SB1188

Regular Session

Relating to electronic health record requirements; authorizing a civil penalty.

CriticalImmediate action required

High Cost

Effective:2025-09-01

Enforcing Agencies

Texas Attorney General (Injunctive relief and civil penalties) • Texas Medical Board • Health and Human Services Commission (HHSC) • Texas Department of Insurance • Texas Department of Licensing and Regulation

Compliance Analysis

Key implementation requirements and action items for compliance with this legislation

Implementation Timeline

Effective Date: September 1, 2025 (General Provisions and Record Formatting).
Compliance Deadline:
September 1, 2025: New patient records must utilize mandated data fields; AI disclosures must commence; parental access portals must be unrestricted.
January 1, 2026: Hard Stop for Data Residency. All electronic health records (historical and current) must be physically stored within the United States.
Agency Rulemaking: HHSC, the Texas Medical Board, TDLR, and TDI must enter a memorandum of understanding and adopt rules defining specific data standards prior to September 1, 2025. Expect a regulatory "gray zone" in Summer 2025 as agencies rush to define technical specifications for "Biological Sex" and "AI" definitions.

Immediate Action Plan

1. Audit Data Residency: Immediately demand a "Data Residency Report" from your IT/EHR vendor to confirm current physical storage locations.
2. Update Liability Insurance: Review Cyber and E&O policies to ensure coverage for "regulatory fines and penalties" related to state privacy laws.
3. Purge Prohibited Fields: Remove data entry fields for credit scores and voter registration from all intake forms and software interfaces.
4. Draft AI Disclosures: Create a patient consent addendum disclosing the use of AI-assisted diagnostic tools for use starting Sept 1, 2025.
5. Vendor Demand Letter: Send formal notice to your EHR vendor citing SB1188, requiring a roadmap for the implementation of "Biological Sex" and "Sexual Development Disorder" fields.

Operational Changes Required

Contracts

Vendor Certification: You must immediately amend Master Service Agreements (MSAs) with EHR vendors and cloud providers (e.g., AWS, Azure) to mandate data sovereignty. The contract must guarantee that data is never stored, processed, or backed up on servers outside the United States.
Indemnification: Update vendor contracts to include indemnification for civil penalties resulting from the vendor's failure to provide compliant data fields or domestic storage.
Subcontractors: Require vendors to certify that their downstream subcontractors also comply with the US-only residency requirement.

Hiring/Training

Clinical Staff: Providers must be trained to document "Human in the Loop" review. They cannot simply sign off on an AI diagnostic recommendation; they must affirmatively document their independent review.
Intake Staff: Train front-desk personnel to stop collecting credit scores or voter registration status. If these fields exist in current workflows, they must be disabled.
AI Disclosure: Staff must be trained to present and secure signatures on AI usage disclosure forms at the point of care.

Reporting & Record-Keeping

Mandatory Data Fields: Your EHR must be reconfigured to capture "Biological Sex" (defined strictly as Male/Female based on gamete production) and a separate field for "Sexual Development Disorder."
Parental Access: IT teams must disable automatic "adolescent privacy" filters in patient portals. Parents must have "complete, unrestricted, and immediate" access to minor records unless a court order exists.
Metabolic Health: Configure the EHR to allow specific recording of diet and metabolic health communications for chronic disease management.

Fees & Costs

Civil Penalties: The law introduces a tiered penalty structure: up to $5,000 for negligent violations, $25,000 for knowing violations, and $250,000 for violations involving financial gain.
IT Remediation: Expect significant one-time costs for EHR reconfiguration and potential data migration fees to move storage to US-based servers.

Strategic Ambiguities & Considerations

Definition of "Artificial Intelligence": The statute is broad regarding what constitutes AI in a diagnostic context. It is unclear if standard clinical decision support tools (e.g., drug interaction checkers) trigger the disclosure requirement. Watch TMB rulemaking closely for this definition.
"Immediate" Access: The requirement for "immediate" parental access is technically undefined. Agencies may interpret this as real-time API access, which many legacy systems cannot support.
Metabolic Health Communications: The requirement to record communications regarding diet is vague on format. It is unclear if this requires structured data (CCDA) or if free-text notes suffice.

