
The HIPAA Journal is the leading provider of HIPAA training, news, regulatory updates, and independent compliance advice.

Texas Enacts Law Governing Security and Storage of Electronic Health Records

The Governor of Texas has added his signature to a bill regulating the storage and security of electronic health records and the use of artificial intelligence in healthcare for diagnostic purposes. The bill also introduces a new definition of “biological sex” and sets rules concerning the amendment of biological sex in electronic health records. S.B. 1188 applies to HIPAA-covered entities and healthcare practitioners.

The new law requires the electronic medical records of all Texas patients to be physically maintained in the United States, including if the medical records are stored by a third-party or subcontracted computing facility that provides cloud computing services. In such cases, the data center where the records are stored must be in the United States. The law also applies to electronic health records stored using technology that allows patient information to be electronically retrieved, accessed, or transmitted.

Covered entities must implement reasonable and appropriate administrative, physical, and technical safeguards to ensure the confidentiality, integrity, and availability of electronic health record information, as is already required by the HIPAA Security Rule. Further, covered entities must ensure that the electronic health record information of Texas patients is only accessible to personnel who require electronic medical record information to perform employment duties related to treatment, payment, and health care operations. In the case of minors, the electronic medical record system must allow the individual’s parent, managing conservator, or legal guardian to have immediate, unrestricted access to that individual’s electronic medical record, unless access is restricted under federal or state law.

The law permits healthcare practitioners to use artificial intelligence for diagnostic purposes, provided that the practitioner informs patients that AI will be used for diagnostic purposes, the AI tools are used within the scope of their license, certification, or authorization, the use of AI is not otherwise restricted or prohibited by federal or state law, and the practitioner reviews all records created using AI in a manner consistent with the medical record standards of the Texas Medical Board.

The law adds a definition of biological sex, which can be male or female. Male is defined as “an individual whose reproductive system is developed to produce sperm”, and female is defined as “an individual whose reproductive system is developed to produce ova”. Electronic health records must include a field to record biological sex at birth and a separate field to record any sexual development disorder, whether that is identified at birth or later in life. If AI tools are used for diagnostic or decision-making purposes, they must also include the individual’s biological sex at birth.

Amendments to biological sex may only be made a) to correct a clerical error or b) if the individual is diagnosed with a sexual development disorder that changes the individual’s listed biological sex to the opposite sex, in which case information on the individual’s sexual development disorder must be included in the individual’s record.

Covered entities are prohibited from collecting, storing or sharing any information regarding an individual’s credit score or voter registration status in their electronic health record, and covered entities must facilitate the collection and recording of communications between multiple covered entities regarding the individual’s metabolic health, diet, and the treatment of a chronic disease or illness in their electronic health record.

The Texas Health and Human Services Commission, Texas Medical Board, Texas Department of Insurance, and other appropriate regulatory entities are authorized to investigate violations of the law and, if the law is violated three or more times, to take disciplinary action in the same manner as if the covered entity had violated an applicable licensing or regulatory law. The Texas Attorney General can seek injunctive relief and impose civil penalties for violations. Civil penalties of $5,000 per violation within a single year apply if the violation was committed negligently, $25,000 for each violation committed knowingly or intentionally within a single year, and $250,000 for each violation in which the covered entity knowingly or intentionally used protected health information for financial gain.

Most of the new requirements and restrictions take effect on September 1, 2025, although the requirement to locate electronic health records in the United States will take effect on January 1, 2026.

Author: Steve Alder is the editor-in-chief of The HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com
