Privacy & Information Security Law Blog

Texas Governor Greg Abbott recently signed into law S.B. 1188, a bill that regulates the security and storage of electronic health record data and the deployment of artificial intelligence (“AI”) in the health care context.  The law creates a data localization requirement, obligating covered entities to physically maintain electronic health records in the United States.  In addition, the law permits health care practitioners to use AI for diagnostic purposes in connection with electronic health records only in accordance with specified requirements.  The law also introduces a definition of “biological sex” and sets forth rules governing when an individual’s biological sex as recorded in an electronic health record may be amended.  Further, the law addresses parents’ access to minors’ electronic health records, the facilitation of communication between covered entities, and restrictions on covered entities’ access to certain types of electronic health record information.

Applicability

The law applies to “covered entities” and “health care practitioners.” “Covered entity” has the definition found in Tex. Code Sect. 181.001(b)(2) – an entity that assembles, collects, analyzes, uses, evaluates, stores or transmits “protected health information” (as defined under HIPAA) – and includes health care practitioners. “Health care practitioner” is defined as an individual who is licensed, certified or otherwise authorized to provide health care services in Texas, with certain enumerated exceptions (e.g., nursing and continuing care facilities).  

Data Localization and Data Security

The law requires covered entities to physically maintain in the U.S. all electronic health records of Texas patients.  This data localization requirement applies to (1) electronic health records that are stored by a third-party or subcontracted computing facility or entity that provides cloud computing services; and (2) electronic health records that are stored using a technology through which patient information may be electronically retrieved, accessed or transmitted.

The law also requires covered entities to ensure that Texas patients’ electronic health record information is accessible only to personnel who require the information to perform relevant employment duties related to treatment, payment or health care operations.  In addition, the law requires covered entities to implement reasonable and appropriate administrative, physical and technical safeguards to protect the confidentiality, integrity and availability of electronic health record information.

Use of AI

The law allows health care practitioners to use AI for diagnostic purposes (including for recommendations, diagnosis and treatment decisions) based on a patient’s medical record, provided that the practitioner meets the following criteria:

• the practitioner discloses to patients their use of AI for diagnostic purposes;
• the practitioner uses AI within the scope of their license, certification or authorization;
• the use of AI is not otherwise restricted or prohibited by applicable state or federal law; and
• the practitioner reviews all records created with AI in a manner consistent with medical records standards developed by the Texas Medical Board.

Biological Sex Information in Electronic Health Records

The law defines “biological sex” as “the biological trait that determines whether a sexually reproducing organism produces male or female gametes,” and defines “male” and “female” based on their reproductive systems.  The law requires electronic health records to include fields to record an individual’s biological sex at birth and information on any sexual development disorder of the individual, whether identified at birth or later in the individual’s life.  Under the law, a covered entity may amend an individual’s recorded biological sex information only if the amendment is to (1) correct a clerical error or (2) account for a sexual development disorder diagnosis received by the individual.  The law also requires that any algorithm or decision assistance tool used in connection with medical treatment decisions made about an individual include the individual’s biological sex.

Miscellaneous Provisions

The law further requires covered entities to facilitate the collection and recording of communications between multiple covered entities regarding a patient’s metabolic health and diet in the treatment of a chronic disease or illness, within the patient’s electronic health record. Additionally, the law prohibits covered entities from collecting, storing or sharing any information regarding an individual’s credit score or voter registration status that is contained in the individual’s electronic health record. The law also requires covered entities to allow parents or legal guardians of minors (under 17) to have immediate, unrestricted access to their minor child’s electronic health records.

Enforcement

The law empowers the Texas Health and Human Services Commission and other appropriate regulatory agencies (e.g., the Texas Medical Board, the Texas Department of Insurance) to investigate alleged violations of the law. The appropriate regulatory agency may take disciplinary action against a covered entity that violates the law three or more times in the same manner as if the covered entity violated the applicable licensing or regulatory law (e.g., suspension or revocation of a covered entity’s license, registration or certification).

Additionally, the Texas attorney general may seek injunctive relief and impose civil penalties against covered entities found to be in violation of the law in the range of $5,000 to $250,000 per violation, depending on the nature and degree of the violation.

Effective Date

Most of the law’s requirements and restrictions take effect on September 1, 2025. The data localization provisions requiring electronic health records to be physically maintained in the U.S will take effect retroactively beginning January 1, 2026, and will apply to all electronic health records stored on or after that date, regardless of the date on which the record was prepared.