SB-1188
TX · State · USA
Status
Passed
Proposed Effective Date
2025-09-01
Texas SB 1188 — An Act relating to electronic health record requirements; authorizing a civil penalty (Chapter 183, Health and Safety Code)
Summary

Imposes comprehensive requirements on covered entities regarding electronic health records (EHRs) in Texas. Requires EHRs to be physically stored in the United States, limits access to authorized personnel, and mandates reasonable safeguards for confidentiality, integrity, and availability. Requires EHRs to include fields for biological sex as observed at birth and sexual development disorders, and mandates that any algorithm or decision assistance tool in an EHR use biological sex data. Permits health care practitioners to use AI for diagnostic purposes if they review AI-generated records consistent with Texas Medical Board standards and disclose AI use to patients. Prohibits storing credit score or voter registration data in EHRs and requires parental access to minors' records. Enforced by the HHSC, regulatory agencies, and the attorney general through investigations, disciplinary actions, injunctive relief, and civil penalties up to $250,000.

Enforcement & Penalties
Enforcement Authority
The Health and Human Services Commission (HHSC) or the appropriate regulatory agency shall investigate credible allegations of violations. The attorney general may institute actions for injunctive relief and civil penalties. Enforcement is agency-initiated; no private right of action is created. Disciplinary action (including license suspension or revocation) is available after three or more violations by a covered entity.
Penalties
Civil penalties up to $5,000 per negligent violation per year; up to $25,000 per knowing or intentional violation per year; up to $250,000 per violation involving knowing or intentional use of protected health information for financial gain. Injunctive relief is available. Disciplinary action including license, registration, or certification suspension or revocation is available after three or more violations.
Who Is Covered
"Covered entity" has the meaning assigned by Section 181.001. The term includes a health care practitioner. The term does not include: (A) a home and community support services agency licensed under Chapter 142; (B) a nursing facility licensed under Chapter 242; (C) a continuing care facility regulated under Chapter 246; (D) an assisted living facility licensed under Chapter 247; (E) an intermediate care facility licensed under Chapter 252; (F) a day activity and health services facility licensed under Chapter 103, Human Resources Code; or (G) a provider under the Texas home living (TxHmL) or home and community-based services (HCS) waiver program.
Compliance Obligations (13 obligations)
Other · Deployer · Healthcare
Health & Safety Code § 183.002(a)
Plain Language
Covered entities must ensure that all electronic health records containing patient information are physically stored in the United States or a U.S. territory. This applies regardless of whether the records are stored by the entity itself, a third-party data center, a cloud provider, or any other technology that allows electronic retrieval or transmission. This is a data residency requirement that extends to all subcontracted storage. Per Section 2(b) of the Act, this storage requirement applies to all EHRs on or after January 1, 2026, regardless of when the record was originally prepared.
Statutory Text
A covered entity shall ensure that electronic health records under the control of the entity that contain patient information are physically maintained in the United States or a territory of the United States. This subsection applies to: (1) electronic health records that are stored by a third-party or subcontracted computing facility or an entity that provides cloud computing services; and (2) electronic health records that are stored using a technology through which patient information may be electronically retrieved, accessed, or transmitted.
Other · Deployer · Healthcare
Health & Safety Code § 183.002(b)-(c)
Plain Language
Covered entities must restrict access to Texas residents' EHR data to individuals who need it for treatment, payment, or health care operations — a minimum-necessary-access standard. Additionally, entities must implement reasonable administrative, physical, and technical safeguards to protect EHR data confidentiality, integrity, and availability. These are ongoing operational security obligations that parallel but are distinct from HIPAA's Security Rule.
Statutory Text
(b) A covered entity shall ensure that the electronic health record information of this state's residents, other than open data, is accessible only to individuals who require the information to perform duties within the scope of the individual's employment related to treatment, payment, or health care operations. (c) Each covered entity shall implement reasonable and appropriate administrative, physical, and technical safeguards to protect the confidentiality, integrity, and availability of electronic health record information.
Other · Deployer · Healthcare
Health & Safety Code § 183.003
Plain Language
Covered entities must ensure their EHR systems include functionality allowing practitioners to record inter-provider communications about a patient's metabolic health and diet as part of chronic disease treatment. This is a system capability requirement — the entity must make the feature available, though use is at the practitioner's discretion.
