Texas Enacts Electronic Health Record Data Localization Law
Texas Governor Greg Abbott recently signed into law SB 1188, a bill that regulates the security and storage of electronic health record data and the deployment of artificial intelligence ("AI") in the health care context. The law creates a data localization requirement obligating covered entities to physically maintain electronic health records in the United States. In addition, the law permits health care practitioners to use AI for diagnostic purposes in connection with electronic health records only in accordance with specified requirements. The law also introduces a definition of "biological sex" and sets forth rules governing when an individual's biological sex, as recorded in an electronic health record, may be amended. Further, the law addresses parents' access to minors' electronic health records, the facilitation of communication between covered entities, and restrictions on covered entities' access to certain types of electronic health record information.

Applicability

The law applies to covered entities and health care practitioners. "Covered entity" has the definition found in Tex. Code Sect. 181.001(b)(2) (an entity that assembles, collects, analyzes, uses, evaluates, stores or transmits protected health information, as defined under HIPAA) and includes health care practitioners. "Health care practitioner" is defined as an individual who is licensed, certified or otherwise authorized to provide health care services in Texas, with certain enumerated exceptions (e.g., nursing and continuing care facilities).

Data Localization and Data Security

The law requires covered entities to physically maintain in the U.S. all electronic health records of Texas patients. This data localization requirement applies to (1) electronic health records that are stored by a third-party or subcontracted computing facility or entity that provides cloud computing services, and (2) electronic health records that are stored using a technology through which patient information may be electronically retrieved, accessed or transmitted.

The law also requires covered entities to ensure that Texas patients' electronic health record information is accessible only to personnel who require the information to perform relevant employment duties related to treatment, payment or health care operations. In addition, the law requires covered entities to implement reasonable and appropriate administrative, physical and technical safeguards to protect the confidentiality, integrity and availability of electronic health record information.

Use of AI

The law allows health care practitioners to use AI for diagnostic purposes, including for recommendations, diagnosis and treatment decisions based on a patient's medical record, provided that the practitioner meets the following criteria:

Biological Sex Information in Electronic Health Records

The law defines "biological sex" as the biological trait that determines whether a sexually reproducing organism produces male or female gametes, and defines "male" and "female" based on their reproductive systems. The law requires electronic health records to include fields to record an individual's biological sex at birth and information on any sexual development disorder of the individual, whether identified at birth or later in the individual's life. Under the law, a covered entity may amend an individual's recorded biological sex information only if the amendment is to (1) correct a clerical error, or (2) account for a sexual development disorder diagnosis received by the individual. The law also requires that any algorithm or decision assistance tool used in connection with medical treatment decisions made about an individual include the individual's biological sex.

Miscellaneous Provisions

The law further requires covered entities to facilitate the collection and recording of communications between multiple covered entities regarding a patient's metabolic health and diet in the treatment of a chronic disease or illness within the patient's electronic health record. Additionally, the law prohibits covered entities from collecting, storing or sharing any information regarding an individual's credit score or voter registration status that is contained in the individual's electronic health record. The law also requires covered entities to allow parents or legal guardians of minors under 17 to have immediate, unrestricted access to their minor child's electronic health records.

Enforcement

The law empowers the Texas Health and Human Services Commission and other appropriate regulatory agencies (e.g., the Texas Medical Board, the Texas Department of Insurance) to investigate alleged violations of the law. The appropriate regulatory agency may take disciplinary action against a covered entity that violates the law three or more times, in the same manner as if the covered entity violated the applicable licensing or regulatory law (e.g., suspension or revocation of a covered entity's license, registration or certification).

Additionally, the Texas attorney general may seek injunctive relief and impose civil penalties against covered entities found to be in violation of the law, in the range of $5,000 to $250,000 per violation, depending on the nature and degree of the violation.

Effective Date

Most of the law's requirements and restrictions take effect on September 1, 2025. The data localization provisions requiring electronic health records to be physically maintained in the U.S. will take effect retroactively beginning January 1, 2026, and will apply to all electronic health records stored on or after that date, regardless of the date on which the record was prepared.