Capstone expects healthcare information technology opportunities in 2026 to be shaped by three converging pressures: litigation, regulatory deadlines, and legislation. Information blocking enforcement and lawsuits should favor analytics vendors, Fast Healthcare Interoperability Resources (FHIR) application programming interface (API) mandates are driving procurement of interoperability solutions, and Medicaid work requirements are creating tailwinds for Eligibility and Enrollment and revenue cycle management (RCM) vendors.
Outlook at a Glance
- Information Blocking Litigation Through State Tort Law and Office of the Inspector General (OIG) Enforcement to Benefit Analytics-Focused Point Solutions
- FHIR-Based API Requirements Take Effect Beginning 2027, Leading Payors to Procure Solutions for Compliance Throughout 2026
- OBBBA-Provided Medicaid Work Requirements Create Complexity for State Medicaid Agencies and Providers; Eligibility and Enrollment (E&E) Vendors Likely to Benefit
Information Blocking Litigation Through State Tort Law and the Office of the Inspector General (OIG) Enforcement to Benefit Analytics-Focused Point Solutions
| Winners | Provider-serving analytics vendors that rely on patient health data maintained in electronic health records |
| Losers | Certified health IT developers (e.g., electronic health records (EHRs)) relying on expansion in markets with existing leading analytics vendors |
Enforcement cracking down on information blocking—when health care entities restrict patients’ engagement in their care by blocking the access, exchange, and use of electronic health information—is accelerating through OIG action and emerging state tort law litigation. This is forcing EHR vendors to share data with analytics-focused point solutions and eliminating historic competitive moats based on data access restrictions. The 21st Century Cures Act (2016) prohibited providers, certified health IT developers, health information exchanges (HIEs), and health information networks (HINs) from ‘information blocking,’ or interfering with access to electronic health information for approved treatment, payment, or healthcare operations (e.g., risk adjustment, quality assessment, care coordination) purposes. This means that certified EHR vendors, that historically had a competitive advantage based on data availability, have to share data with point solutions – which would be business associates with payors or providers. This ultimately limits the typical land-and-expand model of systems of record, instead requiring these vendors to now compete against point solutions on the merits of their analytics, rather than on their ability to limit data access and, consequently, hinder competitor performance.
Information blocking prohibitions took effect in 2021, with official enforcement beginning on September 1, 2023, for HIEs, HINs, and certified health IT developers, and on January 1, 2025, for a select set of providers. To date, OIG has taken no enforcement actions, but on September 4, 2025, OIG and the assistant secretary for technology policy (ASTP, the agency responsible for information blocking regulations) jointly issued an Enforcement Alert one day after the Department of Health and Human Services (HHS) Secretary Robert F. Kennedy Jr. directed the agency to “increase resources dedicated to curbing the harmful practice of information blocking.”
Further, there is no private right of action for information blocking – meaning plaintiffs cannot sue defendants for information blocking violations under the Cures Act. However, an increasing number of plaintiffs are suing defendants for information blocking violations under state tort law – providing an avenue to challenge data access restrictions and seek monetary damages if a company’s information blocking practices harmed relationships or constituted anticompetitive behavior. To date, at least six cases challenge data access restrictions and are building precedent for using this pathway in multiple states.
Taken together, expected decisions in litigation and enforcement from OIG are likely to benefit point solutions, and limit systems of record in 2026 and beyond.
FHIR-Based API Requirements Take Effect Beginning 2027, Leading Payors to Procure Solutions for Compliance Throughout 2026
| Winners | Companies providing FHIR-compliant API solutions to impacted health plans, integration specialists that can bridge legacy payor systems to modern API solutions, or core administrative processing solution (CAPS) vendors offering IT stack replacement to support compliance and help payors compete with more tech-savvy entrants |
| Losers | Legacy payor technology vendors and point-to-point intermediaries whose connections are commoditized by standardized APIs |
The Centers for Medicare & Medicaid Services’ (CMS) 2027 FHIR API requirements will drive 2026 procurement at less tech-forward payors, benefiting API infrastructure and integration vendors, while supporting updates from legacy IT stacks.