Need Help Understanding Implementation?

Our government affairs experts can walk you through this bill's specific impact on your operations.

Schedule Consultation

Information presented is for general knowledge only and is provided without warranty, express or implied. Consult qualified government affairs professionals and legal counsel before making compliance decisions.

Legislative Timeline

This bill's path through the Texas Legislature

TopicsArtificial Intelligence Electronic Information Systems Health Care Providers Health Health--general Health--privacy/use of Information Gender Identity & Expression Medicaid Medical Care Facilities Health & Human Services Commission Insurance, Texas Department of Medical Board, Texas Civil Remedies & Liabilities Health--children's Insurance Parental Rights Records Management Licensing & Regulation, Texas Commission of Medical Records

Official Analysis

View HRO Analysis View All Bill Documents

BILL ANALYSIS

Senate Research Center	S.B. 1188
89R6209 EAS-F	By: Kolkhorst
	Health & Human Services
	3/14/2025
	As Filed

AUTHOR'S / SPONSOR'S STATEMENT OF INTENT

Medical records provide vital patient information to healthcare providers, informing patient care. Therefore, it is imperative that these records are secure, accessible to relevant patient parties, accurate, and used for their intended purpose.

Currently, some medical record systems automatically remove parental access from their child's medical record, only allowing "proxy" access if the child subsequently grants it. Not only do parents need to understand and be up to date on their child's medical history as legal guardians, but children also may not fully understand their own medical record and require assistance. Furthermore, though the development of artificial intelligence can prove helpful in the medical field, it should not replace the role of the physician with regard to medical records.

Additionally, in order to ensure accuracy and allow doctors to make informed, personalized decisions regarding patient care, medical records must include vital information such as a patient's biological sex at birth. Biological sex informs medical care decisions with regard to the anatomy of organ systems, disease prevalence, drug and toxin tolerance, and other relevant factors for determining care.

Lastly, medical records also have recently been used for voter registration purposes and for entities to determine credit score reports. Medical records should be used for their intended purpose�communication between providers and patients�rather than as a financial or social engineering tool.

S.B. 1188 seeks to address these issues, as well as improve patient care by adding a place for doctors to address metabolic health and other root-causes of health issues.

As proposed, S.B. 1188 amends current law relating to electronic health record requirements.

RULEMAKING AUTHORITY

Rulemaking authority is expressly granted to the Health and Human Services Commission in SECTION 1 (Section 183.010, Health and Safety Code) of this bill.

Rulemaking authority is expressly granted to the Texas Medical Board in SECTION 1 (Section 183.010, Health and Safety Code) of this bill.

Rulemaking authority is expressly granted to the Texas Department of Insurance in SECTION 1 (Section 183.010, Health and Safety Code) of this bill.

SECTION BY SECTION ANALYSIS

SECTION 1. Amends Subtitle I, Title 2, Health and Safety Code, by adding Chapter 183, as follows:

CHAPTER 183. ELECTRONIC HEALTH RECORDS

Sec. 183.001. DEFINITIONS. Defines "biological sex," "female," "governmental entity," "health care practitioner," "male," "medical facility," and "sexual development disorder."

Sec. 183.002. REQUIREMENTS FOR ELECTRONIC HEALTH RECORD STORAGE. (a) Requires each medical facility, health care practitioner, and governmental entity to store all electronic health record information of residents of this state only at a location in the United States.

(b) Requires each medical facility, health care practitioner, and governmental entity to ensure electronic health record information of residents of this state, other than open data, is inaccessible to any person located outside of the United States.

Sec. 183.003. REQUIRED MEDICAL HISTORY INFORMATION IN ELECTRONIC HEALTH RECORD. Requires a medical facility, health care practitioner, or governmental entity to ensure each electronic health record maintained for an individual includes the individual's medical history and any communications between the practitioner and a specialty health care practitioner related to the individual's metabolic health and diet in the treatment of a chronic disease or illness.

