Texas Passes New Law Regulating Electronic Health Records and the Use of AI by Healthcare Professionals

BakerHostetler

On June 20, Texas enacted S.B. 1188, joining only a handful of states that are taking artificial intelligence (AI) and data offshoring restrictions into their own hands. The law applies to most healthcare providers and all health insurers, as well as a long list of businesses that collect, maintain or store health information (HI) of Texas residents.

Here's What You Need to Know

  • Offshore storage of electronic health records is prohibited. Starting Jan. 1, 2026, all electronic health records must be physically stored in the U.S. or a U.S. territory.
  • Access to electronic health records must be role-based and limited to those with a business or clinical need. This applies to any electronic health record prepared on or after Sept. 1, 2025.
  • Use of AI in diagnosis is permitted but must be regulated. Healthcare professionals must review AI-generated records and disclose AI use to patients.
  • Biological sex fields in electronic health records are strictly defined. “Observed biological sex at birth” must be recorded separately, and can only be amended in limited and specific circumstances.
  • Parents must be able to gain immediate access to their child’s full electronic health record. Unless restricted by law or court order, proxy access must be full and immediate.
  • Penalties for violations can be severe. Fines range from $5,000 for negligent violations to $250,000 for violations that are intentional and done for financial gain, along with the potential for license suspension after repeated violations.
  • The law applies broadly. Not just healthcare providers, but schools, insurers, and vendors handling Texas residents’ health information may be subject to the law.

It’s Not Just Healthcare Providers: What Businesses Are Subject to the Law

The law is not confined to those engaged in traditional medical practice or to entities covered by the Health Insurance Portability and Accountability Act (HIPAA). For purposes of this law, a “covered entity” subject to the law is any person (under the jurisdiction of Texas) that:

(A) for commercial, financial, or professional gain, monetary fees, or dues, or on a cooperative, nonprofit, or pro bono basis, engages, in whole or in part, and with real or constructive knowledge, in the practice of assembling, collecting, analyzing, using, evaluating, storing, or transmitting protected health information. The term includes a business associate, health care payer, governmental unit, information or computer management entity, school, health researcher, health care facility, clinic, health care provider, or person who maintains an Internet site;

(B) comes into possession of protected health information;

(C) obtains or stores protected health information under this chapter; or

(D) is an employee, agent, or contractor of a person described by Paragraph (A), (B), or (C) insofar as the employee, agent, or contractor creates, receives, obtains, maintains, uses, or transmits protected health information.

Texas Health and Safety Code, Sec. 181.001. The law also provides a carve-out for the following types of entities:

  • a home and community support services agency licensed under Chapter 142;
  • a nursing facility licensed under Chapter 242;
  • a continuing care facility regulated under Chapter 246;
  • an assisted living facility licensed under Chapter 247;
  • an intermediate care facility licensed under Chapter 252;
  • a day activity and health services facility licensed under Chapter 103, Human Resources Code; or
  • a provider under the Texas home living (TxHmL) or home and community-based services (HCS) waiver program.

Texas Health and Safety Code, Sec. 181.001(2)(A-G). Given the broad definition of “covered entity,” which extends to persons and businesses not usually subject to health regulations, Texas businesses of all types should consider whether they are subject to this law – particularly the portion of the law related to offshore storage of health records.

Non-traditional covered entities that may be subject to the law:

  • Employers that store workers’ compensation or FMLA documentation;
  • School and university systems that maintain student health center records;
  • Mobile health apps that allow users to track health-related data;
  • Life insurance carriers collecting medical information during the underwriting process.

Key Implications for Covered Entities

1. Electronic Health Records Must Be Stored in the US

Covered entities are required to ensure that all electronic health records that are controlled by the entity and contain patient information are physically stored in the U.S. or a U.S. territory. The law does not apply only to health records stored in a database, such as an electronic medical record. Thus, entities subject to the law must consider their storage practices for documents like workers’ compensation documentation, employee insurance claims, student health center records and similar documents that exist in email, fax/scanner servers and file folders.

Notably, the law does not restrict access to electronic health records from outside of the U.S., as other rule sets do (such as those of the Centers for Medicare & Medicaid Services). Covered entities can thus continue to use offshore vendors that need access to U.S.-based electronic health records. However, covered entities should ensure that controls are in place so that those offshore vendors are unable to save and store the electronic health records they access.

This part of the rule applies to all health records, regardless of when they were created. Thus, entities subject to the rule should ensure that they have their data storage issues resolved by Jan. 1, 2026.

2. Access Is Strictly Role-Based

Access to Texas residents’ electronic health records must be limited to individuals whose job duties are directly related to treatment, payment or healthcare operations. As discussed above, the law’s definition of “covered entity” extends to persons and businesses that do not fall within the traditional healthcare industry. Businesses subject to this law that do not provide treatment, conduct payment activities or have healthcare operations should still ensure that access to all electronic health records is properly limited to individuals who have a business reason to access the information. This reinforces HIPAA-like access restrictions and signals the state’s continued push for privacy by design.

