The HIPAA Security Rule NPRM is a Forensic Document: What 2024's Two Largest Breaches Already Told Us About 2026's Compliance Map
There is a version of the HIPAA Security Rule NPRM that everyone is reading, and then there's a version that almost nobody is reading.
The version everyone is reading is a compliance update.
It's the biggest since 2013, with 4,700+ public comments, a May 2026 finalization target, a 240-day compliance window, industry pushback, and an uncertain timeline under a new administration. That's the version that generates webinars, vendor checklists, and LinkedIn posts from people who have never configured a DLP policy in their life.
The version almost nobody is reading is the one I want to talk about.
If you read it as a technical document rather than a regulatory one, the NPRM is, to be blunt, an autopsy report. Every new mandate traces to a specific failure mode at a specific organization in 2024.
The regulator of this rule didn't write it in a vacuum.
It was written in a year where a single missing MFA configuration exposed 192.7 million people and a flat network architecture turned one phishing click into a 142-hospital ransomware event. Once you see the NPRM that way, the compliance map writes itself, and it doesn't depend on whether the final rule is published in June, January, or never.
"Addressable" is dead. The documentation artifact that saved you for 12 years is now evidence against you.
Before the forensic map, one structural change needs to hit, because everything else downstream depends on this.
Since 2003, the HIPAA Security Rule has distinguished between "required" and "addressable" implementation specifications. "Addressable" wasn't supposed to be synonymous with "optional". It was supposed to mean that you could substitute an equivalent control or document why a specification wasn't reasonable and appropriate for your environment. In practice, that documentation artifact became the compliance strategy for most mid-market payers.
- Couldn't implement encryption everywhere? Write a memo explaining why.
- Couldn't enforce MFA on a legacy portal? Document the compensating control.
The file existed, the auditor reviewed it, and the organization passed. Proposed §164.306 eliminates the addressable tier.
Every implementation specification becomes required, with narrow exceptions for legacy technology under a documented migration plan and pre-March 2023 FDA-cleared medical devices with compensating controls. The "we considered it and here's why we didn't" memo, the artifact that has functioned as an audit survival tool for over a decade, will stop being a shield. Under the new framework, it becomes a factual record that you knew what was required and chose not to implement it.
That's the definitional threshold for willful neglect, which is the penalty tier that starts at $73,011 per violation after the January 28, 2026 inflation adjustment.
The phrase "every 12 months" appears 28 times in the proposed rule.
- Annual asset inventory review.
- Annual network map update.
- Annual risk analysis.
- Annual compliance audit.
- Annual penetration test.
- Annual BA verification.
- Annual workforce training.
- Annual incident response plan test.
This is not just a simple policy update.
Every mandate is an autopsy finding.
Here is the reading of the NPRM that I haven't seen anyone else publish at this level of specificity. Each major new mandate maps to a named 2024 breach, a documented failure mode, and a regulatory response designed to prevent that specific failure from recurring. The NPRM is essentially an after-action report with the force of law standing behind it.
Change Healthcare → Universal MFA
In February 2024, the ALPHV/BlackCat ransomware group compromised a Citrix remote access portal at Change Healthcare. The portal lacked multi-factor authentication. CEO Andrew Witty confirmed in Senate and House testimony that MFA was company policy but had not been enforced on that specific system.
The result was the largest healthcare data breach in U.S. history. 192.7 million individuals affected (more than half the U.S. population). UnitedHealth Group disclosed $2.457 billion in total cyberattack impacts through Q3 2024. The full-year 2024 total reached $3.09 billion. Claims processing disruption lasted months. The downstream impact on providers, pharmacies, and patients is still being measured.
The root cause reduced to a single sentence: one authentication failure on one portal.
The NPRM response to this is the proposed MFA requirement under §164.312.
It doesn't say "where reasonable and appropriate", it doesn't say "addressable", it says "required".
If you process ePHI, every access point gets MFA including the Citrix portal, the VPN concentrator, the claims adjudication system, and the PBM connection that your team hasn't touched since 2019 because it works and nobody wants to break it.
Ascension → Network segmentation
On May 8, 2024, a single workforce member at Ascension downloaded a malicious file. Black Basta ransomware operators used that initial foothold to move laterally across an inadequately segmented network. The blast radius reached 142 hospitals across 19 states and the District of Columbia, forcing facilities to revert to paper-based operations for weeks. 5.6 million individuals were affected. Ascension reported an FY2024 operating loss of $1.8 billion, a figure significantly worsened by the ransomware event. Prior to the May attack, Ascension had narrowed its operating losses to $332 million through the first ten months of the fiscal year.
The root cause: flat network architecture that allowed a single-user compromise to propagate as an enterprise-wide event. The lateral movement path that should have been blocked at the first network boundary wasn't blocked at any network boundary.
As a result, the NPRM introduces a new standard at proposed §164.312 requiring policies and procedures to segment ePHI and, this is the exact language, "limit access and prevent lateral movement by intruders." Network segmentation has been best practice since at least 2016, but the NPRM makes it a mandate. For healthcare providers, this is the hardest control to deliver because of IoMT and legacy clinical devices. For payers, the challenge is different but real and includes claims processing zones, clearinghouse connections, PBM integrations, and member portal infrastructure that will all need segmentation boundaries that most payer environments don't currently have.
Montefiore → 1-hour workforce access termination
An insider at Montefiore Medical Center stole the ePHI of 12,517 patients over a six-month period and sold it to an identity theft ring. OCR settled for $4.75 million. The organization lacked mechanisms to monitor system activity, detect unauthorized access patterns, or revoke access when a workforce member's authorization should have changed.
Delayed detection and response to insider access maps to the NPRM's proposed one-hour termination clock: access to ePHI must end no later than one hour after a workforce member's employment or other arrangement ends.
Not end of day, not next business day, and certainly not when IT gets around to it. For most payer environments, this requires an HRIS-to-identity-platform integration that doesn't exist yet. If your HR system and your identity provider aren't connected by an automated lifecycle workflow that triggers on employment status change, you cannot meet this clock.
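One way to measure the one-hour clock against your own records, as an added example that is not from the original post: the script joins constructed HR termination events to constructed IdP account-disable audit events on an assumed user ID field and flags each terminated user as on time, late, or never revoked.

```python
"""Check HR terminations against IdP revocation events for the one-hour clock.

Added example (not from the original post). Input logs are constructed and
the field names (user, terminated_at, action, at) are assumptions.
"""
from datetime import datetime, timedelta

ONE_HOUR = timedelta(hours=1)

# Constructed sample: HR system termination events (UTC, ISO 8601).
HR_TERMINATIONS = [
    {"user": "u1001", "terminated_at": "2026-03-02T14:05:00"},
    {"user": "u1002", "terminated_at": "2026-03-02T16:30:00"},
    {"user": "u1003", "terminated_at": "2026-03-03T09:00:00"},
]

# Constructed sample: identity-provider audit events.
IDP_EVENTS = [
    {"user": "u1001", "action": "account_disabled", "at": "2026-03-02T14:40:00"},
    {"user": "u1002", "action": "account_disabled", "at": "2026-03-03T08:10:00"},
    {"user": "u1003", "action": "password_reset", "at": "2026-03-03T09:20:00"},
]


def check_termination_clock(hr_events, idp_events, limit=ONE_HOUR):
    """Return {user: (status, delay_minutes)} for every terminated user.

    status is 'ok' (disabled within `limit`), 'late', or 'not_revoked'
    (no account_disabled event at all). An account disabled before the HR
    termination time counts as 'ok' with zero delay.
    """
    # Earliest account_disabled event per user; other actions are ignored.
    disabled_at = {}
    for e in idp_events:
        if e["action"] != "account_disabled":
            continue
        t = datetime.fromisoformat(e["at"])
        if e["user"] not in disabled_at or t < disabled_at[e["user"]]:
            disabled_at[e["user"]] = t

    findings = {}
    for h in hr_events:
        term = datetime.fromisoformat(h["terminated_at"])
        rev = disabled_at.get(h["user"])
        if rev is None:
            findings[h["user"]] = ("not_revoked", None)
            continue
        delay = max(rev - term, timedelta(0))
        status = "ok" if delay <= limit else "late"
        findings[h["user"]] = (status, int(delay.total_seconds() // 60))
    return findings


if __name__ == "__main__":
    for user, (status, minutes) in check_termination_clock(HR_TERMINATIONS, IDP_EVENTS).items():
        print(f"{user}: {status} ({minutes} min)")
```

Running the check as a scheduled job against real HR and IdP exports gives you the 'late' and 'not_revoked' rows an auditor would ask about, rather than a policy statement that the integration exists.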
MOVEit → 24-hour cross-entity notification
The Cl0p exploitation of the MOVEit Transfer zero-day in mid-2023 cascaded through 2024 as breach notifications continued to surface.
The eight largest healthcare-specific MOVEit breaches alone (Welltok, Maximus, Delta Dental, CMS, Arietis Health, PH Tech, Sutter Health, Blue Shield of California) account for more than 41 million exposed PHI records, with dozens of smaller healthcare breaches on top of that. The defining characteristic of the MOVEit impact was the notification gap. Covered entities didn't know their data was exposed because their business associates didn't tell them quickly enough. By the time downstream organizations learned about the breach, the exposure window had been open for weeks.
The NPRM response: other covered entities or business associates must be notified within 24 hours when a workforce member's authorization to access ePHI maintained by that other entity changes or terminates.
Business associates must also notify covered entities within 24 hours of activating their contingency plans. The problem that defined MOVEit is addressed by making silence a violation.
Industry-wide recovery failures → 72-hour restoration
Change Healthcare's claims-processing disruption lasted for months. Ascension's hospitals operated on paper for weeks. Across the 2024 breach landscape, the consistent pattern was that healthcare organizations could not restore critical systems fast enough to maintain patient care and business continuity.
Proposed §164.308 requires system restoration of critical relevant electronic information systems within 72 hours of loss.
This is without a doubt the most operationally demanding clock in the entire NPRM. Meeting this mandate requires immutable backups, tested recovery procedures, and a restoration architecture that has actually been validated (read: not a disaster recovery plan that sits in a SharePoint folder and gets updated once a year by someone who has never executed it).
OCR's own enforcement findings → Asset inventory, network map, risk analysis
This one maps to a pattern rather than a single breach. Every major OCR enforcement action under the Risk Analysis Initiative (more than a dozen and counting) cites the same provision: §164.308(a)(1)(ii)(A), the risk analysis requirement. Organizations don't know what assets they have, they don't know where ePHI flows, and to top it off they can't articulate threat-vulnerability pairs tied to specific systems.
The NPRM codifies what OCR has been enforcing informally: a written technology asset inventory identifying every asset that touches ePHI (§164.308(a)(1)(i)), a written network map illustrating ePHI movement (§164.308(a)(1)), and a risk analysis that must include both artifacts plus identification of all reasonably anticipated threats, identification of vulnerabilities, and assignment of likelihood, impact, and risk level for each threat-vulnerability pair. All of it needs to be written, reviewed annually, and auditable.
The penalty math after January 28, 2026.
I'll make this brief because this is the part everyone already knows, but most published penalty tables are pre-adjustment.
HHS published an inflation adjustment effective January 28, 2026. For Tier 4 violations (willful neglect that is not corrected within 30 days) the range is $73,011 per violation up to $2,190,294 per violation, with a $2,190,294 annual cap. The elimination of "addressable" makes Tier 4 mechanically easier to establish. If a specification is mandatory, and you didn't implement it, and you have no documented migration plan for a qualifying exception, the "willful" element reduces to a factual finding.
But the headline penalty is the smallest part of the exposure. The real cost is found in the Corrective Action Plan (which is typically a two-year monitored program), state attorney general parallel actions (a HIPAA breach in New York typically also triggers SHIELD Act liability), class action litigation (the Change Healthcare MDL alone has more than 60 consolidated actions), and for publicly traded payers SEC 8-K disclosure obligations and Delaware Caremark-doctrine board liability.
The compliance map that doesn't depend on the final rule.
Here's where I stand regarding all this.
As of today OCR has not published the final rule. Director Paula Stannard told the HIMSS 2026 audience in Las Vegas that OCR is still working through the 4,700+ comments, and she made no commitment to a finalization date. Three outcomes are plausible:
- Slimmed-down finalization in late 2026 or early 2027
- Re-proposal with an extended compliance window
- Shelving
None of this, however, changes the compliance map.
OCR is already enforcing NPRM-level expectations under the existing rule through the Risk Analysis Initiative and Phase 3 HIPAA compliance audits. In 2025 and early 2026 alone, enforcement actions citing risk analysis failures hit:
- Comstar ($75,000 for a ransomware attack affecting approximately 585,000 individuals)
- BayCare ($800,000)
- Deer Oaks ($225,000)
- Syracuse ASC ($250,000)
- Health Fitness Corporation ($227,816)
- Top of the World Ranch ($103,000)
Nick Heesters, OCR's Senior Advisor for Cybersecurity, released a guidance video in April 2026 formally expanding the initiative beyond risk analysis to include risk management, meaning what organizations actually do about the risks they identify. The 50-entity Phase 3 audit scope is a pilot. OCR's FY 2026 budget request is signaling expansion.
The mandates in the NPRM are not speculative requirements from a future regulatory regime. In fact, they codify what the regulator is already looking for when they open an investigation:
- MFA
- Encryption at rest and in transit
- Segmentation
- Asset inventory
- Network map
- Risk analysis with threat-vulnerability pairs
- Incident response with a defined restoration timeline
- Annual evaluation
The only thing the final rule adds is the elimination of the documented excuse. Stannard put it plainly at HIMSS:
"There's a very high cost of doing nothing. A successful cyberattack can cost far more in terms of reputation, potentially paying a ransom, remediation of information systems, protection for those whose PHI was accessed, potential civil lawsuits from harm to individuals, and not to mention my investigators coming and knocking on your door and asking for information and talking about penalties."
A payer CISO who reads the NPRM as a compliance update will wait for the final rule, scope a budget request, and start planning in Q1 2027. A payer CISO who reads it as an autopsy report will start building controls now because the regulator already told you exactly what they're going to ask for, and they told you why.
In the next post, I'll explain why the data that matters most to payers (member IDs, claims records, prior authorizations, EOBs) doesn't look like what most classification tools expect, and what that means for any CISO trying to build the asset inventory and data flow map the NPRM now requires.

Matt Silcox is the founder of Severian Technology Group and one of three U.S.-based Microsoft MVPs in Purview Data Security. He works exclusively with healthcare payers on Purview implementation, data classification, and HIPAA Security Rule compliance. More at severiansecurity.com
Article Sources
Federal Register: HIPAA Security Rule NPRM (January 6, 2025)
HIPAA Journal: OCR Gives Update on Proposed HIPAA Security Rule
Davis Wright Tremaine: "HIPAA Security Rule Resolves To Hit the Gym"
HHS OCR: Change Healthcare Cybersecurity Incident FAQ
SEC 8-K: UnitedHealth Group Q3 2024 Earnings
Becker's Hospital Review: Financial Toll of the Change Healthcare Hack
HIPAA Guide: Change Healthcare Data Breach
HIPAA Journal: Ascension Cyberattack 2024
SecurityWeek: 5.6 Million Impacted by Ransomware Attack on Ascension
BlackFog: Ascension Ransomware Attack
HHS OCR: Montefiore Settlement Announcement
HIPAA Journal: CMS Wisconsin Physicians Service MOVEit Hack
SecurityWeek: Delta Dental Data Breach
Federal Register: Annual Civil Monetary Penalties Inflation Adjustment
HIPAA Journal: HHS Applies Inflation Increase to Penalties
HHS OCR: Health Fitness Corporation Settlement
HHS OCR: Top of the World Ranch Settlement
Nixon Peabody: 2025 HIPAA Enforcement Tally
Clearwater Security: OCR Risk Analysis Update for Covered Entities
TechTarget HealthTech Security: OCR Director Defends HIPAA Updates
HIPAA Guide: OCR Director Responds to Criticism of Proposed HIPAA Security Rule
DataBreaches.net: OCR Releases Risk Management Video
Clearwater Security: HIPAA Security Rule Enforcement: Where Things Stand in 2026
HFMA: JPML Order Centralizing Change Healthcare MDL
U.S. District Court, District of Minnesota: Change Healthcare MDL Docket