Sec. 183.004. INFORMATION RESTRICTIONS IN ELECTRONIC HEALTH RECORD. Prohibits a medical facility, health care practitioner, or governmental entity from collecting or storing any information regarding an individual's credit score or voter registration status in the individual's electronic health record.

Sec. 183.005. ARTIFICIAL INTELLIGENCE IN ELECTRONIC HEALTH RECORD. Requires a health care practitioner who uses artificial intelligence for diagnostic or other purposes, including the use of artificial intelligence for recommendations on a diagnosis or course of treatment based on a patient's medical record, to review all information obtained through the artificial intelligence process to ensure the accuracy of the information for that patient before entering the information in the patient's electronic health record.

Sec. 183.006. ACCESS TO ELECTRONIC HEALTH RECORD OF MINOR. (a) Defines "minor."

(b) Requires a medical facility, health care practitioner, or governmental entity to ensure each electronic health record system the facility, practitioner, or entity uses to store electronic health records of minors automatically allows a minor's parent, guardian, or conservator to fully access the minor's electronic health record unless access to all or a portion of the record is restricted under state or federal law or by a court order.

Sec. 183.007. ELECTRONIC HEALTH RECORD REQUIREMENTS REGARDING BIOLOGICAL SEX. (a) Requires the Health and Human Services Commission (HHSC), the Texas Medical Board (TMB), and the Texas Department of Insurance (TDI) to jointly ensure that:

(1) each electronic health record prepared or maintained by a medical facility, health care practitioner, or governmental entity in this state includes a separate space for the health care practitioner to document:

(A) an individual's biological sex as either male or female based on the individual's observed biological sex recorded by a health care practitioner at birth; and

(B) information on any sexual development disorder of the individual, whether identified at birth or later in the individual's life; and

(2) any algorithm or decision assistance tool included in an electronic health record to assist a health care practitioner in making medical treatment decisions is based on an individual's biological sex as recorded in the space described by Subdivision (1)(A).

(b) Provides that this section does not prohibit an electronic health record from including spaces for recording other information related to an individual's biological sex or gender identity.

Sec. 183.008. AMENDING CERTAIN BIOLOGICAL SEX INFORMATION IN ELECTRONIC HEALTH RECORDS. (a) Provides that a medical facility, health care practitioner, or governmental entity is authorized to amend on an electronic health record an individual's biological sex as recorded in the space described by Section 183.007(a)(1)(A) only if:

(1) the amendment is to correct a clerical error; or

(2) the individual is diagnosed with a sexual development disorder and the amendment changes the individual's listed biological sex to the opposite biological sex.

(b) Requires the medical facility, health care practitioner, or governmental entity, if an individual's biological sex is amended under Subsection (a)(2), to include in the individual's electronic health record information on the individual's sexual development disorder in the space described by Section 183.007(a)(1)(B).

Sec. 183.009. DISCIPLINARY ACTION BY LICENSING AGENCY; MEDICAID REIMBURSEMENT INELIGIBILITY. (a) Authorizes the appropriate state licensing agency to take disciplinary action against a medical facility or health care practitioner that violates this chapter as if the medical facility or health care practitioner violated an applicable licensing law.

(b) Prohibits HHSC from providing Medicaid reimbursement to a medical facility or health care practitioner that violates this chapter and requires HHSC to disenroll the medical facility or health care practitioner from participation as a Medicaid provider.

Sec. 183.010. RULES. Requires HHSC, TMB, and TDI to adopt rules as necessary to implement this chapter.

SECTION 2. (a) Makes application of Chapter 183, Health and Safety Code, as added by this Act, except as provided by Subsection (b) of this section, prospective.

(b) Provides that Section 183.002, Health and Safety Code, as added by this Act, applies to the storage of an electronic health record on or after January 1, 2026, regardless of the date on which the electronic health record was prepared.

SECTION 3. Effective date: September 1, 2025.