Statutory Text
A covered entity shall ensure each electronic health record maintained for an individual includes the option for a health care practitioner to collect and record communications between two or more covered entities related to the individual's metabolic health and diet in the treatment of a chronic disease or illness.
D-01 Automated Processing Rights & Data Controls · D-01.4 · Deployer · Healthcare
Health & Safety Code § 183.004
Plain Language
Covered entities are categorically prohibited from including credit score or voter registration data in any individual's EHR. This applies to collection, storage, and sharing — entities may not add this data to the record at any stage. This is a data minimization requirement specific to EHRs, prohibiting inclusion of data types that have no legitimate healthcare purpose.
Statutory Text
A covered entity may not collect, store, or share any information regarding an individual's credit score or voter registration status in the individual's electronic health record.
HC-02 AI in Licensed Professional Practice Restrictions · HC-02.1 · Professional · Healthcare
Health & Safety Code § 183.005(a)
Plain Language
Health care practitioners are permitted to use AI for diagnostic purposes — including AI-generated diagnosis recommendations and treatment course suggestions based on patient records — subject to three conditions: (1) the practitioner must be acting within the scope of their professional license; (2) the specific AI use must not be otherwise prohibited by law; and (3) the practitioner must review all AI-generated records in accordance with Texas Medical Board medical records standards. This establishes an affirmative authorization framework with a mandatory human review requirement — practitioners bear full responsibility for reviewing AI outputs before relying on them.
Statutory Text
A health care practitioner may use artificial intelligence for diagnostic purposes, including the use of artificial intelligence for recommendations on a diagnosis or course of treatment based on a patient's medical record, if: (1) the practitioner is acting within the scope of the practitioner's license, certification, or other authorization to provide health care services in this state, regardless of the use of artificial intelligence; (2) the particular use of artificial intelligence is not otherwise restricted or prohibited by state or federal law; and (3) the practitioner reviews all records created with artificial intelligence in a manner that is consistent with medical records standards developed by the Texas Medical Board.
T-01 AI Identity Disclosure · T-01.1 · Professional · Healthcare
Health & Safety Code § 183.005(b)
Plain Language
When a health care practitioner uses AI for diagnostic purposes (including diagnosis recommendations or treatment suggestions based on patient records), the practitioner must disclose that AI use to the patient. The statute does not specify the timing, format, or content of the disclosure — only that it must occur. This creates a patient-facing transparency obligation on the individual practitioner, not the entity or AI vendor.
Statutory Text
A health care practitioner who uses artificial intelligence for diagnostic purposes as described by Subsection (a) must disclose the practitioner's use of that technology to the practitioner's patients.
Other · Deployer · Healthcare · Minors
Health & Safety Code § 183.006(a)-(b)
Plain Language
Covered entities must ensure their EHR systems provide a minor's parent, managing conservator, or guardian with immediate, complete, and unrestricted access to the minor's electronic health record. Access may be restricted only where state or federal law or a court order limits it. "Minor" means an individual 17 or younger who has not been emancipated. This is a system capability and access rights requirement — the EHR system itself must support this access.
Statutory Text
(a) In this section, "minor" means an individual 17 years of age or younger who has not had the disabilities of minority removed for general purposes. (b) A covered entity shall ensure each electronic health record system the entity uses to store electronic health records of minors allows a minor's parent or, if applicable, the minor's managing conservator or guardian to obtain complete and unrestricted access to the minor's electronic health record immediately, unless access to all or part of the record is restricted under state or federal law or by a court order.
Other · Government · Deployer · Healthcare
Health & Safety Code § 183.007(a)-(b)
Plain Language
Three state agencies (HHSC, Texas Medical Board, and Texas Department of Insurance) must jointly ensure two things: (1) every EHR maintained by a covered entity in Texas includes a dedicated field for documenting the individual's biological sex (male or female, as observed at birth) and any sexual development disorder; and (2) any algorithm or decision assistance tool embedded in an EHR that assists practitioners in treatment decisions must use the biological sex data from that field as an input. Subsection (b) clarifies that EHRs may also include additional fields for other biological sex or gender identity information — the mandatory fields do not preempt optional ones. The AI-adjacent obligation here is that clinical decision support tools must incorporate biological sex data.