This section is applicable to any records “prepared” on or after Sept. 1, 2025; entities are therefore not required to find and restrict access to older records. However, to the extent entities maintain a record application or otherwise update a record containing HI, such records would be subject to the law.

3. Use of AI in Diagnosis

Healthcare practitioners may use AI under the law for diagnostic purposes if:

  • The practitioner acts within the authorized scope of their practice or license.
  • The practitioner reviews AI-generated records in a manner consistent with the medical records standards developed by the Texas Medical Board.
  • Use of AI for diagnostic purposes is disclosed to the patient.

While the explicit allowance of AI could encourage innovation, it also introduces new compliance risks and transparency expectations that organizations must manage. Healthcare providers should take stock of which treatment-related tools already in use, and relied on by practitioners, incorporate AI, as vendors’ AI integration is often a blind spot for compliance departments. Risk officers should consult the Texas Medical Board standards, ensure that an AI diagnostic tool policy is created, and provide training to healthcare practitioners so that the review process is standardized and actually conducted. Privacy and compliance officers should assess how and when AI disclosures to patients are necessary, in light of the AI inventory. Finally, innovation and procurement departments should ensure that any new AI tool implementation is presented to the compliance office so that any necessary updates to patient disclosures occur.

Again, this section is only applicable to records prepared on or after Sept. 1.

4. Health Record Structure and Content Requirements Related to ‘Biological Sex’

Starting Sept. 1, 2025, covered entities must ensure that their electronic health record systems include:

  • A space for documenting “observed biological sex as either male or female based on the individual’s observed biological sex recorded by a health care practitioner at birth.”
  • Where applicable, fields for sexual development disorders – defined as “congenital condition associated with atypical development of internal or external genital structures. The term includes a chromosomal, gonadal, or anatomic abnormality.”
  • Documentation of the practitioner’s use of “any algorithm or decision assistance tool included in an electronic health record to assist a health care practitioner in making medical treatment decisions includes an individual’s…observed biological sex” at birth.

Practitioners are only permitted to amend the “biological sex” noted in the individual’s health record to correct a clerical error or because the individual is diagnosed with a “sexual development disorder.” If the amendment is made to address a sexual development disorder, the field can only be changed from the sex previously noted to the opposite sex, and only if a “sexual development disorder” is also documented.

In other words, Texas is prohibiting deference to the patient’s nonbinary gender identity and a transgender person’s transition when documenting their “biological sex.” The law does permit notations of information related to the individual’s biological sex or gender identity in other areas of the record, however. Given the enforcement mechanisms and penalties discussed below, healthcare entities should ensure that their workforce members understand and comply with this section.

5. Parental Access to Minors’ Electronic Health Records

As of Sept. 1, 2025, covered entities must grant parents and guardians full, immediate access to a minor’s electronic health records unless restricted by state/federal law or court order. This deviates significantly from the standard practice in the industry. When patients turn 12, most health systems transition parent/guardian access to their children’s electronic health records from full proxy access to a more limited proxy access. The more limited access is restricted to only the child’s growth chart and information regarding allergies and immunizations. This is to ensure that the child can confidentially share with their provider sensitive issues that could inform treatment – topics like self-harm, eating disorders and sexual activity. In most states, children 12 and older are able to direct and consent to their own healthcare, and some states use that authority as a demarcation line for when parental access is no longer appropriate.

This may require providers to work with their electronic medical record application to update workflows and permissions for proxy access to minor patients. To the extent that a provider’s HIPAA Notice of Privacy Practices, patient portal or website terms of service indicate that access to minor records will be limited beginning at a certain age, those documents should be updated to reflect the new law’s requirements.

6. Enforcement Mechanisms and Penalties

The risks of noncompliance with the new law are significant.

First, the commissioner of Texas Health and Human Services, or any appropriate regulatory agency, can investigate a covered entity if any “credible allegation of a violation” is made to the agency. If an entity is found to have violated the law three or more times, the disciplinary actions available are the same as those available if the entity violated an applicable licensing or regulatory law. This includes suspension of licenses, registrations or certifications for a period determined appropriate by the agency.

Additionally, the Texas attorney general can:

  • Institute an action for injunctive relief to restrain continued violations
  • Institute an action for civil penalties as follows:
    • Up to $5,000 per violation per year if the violation was negligent
    • Up to $25,000 per violation per year that is committed knowingly or intentionally
    • Up to $250,000 per violation where the entity knowingly/intentionally used the health information for financial gain

Preparing for Compliance

Covered entities should begin reviewing their data storage practices, vendors with access to health records, AI tools and policies, and corresponding training to prepare for these new requirements. As the law imposes new obligations on top of (and not in conflict with) existing HIPAA and state law privacy obligations, covered entities should not rest on current compliance programs. Covered entities should strongly consider engaging legal and compliance counsel to assist in necessary audits as well as policy and training revisions to help minimize the risk of violations.


DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations. Attorney Advertising.

© BakerHostetler