Senate Authors

Sen. Lois KolkhorstRepublican · Primary Author

House Sponsors

Rep. Greg BonnenRepublican · Primary Sponsor

Joint Sponsors

William Metcalf (R)

Cosponsors (2)

Bill Text(with markup)

S.B. No. 1188

View bill text in multiple formats on Texas Legislature website

Fiscal NoteView Original

	AN ACT
	relating to electronic health record requirements; authorizing a
	civil penalty.
	BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF TEXAS:
	SECTION 1. Subtitle I, Title 2, Health and Safety Code, is
	amended by adding Chapter 183 to read as follows:
	CHAPTER 183. ELECTRONIC HEALTH RECORDS
	Sec. 183.001. DEFINITIONS. In this chapter:
	(1) "Biological sex" means the biological trait that
	determines whether a sexually reproducing organism produces male or
	female gametes.
	(2) "Covered entity" has the meaning assigned by
	Section 181.001. The term includes a health care practitioner. The
	term does not include:
	(A) a home and community support services agency
	licensed under Chapter 142;
	(B) a nursing facility licensed under Chapter
	242;
	(C) a continuing care facility regulated under
	Chapter 246;
	(D) an assisted living facility licensed under
	Chapter 247;
	(E) an intermediate care facility licensed under
	Chapter 252;
	(F) a day activity and health services facility
	licensed under Chapter 103, Human Resources Code; or
	(G) a provider under the Texas home living
	(TxHmL) or home and community-based services (HCS) waiver program.
	(3) "Female" means an individual whose reproductive
	system is developed to produce ova.
	(4) "Health care practitioner" means an individual who
	is licensed, certified, or otherwise authorized to provide health
	care services in this state.
	(5) "Male" means an individual whose reproductive
	system is developed to produce sperm.
	(6) "Sexual development disorder" means a congenital
	condition associated with atypical development of internal or
	external genital structures. The term includes a chromosomal,
	gonadal, or anatomic abnormality.
	Sec. 183.002. REQUIREMENTS FOR ELECTRONIC HEALTH RECORD
	STORAGE. (a) A covered entity shall ensure that electronic health
	records under the control of the entity that contain patient
	information are physically maintained in the United States or a
	territory of the United States. This subsection applies to:
	(1) electronic health records that are stored by a
	third-party or subcontracted computing facility or an entity that
	provides cloud computing services; and
	(2) electronic health records that are stored using a
	technology through which patient information may be electronically
	retrieved, accessed, or transmitted.
	(b) A covered entity shall ensure that the electronic health
	record information of this state's residents, other than open data,
	is accessible only to individuals who require the information to
	perform duties within the scope of the individual's employment
	related to treatment, payment, or health care operations.
	(c) Each covered entity shall implement reasonable and
	appropriate administrative, physical, and technical safeguards to
	protect the confidentiality, integrity, and availability of
	electronic health record information.
	Sec. 183.003. REQUIRED MEDICAL HISTORY INFORMATION IN
	ELECTRONIC HEALTH RECORD. A covered entity shall ensure each
	electronic health record maintained for an individual includes the
	option for a health care practitioner to collect and record
	communications between two or more covered entities related to the
	individual's metabolic health and diet in the treatment of a
	chronic disease or illness.
	Sec. 183.004. INFORMATION RESTRICTIONS IN ELECTRONIC
	HEALTH RECORD. A covered entity may not collect, store, or share
	any information regarding an individual's credit score or voter
	registration status in the individual's electronic health record.
	Sec. 183.005. ARTIFICIAL INTELLIGENCE IN ELECTRONIC HEALTH
	RECORD. (a) A health care practitioner may use artificial
	intelligence for diagnostic purposes, including the use of
	artificial intelligence for recommendations on a diagnosis or
	course of treatment based on a patient's medical record, if:
	(1) the practitioner is acting within the scope of the
	practitioner's license, certification, or other authorization to
	provide health care services in this state, regardless of the use of
	artificial intelligence;
	(2) the particular use of artificial intelligence is
	not otherwise restricted or prohibited by state or federal law; and
	(3) the practitioner reviews all records created with
	artificial intelligence in a manner that is consistent with medical
	records standards developed by the Texas Medical Board.
	(b) A health care practitioner who uses artificial
	intelligence for diagnostic purposes as described by Subsection (a)
	must disclose the practitioner's use of that technology to the
	practitioner's patients.
	Sec. 183.006. ACCESS TO ELECTRONIC HEALTH RECORD OF MINOR.
	(a) In this section, "minor" means an individual 17 years of age or
	younger who has not had the disabilities of minority removed for
	general purposes.
	(b) A covered entity shall ensure each electronic health
	record system the entity uses to store electronic health records of
