CEO in early June for answers on its scope.
The breach lands while the federal response to exactly this kind of incident is stuck. The HIPAA Security Rule overhaul the sector has been bracing for has stalled. OCR proposed the first major update in two decades in early 2025, took in more than 4,700 comments, and set a spring-2026 target to finalize it that has now passed with nothing published. Under a deregulatory administration the rule could still be narrowed or withdrawn, and a coalition of more than a hundred provider groups has asked HHS to pull it. The stall does not mean the bar is holding still. OCR keeps enforcing the current rule, under which an inadequate risk analysis is still its single most-cited deficiency, and in April it formally widened its enforcement initiative from risk analysis to risk management, meaning not just whether you found your risks but whether you acted on them. Separately, CMS is expected to move some cybersecurity requirements into the Conditions of Participation for hospitals, a vehicle that would tie security directly to program eligibility.
NYC's situation is the one every ACO should sit with, because an ACO is the same shape of target. The health system did not have to make an obvious mistake. A vendor it had granted access was compromised, and its patients paid for it. Do not wait on the stalled overhaul, and do not re-architect around a proposed rule that may not land as written. The enforceable bar today is the current Security Rule plus your business associate agreements, and what OCR is actually testing is documented risk management, not a risk analysis sitting in a drawer. For ACOs with hospital participants, the CMS Conditions of Participation track is the one to watch, since a security requirement attached to program participation is not optional the way a best practice is.
We hold PHI for the ACOs on our platform, so the things we would want you to confirm with any vendor are concrete: a current risk analysis with a documented risk-management follow-through, multi-factor authentication on privileged access, and a written answer to how fast you would be notified of a breach.