Texas enacted S.B. 1188 on June 20, joining only a handful of states that regulate artificial intelligence and data offshoring restrictions directly. The law applies to most healthcare providers, all health insurers, and businesses that collect, maintain or store health information of Texas residents.
What happened
Texas implemented regulations for electronic health records and AI use in healthcare through S.B. 1188. The law establishes five requirements: electronic health records must be physically stored in the U.S. or U.S. territories starting January 1, 2026; access to electronic health records must be role-based and limited to those with business or clinical need for records prepared after September 1, 2025; healthcare professionals can use AI for diagnosis but must review AI-generated records and disclose AI use to patients; electronic health records must include specific "observed biological sex at birth" fields with strict amendment restrictions; and parents must receive full, immediate access to their minor children's electronic health records unless restricted by law or court order. The law defines "covered entity" broadly to include any person under Texas jurisdiction who engages in assembling, collecting, analyzing, using, evaluating, storing, or transmitting protected health information for commercial, financial, or professional gain.
Going deeper
The law's definition of "covered entity" extends beyond traditional healthcare providers. Covered entities include business associates, health care payers, governmental units, information or computer management entities, schools, health researchers, health care facilities, clinics, health care providers, and persons who maintain Internet sites. Non-traditional entities that may fall under the law include employers storing workers' compensation or FMLA documentation, school and university systems maintaining student health center records, mobile health apps tracking health-related data, and life insurance carriers collecting medical information during underwriting. The law provides specific carve-outs for home and community support services agencies, nursing facilities, continuing care facilities, assisted living facilities, intermediate care facilities, day activity and health services facilities, and providers under the Texas home living or home and community-based services waiver programs.
What was said
The article notes that healthcare practitioners can use AI for diagnostic purposes if "The practitioner acts within the authorized scope of their practice or license," "The practitioner reviews AI-generated records in a manner consistent with the medical records standards developed by the Texas Medical Board," and "Use of AI for diagnostic purposes is disclosed to the patient." The law defines observed biological sex as "either male or female based on the individual's observed biological sex recorded by a health care practitioner at birth." Practitioners can only amend biological sex documentation "to amend a clerical error or because the individual is diagnosed with a sexual development disorder."
By the numbers
- Fines range from $5,000 for negligent violations to $250,000 for violations that are intentional and done for financial gain
- License suspension becomes possible after three or more violations
- Electronic health records storage restrictions take effect January 1, 2026
- Role-based access and AI disclosure requirements begin September 1, 2025
- Biological sex documentation requirements start September 1, 2025
- Parental access requirements for minors begin September 1, 2025
In the know
Electronic health records digitize patients' medical histories, consolidating information from diagnoses and treatments to personal details. This shift from paper records to electronic formats streamlines healthcare processes and offers quicker access to information while improving patient care. However, it introduces considerations regarding data security and privacy. The role-based access requirement reinforces HIPAA-like restrictions and signals the state's continued push for privacy by design. The law's AI provisions represent one of the first state-level attempts to regulate artificial intelligence use in healthcare diagnosis and documentation.
The bottom line
Healthcare organizations and businesses handling Texas residents' health information must conduct immediate audits of their data storage locations, vendor agreements, AI tool usage, and access control systems. Entities should engage legal and compliance counsel to review current practices against these new requirements and develop implementation timelines for the staggered effective dates. Organizations relying on offshore data storage have until January 1, 2026, to relocate their electronic health records to U.S.-based storage solutions.
FAQs
Does S.B. 1188 apply to telehealth providers located outside Texas but serving Texas residents?
Yes, the law applies to any entity under Texas jurisdiction handling Texas residents' health data.
How does this law interact with existing HIPAA requirements?
S.B. 1188 builds on HIPAA by adding state-specific restrictions on AI use, biological sex fields, and data storage.
How will the law affect minors’ privacy in sensitive healthcare situations?
Parents will receive default access unless specifically restricted by law or court order.
Do employers storing health-related employee records have to comply?
Yes, employers managing workers' compensation or FMLA health records may be considered covered entities.
