October 01, 2025|Client Alerts

From PHI to AI: What Texas SB 1188 Means for Healthcare Entities and Vendors

By Janice Suchyta

This year the Texas legislature passed SB 1188, which aims to regulate electronic health record (“EHR”) practices and the use of artificial intelligence (“AI”) in healthcare. Although the law generally took effect on September 1, 2025, the data-localization requirement becomes effective on January 1, 2026. The data-localization component requires that any EHRs containing Texas patient data be physically stored in the United States. The law applies irrespective of when the electronic health record was created.

SB 1188 applies to “covered entities” under Texas law (which mirrors the definition in Tex. Health & Safety Code § 181.001) and includes health care practitioners. The law also explicitly reaches third-party vendors, cloud service providers, and subcontractors that manage or store EHRs on behalf of covered entities.

Notably, the law excludes certain types of facilities from the “covered entity” designation, including some long-term care or assisted living facilities. However, given the broad drafting language in SB 1188, many software vendors and service providers will be implicated if they support Texas health providers. SB 1188 also authorizes civil penalties against entities that violate its requirements.

Key Requirements: What SB 1188 Mandates

The following is a list of the principal requirements under SB 1188 for vendors and healthcare entities:

  • Data Localization / Prohibition on Offshore Storage
    • All EHRs that contain patient information for Texas residents must be physically maintained in the United States or a U.S. territory, including when stored with third-party or sub-contracted cloud or computing facilities.
    • Offshore storage (i.e. physically outside the U.S.) is prohibited beginning January 1, 2026, regardless of when the record was created.
    • Offshore access is somewhat more permissible, so long as data is not stored, cached, or copied offshore in violation of the law.
    • Vendors must ensure that any caching, backup, replication, or disaster recovery processes comply with the requirement.
  • Access Controls & Safeguards
    • EHR systems must restrict access only to individuals who require access for treatment, payment, or health care operations within their employment duties.
    • Covered entities must implement reasonable and appropriate administrative, physical, and technical safeguards to ensure confidentiality, integrity, and availability of EHR data. These requirements are consistent with, but not limited to, HIPAA Security Rule obligations.
  • Minor Access / Parental / Guardian Rights
    • For minors (17 and under), EHR systems must allow their parent, conservator, or guardian to obtain full and immediate access to the minor’s EHR, unless access is lawfully restricted (e.g. by court order or federal law).
  • Artificial Intelligence / Algorithm Use in Diagnostics
    • Health care practitioners are permitted to use AI for diagnostic purposes (e.g. recommendations, decision assistance) if certain conditions are met:
      • The practitioner acts within the scope of their license or certification.
      • The use of AI must be disclosed to the patient when used diagnostically.
    • The law further mandates that any algorithm or decision tool used in EHR must incorporate the patient’s biological sex (as captured in the standard field) when making diagnostic or treatment recommendations.
  • Biological Sex Field & Amendment Restrictions
    • EHR systems must include a dedicated field for recording biological sex at birth (defined by reproductive gamete production).
    • There must also be a field for recording sexual development disorders (identified either at birth or later).
    • Amendments to the biological sex field are only allowed in narrow circumstances:
      • To correct a clerical or factual error; or
      • If the individual is diagnosed with a sexual development disorder and the change is from the recorded sex to the opposite sex; in such case, the record must also document the disorder.
    • The law clarifies that recording gender identity is not prohibited, but it must be kept separate from the biological sex field.
  • Prohibitions on Certain Data Fields (Credit, Voter Data)
    • EHRs may not collect, store, or share any information about a patient’s credit score or voter registration status.
    • The law prohibits use of EHR records (or platforms) as a means to facilitate voter registration or to execute mail-in ballots.
  • Communications Regarding Metabolic Health / Diet
    • EHRs must include the option for documenting communications between multiple covered entities relating to a patient’s metabolic health and diet in the treatment of chronic disease.
    • This is intended to support continuity of care and integrated management of chronic disease.

Key Considerations for Vendors and Providers

To prepare for the implementation of SB 1188, vendors should:

  • Conduct an internal audit of their infrastructure to ensure EHR data is maintained on U.S.-based servers and that no prohibited offshore caching, storage, or duplication occurs. Sub-contractors must also be compliant.
  • Review AI workflows to ensure compliance with practitioner oversight and patient disclosure requirements.
  • Update EHR schemas and data models as required (e.g. the dedicated biological sex and sexual development disorder fields).

Providers should prepare for SB 1188 as follows:

  • If using offshore or cross-border hosting, implement a plan to migrate to compliant U.S. infrastructure well before January 1, 2026.
  • Implement audit logging, role separation, and access review mechanisms to comply with the new access control and role management requirements.

If you have questions about how SB 1188 affects your organization, including guidance on compliance strategies, vendor negotiations, or internal audits, please contact Janice Suchyta.


This communication is not intended to create or constitute, nor does it create or constitute, an attorney-client or any other legal relationship. No statement in this communication constitutes legal advice nor should any communication herein be construed, relied upon, or interpreted as legal advice. This communication is for general information purposes only regarding recent legal developments of interest, and is not a substitute for legal counsel on any subject matter. No reader should act or refrain from acting on the basis of any information included herein without seeking appropriate legal advice on the particular facts and circumstances affecting that reader. For more information, visit www.buchalter.com.