Statutory Text
(a) Notwithstanding any other law, the commission, the Texas Medical Board, and the Texas Department of Insurance shall jointly ensure that: (1) each electronic health record prepared or maintained by a covered entity in this state includes a separate space for the entity to document: (A) an individual's biological sex as either male or female based on the individual's observed biological sex recorded by a health care practitioner at birth; and (B) information on any sexual development disorder of the individual, whether identified at birth or later in the individual's life; and (2) any algorithm or decision assistance tool included in an electronic health record to assist a health care practitioner in making medical treatment decisions includes an individual's biological sex as recorded in the space described by Subdivision (1)(A). (b) This section does not prohibit an electronic health record from including spaces for recording other information related to an individual's biological sex or gender identity.
Other · Deployer · Healthcare
Health & Safety Code § 183.008(a)-(b)
Plain Language
Covered entities may only change the biological sex field in an EHR under two circumstances: (1) to correct a clerical error, or (2) when the individual is diagnosed with a sexual development disorder, in which case the sex may be changed to the opposite sex. If the amendment is made under the sexual development disorder exception, the entity must also document the disorder in the designated EHR field. This effectively prohibits amending the biological sex field for any other reason, including gender transition.
Statutory Text
(a) A covered entity may amend on an electronic health record an individual's biological sex as recorded in the space described by Section 183.007(a)(1)(A) only if: (1) the amendment is to correct a clerical error; or (2) the individual is diagnosed with a sexual development disorder and the amendment changes the individual's listed biological sex to the opposite biological sex. (b) If an individual's biological sex is amended under Subsection (a)(2), the covered entity shall include in the individual's electronic health record information on the individual's sexual development disorder in the space described by Section 183.007(a)(1)(B).
Other · Healthcare
Health & Safety Code § 183.009
Plain Language
The HHSC or the appropriate regulatory agency must investigate any credible allegation that a covered entity has violated this chapter. Investigations must comply with all applicable laws, including HIPAA. This provision authorizes and obligates government agencies to investigate — it does not impose a new compliance obligation on covered entities.
Statutory Text
The commission or the appropriate regulatory agency shall conduct an investigation of any credible allegation of a violation of this chapter by a covered entity. The commission or agency shall ensure the investigation is conducted in compliance with all applicable state and federal laws, including the Health Insurance Portability and Accountability Act of 1996 (Pub. L. No. 104-191).
Other · Healthcare
Health & Safety Code § 183.010
Plain Language
After three or more violations of this chapter, the relevant regulatory agency may take disciplinary action against a covered entity as if it had violated its licensing or regulatory laws. Available discipline includes license, registration, or certification suspension or revocation. This is an enforcement escalation provision — it creates no new compliance obligation but establishes consequences for repeated violations.
Statutory Text
The appropriate regulatory agency may take disciplinary action against a covered entity that violates this chapter three or more times in the same manner as if the covered entity violated an applicable licensing or regulatory law. The disciplinary action may include license, registration, or certification suspension or revocation for a period the agency determines appropriate.
Other · Healthcare
Health & Safety Code § 183.011(a)-(b)
Plain Language
The attorney general may sue for injunctive relief to stop violations and may seek civil penalties. Penalties are tiered by culpability: up to $5,000 per negligent violation per year, $25,000 per knowing/intentional violation per year, and $250,000 per violation involving knowing or intentional use of protected health information for financial gain. This is the enforcement and remedies provision — it creates no independent compliance obligation but establishes the consequences for violating the chapter's substantive requirements.
Statutory Text
(a) The attorney general may institute an action for injunctive relief to restrain a violation of this chapter. (b) In addition to the injunctive relief provided by Subsection (a), the attorney general may institute an action for civil penalties against a covered entity for a violation of this chapter. A civil penalty assessed under this section may not exceed: (1) $5,000 for each violation that is committed negligently and that occurs in a single year, regardless of how long the violation continues during that year; (2) $25,000 for each violation that is committed knowingly or intentionally and that occurs in a single year, regardless of how long the violation continues during that year; or (3) $250,000 for each violation in which the covered entity knowingly or intentionally used protected health information for financial gain.
Other · Healthcare
Health & Safety Code § 183.012
Plain Language
Multiple state agencies must coordinate via a memorandum of understanding and adopt rules to implement this chapter. This is a directive to government agencies regarding implementation, not a compliance obligation on covered entities.
Statutory Text
The executive commissioner, the Texas Medical Board, the Texas Department of Licensing and Regulation, the Texas Department of Insurance, and each regulatory agency subject to this chapter shall enter into a memorandum of understanding and, as necessary, adopt rules to implement this chapter.