The Real Price Tag of Regulation: How Successive Rules Drive Up Health Care Costs
Picture a small Critical Access Hospital in the rural Midwest. Eleven beds, a handful of providers, and an IT budget that makes most sysadmins cringe. It is 2011, the HITECH Act's Meaningful Use incentive program is picking up steam, and management has made the call: we need a certified EHR to keep getting paid.
They looked at the big names. Epic? Out of reach. Cerner? Same story. They evaluated mid-tier options and found platforms that were clunky, overpriced, or weak on the inpatient side. Full implementation quotes were coming in at $1.5 million or more before training and interfaces. For an 11-bed CAH operating on razor-thin margins, that number might as well have been $15 million.
So they went with a smaller vendor. Call them "SmallShop EHR." The price tag: roughly $500,000 to get up and running. That was still a stretch, but it was the only realistic path to Stage 1 attestation and the incentive payments that came with it. They signed, implemented, integrated it into daily workflows, and moved on with their lives.
Then Stage 2 arrived.
The Regulatory Trigger
The Meaningful Use program, created under the HITECH Act in 2009, rolled out in stages designed to push health care organizations toward certified EHR adoption. Stage 1 (2011 to 2013) focused on basic data capture: electronic prescribing, recording demographics, maintaining problem and medication lists, and reporting clinical quality measures. The bar was reachable. Vendors of all sizes could build products that met the certification requirements, and many did.
Stage 2, which CMS originally planned for 2013 but delayed to 2014 specifically to give vendors more development time, was a different animal entirely. The new requirements included patient portals with view, download, and transmit capabilities for more than 5% of patients. Summary-of-care records had to be exchanged electronically during transitions, including at least one successful exchange with a system built by a different EHR developer. Secure electronic messaging between providers and patients became a core objective. Public health reporting requirements expanded to include immunization registries, syndromic surveillance, and cancer registries. Clinical quality measure reporting got more complex. The list went on.
These were not trivial feature additions. They required significant development effort, ONC certification testing, interoperability infrastructure, and ongoing maintenance. For the larger EHR vendors with deep engineering teams and steady revenue streams, it was a heavy lift but a manageable one. For the wave of smaller vendors that had entered the market specifically to capitalize on Stage 1, it was a wall.
CMS delaying Stage 2 by a year was itself an acknowledgment that the market was not ready. The fact that they had to delay it tells you everything about the gap between what the regulation demanded and what the vendor ecosystem could deliver.
What Happened to the Small Vendors
The math was straightforward and unforgiving. Building out patient portal functionality, interoperable data exchange, structured public health reporting, and the rest of the Stage 2 feature set required engineering resources that many smaller vendors simply did not have. Certification testing alone was expensive and time-consuming. Maintaining compliance with evolving ONC certification criteria added a recurring cost that ate into margins.
The result was predictable. Vendors that had rushed products to market for Stage 1 incentives could not keep pace with Stage 2 requirements. Some delayed certification indefinitely. Some were acquired. Some quietly shut down. The market consolidated, and the organizations that had chosen those vendors were left holding the bag.
Back at our 11-bed CAH, SmallShop EHR announces they are closing up shop. They cannot meet Stage 2 certification. The hospital now has a system that will not support the regulatory requirements they need to meet in order to avoid Medicare payment adjustments. They have to migrate.
That migration means going to one of the platforms they could not afford in the first place, except now the price includes data conversion (easily $50,000 to $500,000 or more depending on volume and complexity), new interface builds to lab, radiology, pharmacy, and billing systems, staff retraining, workflow redesign, and the productivity loss that comes with any EHR cutover. The organization that "saved" money by going with the budget option ends up spending significantly more than if they had found a way to finance a scalable platform from the start.
This was not an isolated case. It was a pattern that played out across rural health care.
It is worth noting that the development landscape looks meaningfully different today than it did in 2012. The small vendors that failed during Stage 2 were not necessarily lacking in domain knowledge or dedication to their customers. They were outmatched on raw engineering capacity. Building a patient portal, an interoperable exchange framework, and public health reporting modules from scratch required developer headcount that a small company simply could not fund. Modern AI-assisted development tools have changed that equation. A small, focused vendor with deep knowledge of rural health care workflows and a genuine commitment to the product can now realistically keep pace with feature development and regulatory adaptation in ways that were not possible a decade ago. That does not mean every small vendor is a safe bet. It means the due diligence questions matter more than the size of the company. A dedicated team of ten building purpose-built software for 25-bed CAHs may, in 2026, be a better fit than a 5,000-person enterprise vendor that treats rural as an afterthought. The lesson from the Meaningful Use era is not "never pick a small vendor." It is "understand what the next regulatory wave will demand and verify that your vendor can deliver it."
Of course, the large vendors have access to the same AI development tools, and they are using them. Oracle built an entirely new AI-native EHR from the ground up and had ambulatory functionality available by mid-2025, with acute care planned for 2026. That kind of development speed was unthinkable five years ago. But here is the part that matters to the person writing the check at a rural hospital: lower development costs for the vendor do not translate to lower prices for the customer. When a company that spent $28 billion acquiring Cerner builds a next-generation product faster and cheaper using AI, those efficiency gains flow to the vendor's margins, not to your invoice. The same dynamic applies across the vendor ecosystem. AI reduces the cost to build, maintain, and update software for every vendor in the market. Virtually none of that savings is showing up as reduced pricing for health care organizations.
It is another layer of the cost stack that rarely gets talked about, and it is worth understanding when your vendor explains why their annual maintenance fees went up again.
The Numbers Tell the Story
A 2025 survey by Black Book Research covering 202 rural hospitals across 41 states paints a clear picture of where things stand more than a decade after Meaningful Use began. Among the key findings: 55% of surveyed rural hospitals are planning to reassess or replace their current EHR systems by the end of 2026. Among Critical Access Hospitals specifically, that number climbs to 60%. Sixty-eight percent of respondents are still running EHR systems that are eight or more years old, many of them the same platforms purchased during the Meaningful Use incentive era. Nearly half (47%) have not upgraded to their vendor's current software release due to prohibitive costs, inadequate support, or limited internal IT resources.
The single biggest pain point? Total cost of ownership, cited by 85% of respondents as unsustainable. Hidden integration fees, costly upgrades, and rising support expenses were the primary drivers.
As Black Book Research president Doug Brown put it in the January 2026 survey release: rural hospitals are not small urban systems. They need rural-fit products, rural-fit implementation models, and rural-fit support. What they have been getting, in many cases, are enterprise platforms designed for large integrated delivery networks, repackaged with a "rural-ready" label and sold at prices that assume staffing and budgets that do not exist in a 25-bed CAH.
The irony is thick. A regulatory program designed to modernize health care through technology adoption created a temporary vendor boom, followed by consolidation that left the most vulnerable organizations paying the highest price.
The Next Wave Is Already Here
If you are working in health care IT and think the cost pressure from regulation peaked with Meaningful Use, the proposed update to the HIPAA Security Rule should get your attention.
In late 2024, HHS's Office for Civil Rights published a Notice of Proposed Rulemaking (NPRM) representing the first major overhaul of the HIPAA Security Rule since 2013. The comment period closed in March 2025 with nearly 5,000 comments submitted, many of them critical. A coalition of more than 100 signatories, including hospital systems, provider organizations, and provider associations, sent a joint letter to HHS in December 2025 calling for the proposed rule to be withdrawn entirely, arguing it places unsustainable financial burdens on providers. As of early 2026, the final rule remains on OCR's regulatory agenda with a target finalization date of May 2026, but OCR has not confirmed whether a final rule will actually be issued. The rule could be finalized as proposed, scaled back significantly, or shelved altogether.
The proposed changes are substantial. The NPRM would eliminate the current distinction between "Required" and "Addressable" implementation specifications under the Security Rule (45 CFR 164.306(d)), making all specifications mandatory with limited exceptions. For context, the current rule allows covered entities to evaluate Addressable specifications against their environment and either implement them, or document why an equivalent alternative measure is in place. Under the proposed rule, that flexibility largely goes away.
Beyond the Addressable-to-Required shift, the NPRM proposes mandatory multi-factor authentication (not limited to remote access), encryption of ePHI at rest and in transit, technology asset inventories updated at least annually, network maps illustrating the movement of ePHI, vulnerability scans at least every six months, annual penetration testing, written documentation of all Security Rule policies and procedures, compliance audits at least every 12 months, and a 72-hour security incident restoration requirement.
HHS estimates the first-year compliance cost across all regulated entities at approximately $9 billion, with recurring annual costs of roughly $6 billion for years two through five. If the rule is finalized as proposed, organizations would have 240 days to comply.
Those costs do not land only on the covered entities themselves. Every vendor selling products and services to health care organizations, from EHR platforms to medical device manufacturers to managed service providers, will face increased engineering, testing, compliance, and support obligations. Those costs get passed through to the organizations writing the checks. For a CAH with a two-person IT team and a budget that barely covers what they have today, the downstream price increases from vendor compliance alone represent a meaningful hit.
Connecting the Dots on Cost
None of this is an argument against regulation itself. The HIPAA Security Rule exists because electronic protected health information needs to be protected. Meaningful Use existed because the health care industry was dangerously behind on health IT adoption. The intent behind both programs is sound.
But intent does not pay invoices. And there is a direct, traceable line between each new regulatory requirement and the costs that health care organizations bear to meet it.
When Stage 1 of Meaningful Use was announced, a wave of vendors entered the market. When Stage 2 raised the bar, many of those vendors could not keep up, and the organizations that had relied on them paid for it twice. When the HIPAA Security Rule is updated, vendors across the ecosystem will invest in compliance, and those investments will show up in the prices health care organizations pay for software, devices, and services. When medical device manufacturers must meet more prescriptive security requirements, the per-unit cost of those devices goes up.
This is not a conspiracy. It is basic economics. More regulation means more compliance overhead. More compliance overhead means higher costs for the vendors who must meet it. Higher vendor costs mean higher prices for the health care organizations that buy their products. Higher organizational costs eventually show up somewhere in the cost of delivering care.
The people who express frustration about the cost of health care in the United States are not wrong to be frustrated. But the conversation is incomplete if it does not account for the regulatory cost stack that every health care organization carries. Every mandate, every new reporting requirement, every compliance specification adds weight. Individually, many of them are reasonable and necessary. Collectively, they represent a significant and growing portion of what it costs to operate a health care organization's technology infrastructure.
What IT Leaders Can Do About It
You cannot control the regulatory environment, but you can plan for it. Here are practical steps for IT leaders at organizations of any size.
Treat regulatory compliance as a known operating expense, not a surprise. New rules will come. Budget lines for compliance should be standing items, not emergency requests. If your annual budget does not include a line for regulatory adaptation, you are planning to be surprised.
Get a seat at the table when vendor decisions are being made. Let's be honest: in many rural and small health care organizations, the IT leader does not pick the EHR. That decision gets made by administration, the board, or clinician leadership, and IT gets handed the result. But you can influence the conversation, and you should. When your organization is evaluating a new EHR or any major platform, bring the TCO question to the table before the contract is signed. Ask the vendor for a five-year product roadmap. Ask how they plan to address the proposed HIPAA Security Rule changes. Ask about their certification track record and what happens to your data if they exit the market. Leadership may still choose the cheapest option on the sticker, but if you have put the total cost picture in front of them in writing, you have done your job. And if that vendor folds in three years, nobody can say they were not warned.
Build your documentation posture now. Whether or not the HIPAA Security Rule NPRM is finalized as proposed, the direction is clear: more documentation, more structured evidence of compliance, more frequent review cycles. Starting your asset inventory, network map, and written policies and procedures now means you are building incrementally instead of scrambling against a 240-day compliance clock.
Know what hardship and exception provisions exist. CMS has historically provided hardship exceptions and reporting flexibility for CAHs and small rural hospitals facing legitimate barriers. These do not make the underlying costs go away, but they can provide breathing room on timelines. Staying informed on available exceptions is part of the job.
Do not absorb regulatory costs in silence. Health care organizations, especially rural ones, cannot afford to simply accept each new mandate without making sure the people writing those mandates understand what they actually cost. Your state hospital association, your legislators, your county commissioners, and your community all need to hear the operational math. When a proposed rule carries a $9 billion industry price tag and your 25-bed CAH's share of that lands as higher vendor prices, new tooling requirements, and consulting fees you did not budget for, someone in your organization needs to be putting those numbers in front of the people who influence policy. This is not about being for or against regulation. It is about making sure the people creating requirements for health care organizations understand the real-world cost of implementation at the facilities that can least afford it. A CAH CEO who can walk a state legislator through what an unfunded compliance mandate actually costs a small rural hospital is doing more for their community than any lobbying firm. If leadership at rural health care organizations stays silent, the only voices policymakers hear are the ones from organizations with budgets large enough to absorb whatever comes next.
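As an added example (not code from the article or any vendor), the checks below encode the NPRM cadences listed earlier (annual inventory update, vulnerability scans every six months, annual penetration test, compliance audit every 12 months) plus the MFA and encryption-at-rest controls, and run them over a constructed asset inventory for a hypothetical CAH; the field layout, asset names, and dates are all assumptions.

```python
from dataclasses import dataclass
from datetime import date

# Review cadences as listed in the NPRM summary above, in days.
CADENCE_DAYS = {
    "asset inventory update": 365,  # updated at least annually
    "vulnerability scan": 182,      # at least every six months
    "penetration test": 365,        # annually
    "compliance audit": 365,        # at least every 12 months
}

@dataclass
class Asset:
    """One row of the technology asset inventory (constructed fields)."""
    name: str
    handles_ephi: bool
    encrypted_at_rest: bool
    mfa_enforced: bool
    last_reviewed: date

def overdue_activities(last_done: dict, today: date) -> list:
    """Recurring activities never recorded, or completed longer ago than their cadence."""
    return [act for act, days in CADENCE_DAYS.items()
            if act not in last_done or (today - last_done[act]).days > days]

def asset_gaps(assets: list, today: date) -> list:
    """Flag ePHI-handling assets missing a proposed control or a fresh review."""
    gaps = []
    for a in assets:
        if not a.handles_ephi:
            continue  # this constructed check only looks at assets that touch ePHI
        if not a.encrypted_at_rest:
            gaps.append((a.name, "ePHI not encrypted at rest"))
        if not a.mfa_enforced:
            gaps.append((a.name, "MFA not enforced"))
        if (today - a.last_reviewed).days > CADENCE_DAYS["asset inventory update"]:
            gaps.append((a.name, "inventory entry not reviewed within a year"))
    return gaps

# Constructed sample inventory and activity log for a hypothetical 25-bed CAH.
SAMPLE_ASSETS = [
    Asset("ehr-db-01", True, True, True, date(2025, 11, 1)),
    Asset("pacs-srv-01", True, False, True, date(2025, 6, 15)),
    Asset("lab-analyzer-02", True, True, False, date(2024, 12, 1)),
    Asset("kiosk-lobby", False, False, False, date(2023, 1, 1)),
]
SAMPLE_LAST_DONE = {  # no compliance audit on record yet
    "asset inventory update": date(2025, 9, 1),
    "vulnerability scan": date(2025, 6, 1),
    "penetration test": date(2024, 10, 1),
}

def sample_report(today_iso: str) -> dict:
    """Run both checks against the constructed sample as of the given ISO date."""
    today = date.fromisoformat(today_iso)
    return {"overdue": overdue_activities(SAMPLE_LAST_DONE, today),
            "gaps": asset_gaps(SAMPLE_ASSETS, today)}
```

Re-running `sample_report` with each budget cycle's date gives a standing list of what the next review window will demand, which is the kind of evidence the documentation paragraph above asks you to start accumulating now.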
The organizations that navigate regulatory waves most effectively are not the ones with the biggest budgets. They are the ones that see each new rule as a known variable in their planning process rather than a bolt from the blue. Regulations do not lower costs. They raise the floor on what every vendor and every organization must deliver. The sooner that reality is built into your planning, the less painful each successive wave will be.
This article is for informational purposes only and does not constitute legal or compliance advice. Covered entities and business associates should consult qualified legal counsel or compliance professionals before making decisions pertaining to HIPAA or IT infrastructure.
Sources
- CMS Meaningful Use Stage 2 Overview Tipsheet: https://www.cms.gov/regulations-and-guidance/legislation/ehrincentiveprograms/downloads/stage2overview_tipsheet.pdf
- HIPAA Journal, "Meaningful Use Stage 2 Requirements": https://www.hipaajournal.com/meaningful-use-stage-2-requirements/
- HealthIT.gov, "Meaningful Use Stage 2: What It Means for Interoperability": https://www.healthit.gov/buzz-blog/meaningful-use/meaningful-use-stage-2
- Black Book Research, "Rural and Critical Access Hospital EHR Replacement - 2026 Market Outlook" (Q2 2025 Survey): https://blackbookmarketresearch.com/uploads/pdf/399U23_Rural%20Hospital_EHR_Replacement_Revised.pdf
- Newswire, "Replacement Wave of Rural and Critical Access Hospital EHR Systems Expected by 2027" (July 30, 2025): https://www.newswire.com/news/replacement-wave-of-rural-and-critical-access-hospital-ehr-systems-22617581
- Newswire, "Black Book Research: Rural Hospital Survey Finds Health IT Still Too Often 'Urban-First'" (January 16, 2026): https://www.newswire.com/news/black-book-research-rural-hospital-survey-finds-health-it-still-too-often-urban
- HHS Office for Civil Rights, HIPAA Security Rule NPRM: https://www.hhs.gov/hipaa/for-professionals/security/hipaa-security-rule-nprm/index.html
- HHS Office for Civil Rights, HIPAA Security Rule NPRM Fact Sheet: https://www.hhs.gov/hipaa/for-professionals/security/hipaa-security-rule-nprm/factsheet/index.html
- Alston & Bird, "HIPAA Security Rule: Still on Track for Finalization" (November 4, 2025): https://www.alston.com/en/insights/publications/2025/11/hipaa-security-rule-overhaul
- HIPAA Journal, "Over 100 Hospital Systems and Provider Associations Call for Withdrawal of Proposed HIPAA Security Rule Update" (December 15, 2025): https://www.hipaajournal.com/hospitals-provider-associations-withdrawl-hipaa-security-rule-update/
- HIPAA Journal, "Final Rule Implementing HIPAA Security Rule Updates Edges Closer" (March 2026): https://www.hipaajournal.com/final-rule-implementing-hipaa-security-rule-updates-edges-closer/
- Crowell & Moring, "OCR Issues NPRM to Modernize the HIPAA Security Rule" (January 10, 2025): https://www.crowell.com/en/insights/client-alerts/ocr-issues-notice-of-proposed-rulemaking-to-modernize-the-hipaa-security-rule-and-strengthen-protections-for-health-information
- 45 CFR Part 164, Subpart C - Security Standards for the Protection of Electronic Protected Health Information: https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-C
- Oracle, "Oracle Ushers in New Era of AI-Driven Electronic Health Records" (August 13, 2025): https://www.oracle.com/news/announcement/oracle-ushers-in-new-era-of-ai-driven-electronic-health-records-2025-08-13/