[co-author: Beatrice Edler]
Overview
A new Texas law governing electronic health records (“EHR"), Senate Bill 1188 (“S.B. 1188”), is going into effect September 1, 2025. The bill sets out a number of new requirements and additions to the Texas Health and Safety Code, including: (1) a requirement to store EHR of Texas patients locally in the U.S.; (2) requirements for when artificial intelligence (“AI”) may be used for diagnostic purposes; and (3) requirements related to how biological sex must be documented and entered into EHR systems.
The bill applies to “covered entities,” which includes any entity that “for commercial, financial, or professional gain, monetary fees, or dues, […] engages, in whole or in part, and with real or constructive knowledge, […] in the practice of assembling, collecting, analyzing, using, evaluating, storing, or transmitting protected health information […]” and extends to health care facilities, clinics, health care providers, business associates, information or computer management entities, schools, health researchers, health care payers, and governmental units. The definition also includes individual health care practitioners, but does not include facilities such as nursing facilities and continuing care facilities.
Key Provisions
- Local Storage and Security Requirements for Patient Information. The bill introduces new requirements to physically maintain EHR that contains patient information about Texas patients in the U.S. The requirement applies to entities that have control over the health records and that are stored by a third-party or subcontracted computing facility, or cloud computing services providers that are using technology enabling the patient information to be electronically retrieved, accessed, or transmitted.
The local storage requirement applies on or after January 1, 2026, and applies to all EHR entries regardless of when the EHR was made.
- AI Use in Connection with EHR. Under the new law, covered entities may use AI for diagnostic purposes provided that certain criteria are met. AI may be used for recommendations on a diagnosis or for course of treatment, if the recommendation is based on a patient's medical record, provided that “(1) the practitioner is acting within the scope of the practitioner's license, certification, or other authorization to provide health care services in this state, regardless of the use of artificial intelligence; (2) the particular use of artificial intelligence is not otherwise restricted or prohibited by state or federal law; and (3) the practitioner reviews all records created with artificial intelligence in a manner that is consistent with medical records standards developed by the Texas Medical Board.” The use of AI for diagnostic purposes must be disclosed to patients.
- Required Medical History Information and Restrictions. Covered entities must ensure that there is an option for health care practitioners to collect and record communications between covered entities relating to a patient’s metabolic health and diet, in the treatment of such patient for chronic diseases or illness. Covered entities may not store information concerning a patient’s credit score or voter registration status in the EHR. Further, covered entities must allow for parents or legal guardians to minors below the age of 17 to have immediate and unrestricted access to the minor's EHR, unless the access is restricted pursuant to state or federal law, or a court order.
- Requirements to Document Biological Sex. Covered entities must ensure that the EHR contains separate fields for information regarding a patient’s biological sex as either male or female, which shall be based on the patient’s recorded biological sex upon birth. Any information regarding a patient’s sexual development disorder shall also be documented. The bill introduces new definitions to these requirements, including “biological sex," which means “[….] the biological trait that determines whether a sexually reproducing organism produces male or female gametes.” "Female" is defined as “an individual whose reproductive system is developed to produce ova” and “Male” is defined as “an individual whose reproductive system is developed to produce sperm.” Covered entities may only amend EHR as related to a patient’s biological sex if the purpose is to correct a clerical error, or if the patient is diagnosed with a sexual development disorder. Any algorithm or decision assistance tool included in the EHR used for the purpose of helping a health care practitioner making a medical treatment decision must include a patient’s biological sex as recorded in accordance with the above requirements.
The bill’s legislative analysis clarifies that medical records must include vital information such as a patient’s biological sex to enable informed, personalized decisions regarding a patient’s care, and that such information informs about a patient’s anatomy of organ systems, disease prevalence, and drug and toxin tolerance, among other factors. (Bill Analysis to S.B. 1188, Author’s/Sponsor’s Statement of Intent)
- Enforcement and Civil Penalties. The Texas Health and Human Services Commission and other regulatory agencies and licensing boards, such as the Texas Medical Board or the Texas Department of Insurance, may enforce the new law and investigate alleged violations. Covered entities may be subject to disciplinary actions including suspension or revocation of medical licenses, registrations, or certifications, if the covered entity violates the law 3 or more times in the same manner, as if the covered entity violated an applicable licensing or regulatory law. Further, the Texas Attorney General may seek injunctive relief and issue civil penalties for violations of the law, amounting to between $5,000 and $250,000.
The text of the Texas Bill is available here.
