2 September 2025

New Texas Law Regulates Use Of EHRs And AI Tools

Goodwin Procter LLP


Texas Senate Bill (SB) 1188 is effective September 1, 2025, and imposes new legal obligations on certain covered entities, including healthcare practitioners, regarding the privacy, security, and processing of electronic health records (EHRs) and artificial intelligence (AI). Under SB 1188, covered entities are businesses that assemble, collect, analyze, use, evaluate, store, or transmit protected health information (PHI). This definition includes healthcare practitioners with certain exceptions, including nursing facilities, assisted living facilities, and intermediate care facilities.

What Is Required Under SB 1188?

From a regulatory standpoint, SB 1188 has three major provisions: (1) it requires covered entities to physically maintain their EHRs only within the United States and only allow their data to be accessed by those who require it in furtherance of treatment, payment, and healthcare operations; (2) it permits the use of AI by healthcare practitioners so long as they use it within the scope of their license, but it requires them to disclose any use of AI in diagnosis or over the course of treatment based on a patient's medical record; and (3) it requires covered entities to allow a minor's parent or guardian to obtain complete and unrestricted access to the minor's EHR, except in cases in which access to all or part of the record is restricted under state or federal law or by court order. Violations of SB 1188 can result in civil penalties ranging from $5,000 to $250,000 per violation, depending on the violator's intent. SB 1188 includes certain additional provisions related to logging and amending references to an individual's biological sex in EHRs, which this article does not address.

Practical Implications of SB 1188

The applicability of SB 1188 relies on the definition of a covered entity under Texas Health and Safety Code Section 181.001. This definition is drafted in such a way that it can be interpreted to apply to entities located outside of Texas that process the PHI of Texas residents. Texas-based covered entities should ensure compliance with SB 1188, but entities located outside of Texas that process Texas PHI in an EHR should monitor enforcement under SB 1188.

The deadline for the requirement to maintain EHRs within the United States is January 1, 2026. SB 1188 is unclear as to whether the requirement to physically store EHR data within the United States prohibits the processing of such data offshore via read-only access. Covered entities should monitor for guidance related to this and evaluate internal processes to ensure that processing can be limited to the United States if necessary.

There has been a push under recent regulatory guidance to establish robust internal AI governance policies and procedures. SB 1188 is yet another example of why such internal processes are and will be important for legal compliance. Covered entities should develop internal logs of approved AI tools and a form notice regarding the use of AI in diagnosis or treatment that they can provide to patients. As always, practitioners should never allow an AI tool to ingest PHI without patient consent, and they should be wary of training an AI tool using the same.

Finally, covered entities should ensure that processes are established within their EHRs to allow immediate access to the parents and guardians of minors. The law does not provide additional guidance regarding what does and does not constitute immediate access.

What to Expect

The rapid proliferation of technology in the healthcare industry has been a topic of discussion for years, and with the new inclusion of AI on the horizon, it is likely that states and the federal government will continue to wrestle with the boundaries of regulation. Entities governed under SB 1188 should ensure compliance with the restrictions and obligations noted in this article and monitor for guidance related to the same.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
