New Texas Law on EHR Data Localization and AI

Posted on August 19, 2025 in Health Information Technology, Health Law News

Published by: Hall Render

Effective September 1, 2025, Texas Senate Bill No. 1188 (“SB 1188”) imposes new legal obligations on health care practitioners and other covered entities regarding the privacy, security and management of electronic health records (“EHRs”) and the use of artificial intelligence (“AI”). Key provisions of the law include:

  1. A requirement that EHRs be maintained in the United States;
  2. A requirement that health care practitioners disclose any use of AI in diagnosis or the course of treatment based on a patient’s medical record; and
  3. An express obligation that a covered entity allow a minor’s parent or guardian to obtain complete and unrestricted access to the minor’s EHR (except in cases where access to all or part of the record is restricted under state or federal law or by a court order).

Violations of SB 1188 may result in civil penalties ranging from $5,000 to $250,000 per violation, depending on the covered entity’s intent, and may also trigger injunctive enforcement by the Texas Attorney General.

Key Provisions

Application

The law applies to “covered entities” and “health care practitioners.” Covered entity means an entity that assembles, collects, analyzes, uses, evaluates, stores or transmits “protected health information” and includes health care practitioners. Health care practitioner means an individual who is licensed, certified or otherwise authorized to provide health care services in Texas, but excludes certain enumerated facilities (e.g., nursing, assisted living, intermediate and continuing care facilities).

EHR Storage Restrictions

The new law mandates that EHRs containing patient information must be “physically maintained” within the United States or its territories. The law is ambiguous regarding whether the prohibition relates only to storage or would also apply to offshore view-only access to such data. The geographic restriction has a delayed effective date of January 1, 2026, and will apply regardless of when such data was created.

Use of AI

SB 1188 clarifies that a health care practitioner may use AI for diagnostic purposes, provided that the practitioner is acting within their scope of license, such use is not otherwise restricted by state or federal law and the practitioner reviews all records created with AI in a manner consistent with medical records standards developed by the Texas Medical Board. When a practitioner uses AI, the practitioner must inform the patient of the use of AI tools in their diagnosis or treatment.

Parental and Guardian Access to EHRs

Covered entities must provide a minor’s parent or guardian “complete and unrestricted” access to the minor’s EHR “immediately,” unless access is restricted pursuant to state or federal law or a court order. The U.S. Department of Health and Human Services Office of Civil Rights has historically been deferential to states on issues of parental access to minor medical records.

Enforcement and Penalties

The Texas Health and Human Services Commission—or the relevant regulatory agency—has authority to investigate alleged violations of SB 1188. Where non-compliance is found, the Texas Attorney General may seek injunctive relief and/or request civil penalties in varying amounts of $5,000–$25,000 per violation, depending on the intent behind the actions of the covered entity. The civil penalty increases to $250,000 for each violation in which the covered entity knowingly or intentionally used protected health information for financial gain.

Practical Takeaways

To prepare for SB 1188’s upcoming requirements, Texas covered entities should consider:

  • Evaluating their infrastructure design to ensure that EHR data meets the requirements of the new law, including evaluation of any remote access and business associate services that may be implicated (e.g., coding services).
  • Developing an inventory of the solutions in use that rely on AI, to support health care practitioners’ understanding and patient notification.
  • Developing a patient notice advising on potential uses of AI in diagnosis or treatment.
  • Evaluating patient portal configuration as it relates to parental access to ensure alignment with the new requirements for complete and immediate access.
  • Providing staff training on patient access rights, parental/guardian access rules and disclosure requirements when AI tools are used in diagnosis or treatment.

Hall Render blog posts and articles are intended for informational purposes only. For ethical reasons, Hall Render attorneys cannot—outside of an attorney-client relationship—answer specific questions that would be legal advice.