Part 4: From 1 Year to 1 Month: A Proposal for Better VBC Contracts
Value-based care contracts are challenging due to lengthy negotiations, strict and evolving security demands (especially post-Change Healthcare), and rigid terms that hinder innovation. These issues create financial strain for startups, making value-based care primarily accessible to large, established healthcare entities. In a world changing rapidly, both because of AI and at the policy level, we should set a target of contracts taking 1 month rather than 1 year. My recommendation is for contract standardization and data sharing processes that are either centralized or fully open-sourced.
Value-based care contracts are brutal. They take years to negotiate. Security requirements are intense, taking months or years to implement, and then the contracts are inflexible as the business changes. Still, they are the first step to doing value-based care: improving quality and cutting costs.
This post will explain these contracts and propose how to make them faster and better for all parties. In a time of rapid change at the federal level, multi-year contracts are at a severe disadvantage and I worry they could put our goal of improving outcomes and reducing cost even further out of reach.
Value based contracting today
Working at Cityblock Health and Firsthand Cares, I've seen about 10 of these contracts. They are complex agreements that shift focus from the number of services (fee-for-service) to quality and cost-effectiveness (value-based care). These agreements aim to incentivize holistic, preventative, and efficient healthcare for complex patient populations, mainly those on Medicaid or dually eligible for Medicare. They also include commercial plans from employers or purchased independently.
The main point of a value-based contract is to deliver value-based care. The insurance company wants to buy outcomes, not services. To do this, the value-based care (VBC) company "buys lives" from an insurance company. This means the VBC company gets a set price for the future medical costs of those people, expecting to profit by lowering costs or increasing revenue.
Value-based care involves two main parties:
Insurance company: A risk-averse, publicly traded company obligated to provide predictable value to shareholders.
Value-based care company: A smaller, risk-tolerant, venture-backed startup. Its main job is to return 5x+ the invested dollars to its shareholders over 5-10 years.
Also, LoL (lots of lawyers)
The key parts of these 100+ page value-based contracts are:
Patient Attribution: This clause defines the specific patient group the provider is responsible for. It sets the method for assigning members, clarifying whose costs and outcomes are measured. This usually includes high-need individuals with multiple chronic conditions, behavioral health needs, and social barriers to health.
Scope of Services: The contract details the services the provider must deliver. This can include behavioral health, substance use disorder treatment, and social support like housing and food security.
Quality and Performance Metrics: Metrics are set to measure the provider's success in improving patient health and managing costs. These focus heavily on outcomes and require significant effort to track and report. Key performance indicators (KPIs) in a contract would likely include:
Fewer Hospitalizations and Emergency Department (ED) Visits: A main goal is proactive, community-based care to prevent costly acute episodes.
Better Management of Chronic Conditions: Metrics track control of conditions like diabetes (e.g., HbA1c), hypertension (e.g., blood pressure), and asthma, usually using specific HEDIS measures.
More Patient Engagement: Measured by frequency of contact, adherence to care plans, and patient satisfaction.
Behavioral Health and Substance Use Outcomes: Metrics might include follow-up rates after mental illness hospitalization or initiation and engagement in addiction treatment.
Preventative Care Measures: Tracking rates of cancer screenings, immunizations, and annual wellness visits.
Financial Terms and Risk Arrangement: This section outlines the financial structure. It details the capitated payment rate and shared savings or risk arrangement. This includes the formula for calculating total cost of care, the benchmark for performance, and the percentage of savings or losses the provider is responsible for.
Data Sharing and Reporting Requirements: Transparent data exchange is crucial for the value-based model. The contract specifies data types to be shared between the insurance company and provider, including claims data and patient-reported outcomes. It also defines reporting frequency and format.
Care Coordination and Collaboration: The agreement sets expectations for how the provider will coordinate care with other healthcare entities, including specialists, hospitals, and community-based organizations—many of which the insurance company may own.
A value-based contract aligns both parties' goals: improving population health while managing healthcare resources.
Consider a patient who recently had expensive surgery. Will they keep having expensive healthcare, or will costs regress to the mean? The answer depends on the surgery type, their history, and demographics.
As a value-based care business, your main customer is a large insurance company. Their problem areas are high-cost or highly variable healthcare costs. These make it harder to deliver predictable returns for their shareholders.
Contract negotiations take about 1-2 years and involve many specialized consultants, lawyers, CEOs, and board members. Single lines in the 100+ page contract can change the company's financial viability. Each contract differs significantly, and every insurance company considers its method "standard." It might be 5 separate documents signed individually to keep the process moving, or one large document.