	minors allows a minor's parent or, if applicable, the minor's
	managing conservator or guardian to obtain complete and
	unrestricted access to the minor's electronic health record
	immediately, unless access to all or part of the record is
	restricted under state or federal law or by a court order.
	Sec. 183.007. ELECTRONIC HEALTH RECORD REQUIREMENTS
	REGARDING BIOLOGICAL SEX. (a) Notwithstanding any other law, the
	commission, the Texas Medical Board, and the Texas Department of
	Insurance shall jointly ensure that:
	(1) each electronic health record prepared or
	maintained by a covered entity in this state includes a separate
	space for the entity to document:
	(A) an individual's biological sex as either male
	or female based on the individual's observed biological sex
	recorded by a health care practitioner at birth; and
	(B) information on any sexual development
	disorder of the individual, whether identified at birth or later in
	the individual's life; and
	(2) any algorithm or decision assistance tool included
	in an electronic health record to assist a health care practitioner
	in making medical treatment decisions includes an individual's
	biological sex as recorded in the space described by Subdivision
	(1)(A).
	(b) This section does not prohibit an electronic health
	record from including spaces for recording other information
	related to an individual's biological sex or gender identity.
	Sec. 183.008. AMENDING CERTAIN BIOLOGICAL SEX INFORMATION
	IN ELECTRONIC HEALTH RECORDS. (a) A covered entity may amend on an
	electronic health record an individual's biological sex as recorded
	in the space described by Section 183.007(a)(1)(A) only if:
	(1) the amendment is to correct a clerical error; or
	(2) the individual is diagnosed with a sexual
	development disorder and the amendment changes the individual's
	listed biological sex to the opposite biological sex.
	(b) If an individual's biological sex is amended under
	Subsection (a)(2), the covered entity shall include in the
	individual's electronic health record information on the
	individual's sexual development disorder in the space described by
	Section 183.007(a)(1)(B).
	Sec. 183.009. INVESTIGATION BY COMMISSION OR REGULATORY
	AGENCY. The commission or the appropriate regulatory agency shall
	conduct an investigation of any credible allegation of a violation
	of this chapter by a covered entity. The commission or agency shall
	ensure the investigation is conducted in compliance with all
	applicable state and federal laws, including the Health Insurance
	Portability and Accountability Act of 1996 (Pub. L. No. 104-191).
	Sec. 183.010. DISCIPLINARY ACTION BY REGULATORY AGENCY.
	The appropriate regulatory agency may take disciplinary action
	against a covered entity that violates this chapter three or more
	times in the same manner as if the covered entity violated an
	applicable licensing or regulatory law. The disciplinary action
	may include license, registration, or certification suspension or
	revocation for a period the agency determines appropriate.
	Sec. 183.011. INJUNCTIVE RELIEF; CIVIL PENALTY. (a) The
	attorney general may institute an action for injunctive relief to
	restrain a violation of this chapter.
	(b) In addition to the injunctive relief provided by
	Subsection (a), the attorney general may institute an action for
	civil penalties against a covered entity for a violation of this
	chapter. A civil penalty assessed under this section may not
	exceed:
	(1) $5,000 for each violation that is committed
	negligently and that occurs in a single year, regardless of how long
	the violation continues during that year;
	(2) $25,000 for each violation that is committed
	knowingly or intentionally and that occurs in a single year,
	regardless of how long the violation continues during that year; or
	(3) $250,000 for each violation in which the covered
	entity knowingly or intentionally used protected health
	information for financial gain.
	Sec. 183.012. MEMORANDUM OF UNDERSTANDING; RULES. The
	executive commissioner, the Texas Medical Board, the Texas
	Department of Licensing and Regulation, the Texas Department of
	Insurance, and each regulatory agency subject to this chapter shall
	enter into a memorandum of understanding and, as necessary, adopt
	rules to implement this chapter.
	SECTION 2. (a) Except as provided by Subsection (b) of this
	section, Chapter 183, Health and Safety Code, as added by this Act,
	applies only to an electronic health record prepared on or after the
	effective date of this Act.
	(b) Section 183.002, Health and Safety Code, as added by
	this Act, applies to the storage of an electronic health record on
	or after January 1, 2026, regardless of the date on which the
	electronic health record was prepared.
	SECTION 3. If before implementing any provision of this Act
	a state agency determines that a waiver or authorization from a
	federal agency is necessary for implementation of that provision,
	the agency affected by the provision shall request the waiver or
	authorization and may delay implementing that provision until the
	waiver or authorization is granted.
	SECTION 4. This Act takes effect September 1, 2025.