The Advancing Interoperability and Improving Prior Authorization Processes final rule (2024) required CMS-regulated payors (i.e., Medicare Advantage plans, Medicaid, and CHIP managed care and fee-for-service plans, most Affordable Care Act (ACA) plans) to implement three FHIR-based APIs: 1) Provider Access API; 2) Payor-to-Payor API; and 3) Prior Authorization API. Combined, the APIs must enable 1) in-network providers to access claims, encounters, and clinical data of patients they have a treatment relationship with; 2) payors to access historical patient data from a previous payor, helping create a longitudinal health record; and 3) streamlined prior authorization processes, supporting automated prior authorization requests and responses. CMS—recognizing that payors would need time to upgrade legacy systems and Implementation Guides would need to be further tested—set a three-year implementation window. It is unlikely that the agency will further delay implementation.
To meet the 2027 deadline, payors will be in procurement and implementation mode throughout 2026. While it is unlikely that large, tech-forward plans (e.g., UnitedHealthcare) will need to procure solutions, less tech-forward plans (e.g., Humana, regionals) are likely to buy over build. Further, since plans are making this investment for their CMS-regulated plans, likely, these capabilities will also be utilized for commercial plans. API infrastructure vendors – either those providing a layer between legacy payor systems and FHIR-compliant APIs or those replacing legacy tech stacks and offering integrated APIs – will benefit in 2026.
OBBBA-Provided Medicaid Work Requirements Create Complexity for State Medicaid Agencies and Providers; Eligibility and Enrollment (E&E) Vendors to Benefit
| Winners | Eligibility and enrollment (E&E) vendors serving State Medicaid Agencies and specialty revenue cycle management (RCM) vendors, in specialties with limited work requirement exposure, that have advanced front-end solutions to support eligibility verification and scheduling workflows |
| Losers | RCM vendors over-exposed to safety-net hospitals and Medicaid payments |
Capstone expects 2026 – 2027 state procurement of E&E systems, with many states likely requesting good-faith implementation delays.
The One Big Beautiful Bill Act (OBBBA) requires states with expanded Medicaid programs to impose work requirements on able-bodied adults without dependents (ABAWD) unless they meet specific exemptions (e.g., pregnant woman, medically frail, under 19 or over 65, etc.) – which Capstone expects will lead to 4.5 million beneficiaries disenrolled from the program. These requirements go into effect on January 1, 2027, allowing approximately 1.5 years for states and providers to prepare for the changes.
To comply with these changes, states must procure new systems or update current systems responsible for eligibility verification. OBBBA directs HHS to issue an interim final rule implementing work requirements by June 1, 2026, which will provide clarity on which individuals meet the medically frail definition. By September 30, 2026, states must notify individuals of new requirements, suggesting that procurement is likely to take place in the first half of 2026. However, HHS can delay implementation for states experiencing difficulty if they are making a good faith effort to comply – potentially delaying implementation until December 31, 2028, at the latest. Capstone expects many states to apply for good-faith delays based on previous trends (i.e., 41 states applied for good-faith effort exemption requests for electronic visit verification requirements for Home Health Care Services), likely pushing procurement into late 2026 and early 2027. Regardless, for the next two years, states will be focusing on procuring new E&E capabilities, benefiting those vendors.
On the provider side, hospitals and practices must ensure the items and services they provide are covered. As part of broader revenue cycle management (RCM) practices, Capstone expects RCM vendors with advanced front-end processes serving specialties with stable Medicaid volume will outperform their peers as a result of provider willingness to pay to prevent uncompensated care. Based on typical revenue models (i.e., percent-based fees), RCM vendors with an overexposure to Medicaid payments are likely to face headwinds; however, vendors focusing on specialties that are uniquely insulated from work requirements (e.g., substance use disorder, other behavioral health, maternal services), but are still facing heightened administrative burden (e.g., ensuring patients are maintaining coverage via exemption status) will need to more deeply invest in systems integrating eligibility determination and support into the scheduling workflow.