The first challenge to examine is how this process creates significant financial problems for the value-based care company.
Contracting challenges: The J curve
Startups need money and time. Insurance companies have seemingly unlimited money and are slow. Not a good match.
A startup needs to know:
How long will contract signing take?
When will the contract start?
How long will the contract last?
How long from contract start until that operation profits?
Answering these questions is almost impossible.
The bottom of the J curve
Due to the large investment in just getting the contract, you start in a hole of roughly 30-60 "person months," whatever that costs, before your team performs as expected.
Here is a rough estimate of contract-specific resources (likely very wrong):
Team Name | Month count low | Month count high
Sales and growth | 12 | 24
Lawyers | 6 | 12
Data and IT Support | 3 | 6
Implementation and training team | 1 | 3
Time performing below target productivity | 2 | 6
TOTAL | 24 | 51
The line must go up
Value capture is complex. You don't do something and get paid for it immediately. There are various important dates and payment tranches. For example:
HEDIS and other quality measures are finalized once a year.
Monthly capitation payment or PMPM fee is based on active patient enrollment.
Quarterly performance-based incentives exist.
Annual shared savings reconciliation occurs.
This unpredictability in payments creates significant financial uncertainty that a value-based care company must factor in when raising capital. This, along with many unanswered questions, often starts these contracts deep in the red financially.
Predicting these payments is hard because insurance claims data is at least 3 months old. Due to this timing, you are essentially fronting the insurance company 3+ months of work before getting paid.
Deploying Venture dollars
Venture capital is high-risk, high-reward money for innovation.
With external constraints like the time to sign a contract, set up a market, and get paid, capital takes a long time to be used. It often sits frozen in the company, only becoming active once a new contract is signed.
For the startup, timing your J curve around these contracts, revenue, and when to raise venture funding is extremely difficult.
Large, billion-dollar+ companies simply run many of these processes concurrently, so all teams are maximally utilized, and uncertainty matters less. For smaller companies with less cash, this time uncertainty is existential.
Contracting challenges: Every contract is its own special flower
All this makes it very hard to build a consistent, measurable, and scalable business. After major breaches like Change Healthcare in 2024, insurance companies are more reluctant to share data. They have all developed vastly different standards:
Different patient populations (more medically complex, more urban or rural).
Different security requirements (Firsthand, only a few years in, needed both HITRUST R2 and SOC 2 Type 2).
Different data formats for insurance claims and patient contact information.
Some insurance companies send paid amounts, others don't.
Variable coverage for the designated patient population (60-80%).
Different insurance claims formats (no consistent standard).
Different data exchange methods, usually manual SFTP file uploads at a set time, with formats that can change monthly.
Custom files for opt-outs, exclusions, mobile/telemed, updating contact info.
Custom integrations with providers owned by the insurance company or state Medicaid programs.
Contracting challenges: Data security post-Change Healthcare
In 2024, Change Healthcare, a UnitedHealth Group subsidiary, suffered the most significant cyber incident in US healthcare history. Attackers are believed to have taken a huge amount of sensitive data; estimates suggest personal and health information for one in three Americans may have been compromised. UnitedHealth Group reported the attack would cost over a billion dollars in 2024 alone, including ransom, system restoration, and financial aid to affected providers.
This attack shocked the healthcare insurance industry and drastically changed data exchange standards—a key part of value-based contracts. More recently, insurance companies have blocked downstream vendors from using AI on their insurance claims—tools they likely use internally.
Before Change Healthcare, the contracts I worked on had a relatively small security exhibit. Even the most demanding contracts might require completing a security standard in two years. Today, however, Firsthand, a small team, must be compliant with both HITRUST R2 and SOC 2 Type 2 before it can even receive data to evaluate if a contract could work.
There is no official certification for HIPAA compliance, so frameworks like HITRUST and SOC have emerged.
What is HITRUST?
“HITRUST is the Health Information Trust Alliance…healthcare acronyms like to be on the nose. HITRUST is a more healthcare specific security framework and takes the greatest hits from the many different security standards that healthcare companies will typically encounter like HIPAA, NIST, ISO 27001, PCI, and other capitalized letters that sound like loud noises.” -Nikhil
HITRUST changed significantly from version 9 to version 11, adding hundreds of controls for cloud security that were previously minimal. The certification process takes two years and involves hundreds of individual "controls."
To achieve HITRUST, a company must provide three things for each control: a policy, a procedure, and sample evidence.
For example, for the control, "The leadership team is trained on their roles and responsibilities," the first step is to write a policy about the type and frequency of training. Then, create a "procedure" document specifying what training applies to which people. Finally, to prove implementation, provide sample records showing that the required people received the training outlined in the policy and procedure. This process repeats for over 300 controls.
