A number of updates to the Health Insurance Portability and Accountability Act (HIPAA) have been proposed since the 2013 Final Omnibus Rule. Only the Privacy Rule, however, has been updated and was limited to patient access to test reports.

HIPAA “has mostly been locked in amber since 2009,” said Roy Wyman, Nelson Mullins partner and privacy and security industry group chair.

But a “second wave” of privacy and security rules is coming, Wyman said. In some cases, it’s already arrived through global game changers such as the European Union’s General Data Protection Regulations and strong state efforts such as the California Consumer Privacy Act (CCPA). Nationwide, U.S. changes are suggested by two Senate bills and proposed changes to the HIPAA Privacy Rule, released in December with the comment period now extended to May 2021.