When the Change Healthcare ransomware attack went public in February 2024, it did more than knock pharmacy claims offline for weeks. It exposed how a single intermediary — a UnitedHealth Group subsidiary processing roughly a third of US patient records — could become a national chokepoint. Hospitals delayed surgeries. Independent pharmacies missed payroll. The breach was ultimately reported to have compromised the protected health information of around 100 million Americans, one of the largest health data exposures in US history.
That incident is the political backdrop for the most significant rewrite of the HIPAA Security Rule since 2013. In late December 2024, the HHS Office for Civil Rights (OCR) issued a Notice of Proposed Rulemaking aimed at hardening the cybersecurity floor for covered entities and business associates. Published in the Federal Register in January 2025, the NPRM is now being debated alongside the Cybersecurity and Infrastructure Security Agency's parallel CIRCIA rulemaking — the implementation of the 2022 Cyber Incident Reporting for Critical Infrastructure Act. Together, these two proceedings will define the cyber compliance perimeter for the entire US healthcare sector for the next decade.
What the NPRM actually does
The most consequential change is structural: the proposed rule would eliminate the long-standing distinction between "required" and "addressable" safeguards. Under the existing 2013 framework, controls such as encryption have been technically addressable — meaning a regulated entity could decline to implement them with documented justification. In practice, this gave smaller providers cover for decades of weak posture. The NPRM would, in effect, make a baseline of modern controls mandatory.
OCR's proposal includes:
- Encryption of electronic protected health information at rest and in transit, with limited exceptions
- Multi-factor authentication for systems handling ePHI
- Network segmentation to limit lateral movement after an initial compromise
- Mandatory vulnerability scanning and annual penetration testing
- Written incident response plans with a 72-hour restoration-of-critical-systems target
- Annual compliance audits and written verification from business associates
OCR's own regulatory impact analysis estimates the cumulative cost to the regulated industry at roughly $9 billion in the first year and several billion annually thereafter — figures that have drawn sharp comment from hospital associations and rural-health groups.
The case for action — and the case for restraint
The case for raising the floor is strong. The healthcare sector remains the most-attacked critical infrastructure vertical in the United States. According to HHS's own reporting, the number of large breaches affecting 500 or more individuals has grown sharply over the past five years, with ransomware and hacking incidents now driving the overwhelming majority of exposed records. A patient whose oncologist's EHR is encrypted by Conti or BlackCat does not care about regulatory subtlety; they care that their treatment was delayed.
At the same time, prescriptive rulemaking carries real costs that the NPRM does not fully reckon with. Three deserve attention.
1. Fragmentation between HIPAA and CIRCIA
CISA's CIRCIA NPRM, published in April 2024, will require covered entities — including most hospitals and health systems — to report substantial cyber incidents within 72 hours and ransom payments within 24 hours. The HIPAA Breach Notification Rule and state breach laws already impose overlapping obligations on similar facts. A community hospital that suffers a ransomware event in 2027 may face three to five concurrent reporting clocks running to different agencies with different definitions. Congress's intent in CIRCIA was harmonization; without active reconciliation between OCR and CISA, the practical effect will be the opposite.
2. Cost falls on the entities least able to absorb it
Large integrated delivery networks already run most of what the NPRM mandates. The marginal compliance burden falls hardest on rural hospitals, independent physician practices, and small business associates — the same entities that the FTC and HHS have repeatedly identified as already struggling under consolidation pressure. A rule that pushes another wave of small providers into selling to larger systems would not improve cybersecurity outcomes; it would simply move more records into the same too-big-to-fail processors that produced Change Healthcare.
3. Checklist compliance can crowd out real security
Annual penetration testing, written attestations, and audit logs are necessary but not sufficient. Sophisticated ransomware actors are rarely stopped at the perimeter; they exploit identity, supply chain, and unpatched edge devices. Outcome-based rules — measured by, for example, time-to-detect and time-to-recover — would align regulatory effort with the metrics that actually determine patient harm.
A proportionate path
The right response is not to weaken the NPRM but to sharpen it. OCR and CISA should publish a joint reporting template that satisfies HIPAA, CIRCIA, and state obligations from a single submission. The rule should include a meaningful tiered compliance schedule — perhaps 18 months for large systems, 36 months for small providers — paired with HHS funding under the existing 405(d) program for safe-harbor implementation. And the final rule should explicitly recognize that entities adopting recognized frameworks such as the HHS HICP and NIST CSF 2.0 satisfy the corresponding technical requirements, rather than forcing duplicative documentation.
Ransomware operators in 2026 are not waiting for a Federal Register comment cycle. But the difference between a rule that genuinely reduces patient harm and one that simply expands the compliance industrial complex will be decided in the next twelve months. The Change Healthcare breach gave Congress and the agencies a rare political mandate to act. The discipline now is to use it to fix the security gap — not to build another regulatory silo around it.