Contracting challenges: What do words mean anymore?
It's unclear who "the leadership team" refers to: technical leadership, the board, or the C-suite? Interpret it wrong and you might be on a corrective action plan, which must be disclosed to all existing payer partners.
The controls are often short, generally worded sentences. Our head of L&D, a former English teacher, found them…deeply problematic.
Debating data security questions can be confusing. Here's an example from an exchange (PC refers to the "Professional Corporation," a clinician-run entity legally able to provide healthcare services with an arrangement with the startup):
Q: We receive some data from the insurance company and augment it with information gathered while caring for patients. Does the data transmission security requirement in the agreement apply to that augmented data?
Lawyers: We analyzed the data flow from a HIPAA perspective. Our view is that the data the non-PC entity receives for Engaged Members is shared in its capacity as a business associate of the PC (a covered entity with a patient-provider relationship with the Engaged Member). This differs fundamentally from a HIPAA perspective when data is shared with the PC about non-Engaged Members, where the non-PC is a business associate to [Insurance Company].
For Engaged Member data, from a HIPAA perspective, it's equivalent to data being shared with the PC, which then shares it with the non-PC to support the PC's performance of services under the Provider Agreement. The parties will simply skip sharing Engaged Member data directly with the PC since the non-PC is its authorized business associate. Consequently, the [Contract document] would not govern the transmission of data about Engaged Members to the non-PC because it falls under the Provider Agreement's covered entity pathway.
If you understand that, you might have a future in the healthcare business.
Here is a security requirement I struggled to interpret. I asked five CTO/CSOs and received ten different answers on how to set up systems to conform to it:
"Logical controls, virtual machine zoning, virtualization security, and segregation must be in place to help prevent attacks and exposure in multi-tenancy environments. This may be accomplished with tenant isolation, data isolation patterns, database per tenant, or application instances."
It's a real challenge.
Contracting challenges: Inflexibility
One less discussed challenge with healthcare contracting is its inflexibility.
In Part 3, we've shown how insurance companies and value-based care operate with limited information. It is difficult to know what is truly happening before signing the contract, so new information emerges as you iterate. However, the contract often remains fixed, sometimes based on what the insurance company promised the state in its RFP to operate Medicare and Medicaid.
At a recent company, we developed a more efficient care model. However, the specifics of our old model were in both the contract with the insurance company and their agreement with the state for Medicaid. This meant we could not switch to the new model until the insurance company re-bid Medicaid in that state.
Your care model can change, but the contract often cannot.
Who does this well?
If value-based contracting is to continue, contracts must be signed in one month, not twelve. What would that require?
Efficiency usually comes from fully opening something up or fully centralizing it. Currently, we have neither; it is both opaque and distributed. This needs to change.
A centralized approach would involve creating a sanctioned VBC contract broker. This broker would act as a middleman, providing standard terms to both sides, with blanks for exact cohort definition and financial terms. Crucially, this broker would host all required data in an isolated, compliant warehouse. Insurance companies would upload files, and VBC companies could read those files via an API without copying the underlying data, reducing risk. This could also be a federal initiative.
Another approach would be to fully open source both the contract and the data interchange formats. Contracts are currently confidential, but I wonder if they could be opened and standardized at the federal level. Data exchange is finally getting the benefits of open-source through The Tuva Project, which aims to open source the data transformations needed to parse insurance claims. Currently, every insurance company handles their claims differently, and every VBC company implements these transformations on their own with no real reference. Both the contract and data interchange process could be much more efficient.
I believe payers primarily care about favorable terms and data protection, which are satisfied in both. Either of these directions would advance the industry. I don't know if these changes would get us to 1 month, but they would take much less than 12.
What could the future hold
Today, in 2025, value-based contracts are largely only accessible to extremely large players in healthcare due to challenges with financing, consistency, and data security. By the time a value-based contract is secured, the care model is essentially set in stone – blocking the iteration that makes startups successful.
With millions of people losing Medicaid coverage and hospitals still bearing the cost of their care, hospitals could contract with value-based care providers to reduce losses on that population. I am concerned that these contracts take too long to adapt to policy changes from Washington, which disadvantages all of us.
Why Value-Based Care is Harder Than Rocket Science
This series argues that U.S. healthcare is "harder than rocket science" due to its "consolidated fragmentation," where powerful, siloed players hinder effective, affordable patient care. The main conclusion is that in an era of AI and consolidation, we need a major shift in data policy to deliver on the promise of improved quality of care at reduced cost.