LEGISLATIVE BUDGET BOARD
Austin, Texas

FISCAL NOTE, 89TH LEGISLATIVE REGULAR SESSION


March 18, 2025

TO:	Honorable Lois W. Kolkhorst, Chair, Senate Committee on Health & Human Services

FROM:	Jerry McGinty, Director, Legislative Budget Board

IN RE:	SB1188 by Kolkhorst (Relating to electronic health record requirements.), As Introduced

No significant fiscal implication to the State is anticipated.

It is assumed that any costs associated with the bill could be absorbed using existing resources.

Local Government Impact

No significant fiscal implication to units of local government is anticipated.

Source Agencies:

452 Department of Licensing and Regulation, 454 Department of Insurance, 503 Texas Medical Board, 529 Health and Human Services Commission, 537 State Health Services, Department of, 644 Juvenile Justice Department, 696 Department of Criminal Justice, 701 Texas Education Agency, 710 Texas A&M University System Administrative and General Offices, 720 The University of Texas System Administration

LBB Staff:

JMc, NPe, THO, NAz, APA

Related Legislation

Explore more bills from this author and on related topics

Frequently Asked Questions

Common questions about SB1188

What does Texas SB1188 do?

SB1188 mandates a fundamental restructuring of Electronic Health Record (EHR) systems in Texas, requiring strict US-only data residency, specific biological sex data fields, and mandatory disclosure of AI usage in diagnostics. This law affects all "Covered Entities" (practitioners, hospitals, clinics) and introduces a "three-strikes" license revocation penalty for repeated non-compliance. Implementation Timeline Effective Date: September 1, 2025 (General Provisions and Record Formatting).

Who authored SB1188?

SB1188 was authored by Texas Senator Lois Kolkhorst during the Regular Session.

When was SB1188 signed into law?

SB1188 was signed into law by Governor Greg Abbott on June 20, 2025.

Which agencies enforce SB1188?

SB1188 is enforced by Texas Attorney General (Injunctive relief and civil penalties), Texas Medical Board, Health and Human Services Commission (HHSC), Texas Department of Insurance and Texas Department of Licensing and Regulation.

How urgent is compliance with SB1188?

The compliance urgency for SB1188 is rated as "critical". Businesses and organizations should review the requirements and timeline to ensure timely compliance.

What is the cost impact of SB1188?

The cost impact of SB1188 is estimated as "high". This may vary based on industry and implementation requirements.

What topics does SB1188 address?

SB1188 addresses topics including artificial intelligence, electronic information systems, health care providers, health and health--general.

Legislative data provided by LegiScanLast updated: November 25, 2025

Need Strategic Guidance on This Bill?

Need help with Government Relations, Lobbying, or compliance? JD Key Consulting has the expertise you're looking for.