Texas S.B. 1188 and health information implications


A new Texas law, S.B. 1188, takes effect Sept. 1 setting rules for health data security, U.S.-based storage and use of artificial intelligence in medicine. Violations carry civil penalties.

Rachel V. Rose, JD, MBA

Recently, Texas Governor Abbott signed into law legislation (S.B. 1188) that regulates three main items: (1) security of health record data; (2) storage of health data overseas; and (3) deployment of artificial intelligence (AI). The effective date is September 1, 2025 (or January 1, 2026 for the data localization requirement) and essentially, the law emphasizes electronic health record requirements and authorizes civil penalties.

Who does the law apply to? For those unfamiliar with Texas’ definition of “covered entity,” it is broader than the Health Insurance Portability and Accountability Act of 1996 (HIPAA) definition, which is found at 45 CFR §160.103. Included in the definition, like that of federal HIPAA, are health care providers. New in Texas S.B. 1188 is the requirement that “biological sex” be included in the record, based on “the biological trait that determines whether a sexually reproducing organism produces male or female gametes.” There are rare congenital situations where individuals develop two sets of gonads (female and male) in utero and are in turn born with traits of both males and females. When this occurs, adequate medical record documentation is essential.

How is the security of health record data impacted? In some ways, it reinforces HIPAA and Texas H.B. 300 requirements that individually identifiable health information (IIHI) is accessible only by covered entity personnel who utilize it within the scope of performing specific employment duties related to diagnosis, treatment, payment and/or healthcare operations. And, per the HIPAA Security Rule, which was incorporated into the Texas Health and Safety Code, adequate technical, administrative and physical safeguards are required to ensure the confidentiality, integrity and availability of the IIHI. The storage of IIHI in the United States is now required in Texas.

Under what is known as a data localization requirement, Texas covered entities are now required to physically maintain Texas patients’ designated health record sets in the United States. This requirement applies to (1) electronic health records that are stored by a third-party or subcontracted computing facility or entity that provides cloud computing services; and (2) electronic health records that are stored using a technology through which patient information may be electronically retrieved, accessed or transmitted.

Regarding AI, the law requires the following:

  • Disclosure to patients by providers of their use of AI for diagnostic purposes;
  • Utilization of AI is limited to the scope of a provider’s license, certification or authorization;
  • AI deployment is not otherwise restricted or prohibited by applicable state or federal law; and
  • Review by the provider of all records created with AI in a manner consistent with medical records standards developed by the Texas Medical Board.

The law further requires Texas covered entities to facilitate the collection and recording of communications between multiple covered entities regarding a patient’s metabolic health and diet in the treatment of a chronic disease or illness, within the patient’s electronic health record. This seems like a significant hurdle and practitioners should be looking at both patient-owned devices and apps, as well as those prescribed.

Enforcement is permissible and the Texas Attorney General may seek injunctive relief and impose civil penalties ranging between $5,000 and $250,000 per violation.

In sum, providers need to evaluate a lot of items. These items should also be incorporated into the annual HIPAA risk analysis, and providers should coordinate with their electronic health record company, IT provider and legal counsel. Finally, implementing AI that is safe, ethical and legal, coupled with adequate policies and procedures to avoid the inclusion of hallucinations in a medical record, can mitigate downstream liability.

Rachel V. Rose, JD, MBA, advises clients on compliance, transactions, government administrative actions, and litigation involving healthcare, cybersecurity, corporate and securities law, as well as False Claims Act and Dodd-Frank whistleblower cases. She also teaches bioethics at Baylor College of Medicine in Houston. Rachel can be reached through her website, www.rvrose.com.

© 2025 MJH Life Sciences