JD Key Consulting Logo
Signed Into Law
Signed June 20, 2025Effective 2025-09-01
SB1188

Regular Session

Relating to electronic health record requirements; authorizing a civil penalty.

Government Affairs & Regulatory Compliance Analysis

SB1188: Government Affairs Overview

SB1188 mandates a fundamental restructuring of Electronic Health Record (EHR) systems in Texas, requiring strict US-only data residency, specific biological sex data fields, and mandatory disclosure of AI usage in diagnostics. This law affects all "Covered Entities" (practitioners, hospitals, clinics) and introduces a "three-strikes" license revocation penalty for repeated non-compliance.

Sen. Lois Kolkhorst·Senate Bill·Regular Session

Critical
High Cost
Effective:2025-09-01
Enforcing Agencies

Health and Human Services Commission (HHSC)Texas Attorney General (Injunctive relief and civil penalties)Texas Department of InsuranceTexas Department of Licensing and RegulationTexas Medical Board

Business Impact

Who SB1188 Affects

This legislation has regulatory implications for the following Texas businesses and organizations:

Regulatory Priority: critical

Significant regulatory changes (effective 2025-09-01). Review with your legal and compliance teams to understand implications.

🏥

Healthcare

Affected business types:

  • Hospitals
  • Healthcare systems
  • Medical practices
  • Health insurance providers
View all healthcare legislation

Key Operational Considerations

  • 1Indemnification: Update vendor contracts to include indemnification for civil penalties resulting from the vendor's failure to provide compliant data fields or domestic storage.
  • 2Subcontractors: Require vendors to certify that their downstream subcontractors also comply with the US-only residency requirement.

Estimated Cost Impact

highSignificant operational investment may be required.

Enforcing Agencies

Need Government Relations Support?

JD Key Consulting provides government affairs and regulatory strategy services. We help businesses navigate Texas agencies, understand legislative impacts, and advocate for their interests.

Need Help Navigating This Legislation?

JD Key Consulting provides strategic guidance on Texas regulatory compliance and legislative impact for your business.

SB1188
Critical
Relating to electronic health record requirements; authorizing a civil penalty.
Critical Compliance Urgency
Requires immediate attention
Cost Impact
High
Effective
2025-09-01
Enforcing Agencies
HHSCTexas Attorney GeneralTexas Department of InsuranceTexas Department of Licensing an...+1 more
Primary Author: Sen. Lois Kolkhorst
89th Texas Legislature
jdkey.com
01

Compliance Analysis

Key implementation requirements and action items for compliance with this legislation

Implementation Timeline

  • Effective Date: September 1, 2025 (General Provisions and Record Formatting).
  • Compliance Deadline:
  • September 1, 2025: New patient records must utilize mandated data fields; AI disclosures must commence; parental access portals must be unrestricted.
  • January 1, 2026: Hard Stop for Data Residency. All electronic health records (historical and current) must be physically stored within the United States.
  • Agency Rulemaking: HHSC, the Texas Medical Board, TDLR, and TDI must enter a memorandum of understanding and adopt rules defining specific data standards prior to September 1, 2025. Expect a regulatory "gray zone" in Summer 2025 as agencies rush to define technical specifications for "Biological Sex" and "AI" definitions.

Immediate Action Plan

  • 1. Audit Data Residency: Immediately demand a "Data Residency Report" from your IT/EHR vendor to confirm current physical storage locations.
  • 2. Update Liability Insurance: Review Cyber and E&O policies to ensure coverage for "regulatory fines and penalties" related to state privacy laws.
  • 3. Purge Prohibited Fields: Remove data entry fields for credit scores and voter registration from all intake forms and software interfaces.
  • 4. Draft AI Disclosures: Create a patient consent addendum disclosing the use of AI-assisted diagnostic tools for use starting Sept 1, 2025.
  • 5. Vendor Demand Letter: Send formal notice to your EHR vendor citing SB1188, requiring a roadmap for the implementation of "Biological Sex" and "Sexual Development Disorder" fields.

Operational Changes Required

Contracts

  • Vendor Certification: You must immediately amend Master Service Agreements (MSAs) with EHR vendors and cloud providers (e.g., AWS, Azure) to mandate data sovereignty. The contract must guarantee that data is never stored, processed, or backed up on servers outside the United States.
  • Indemnification: Update vendor contracts to include indemnification for civil penalties resulting from the vendor's failure to provide compliant data fields or domestic storage.
  • Subcontractors: Require vendors to certify that their downstream subcontractors also comply with the US-only residency requirement.

Hiring/Training

  • Clinical Staff: Providers must be trained to document "Human in the Loop" review. They cannot simply sign off on an AI diagnostic recommendation; they must affirmatively document their independent review.
  • Intake Staff: Train front-desk personnel to stop collecting credit scores or voter registration status. If these fields exist in current workflows, they must be disabled.
  • AI Disclosure: Staff must be trained to present and secure signatures on AI usage disclosure forms at the point of care.

Reporting & Record-Keeping

  • Mandatory Data Fields: Your EHR must be reconfigured to capture "Biological Sex" (defined strictly as Male/Female based on gamete production) and a separate field for "Sexual Development Disorder."
  • Parental Access: IT teams must disable automatic "adolescent privacy" filters in patient portals. Parents must have "complete, unrestricted, and immediate" access to minor records unless a court order exists.
  • Metabolic Health: Configure the EHR to allow specific recording of diet and metabolic health communications for chronic disease management.

Fees & Costs

  • Civil Penalties: The law introduces a tiered penalty structure: up to $5,000 for negligent violations, $25,000 for knowing violations, and $250,000 for violations involving financial gain.
  • IT Remediation: Expect significant one-time costs for EHR reconfiguration and potential data migration fees to move storage to US-based servers.

Strategic Ambiguities & Considerations

  • Definition of "Artificial Intelligence": The statute is broad regarding what constitutes AI in a diagnostic context. It is unclear if standard clinical decision support tools (e.g., drug interaction checkers) trigger the disclosure requirement. Watch TMB rulemaking closely for this definition.
  • "Immediate" Access: The requirement for "immediate" parental access is technically undefined. Agencies may interpret this as real-time API access, which many legacy systems cannot support.
  • Metabolic Health Communications: The requirement to record communications regarding diet is vague on format. It is unclear if this requires structured data (CCDA) or if free-text notes suffice.

Need Compliance Guidance on This Legislation?

JD Key Consulting specializes in Texas regulatory compliance strategy. Work directly with James Dickey—former Chairman of the Republican Party of Texas—to understand this bill's impact on your operations and develop an actionable compliance plan.

Schedule a Consultation

Information presented is for general knowledge only and is provided without warranty, express or implied. Consult qualified government affairs professionals and legal counsel before making compliance decisions.

02

Legislative Timeline

This bill's path through the Texas Legislature

Filed
Feb 7, 2025
Passed Senate
Apr 7, 2025
Passed House
May 23, 2025
Signed
Jun 20, 2025
Effective
Sep 1, 2025
TopicsArtificial IntelligenceElectronic Information SystemsHealth Care ProvidersHealthHealth--generalHealth--privacy/use of InformationGender Identity & ExpressionMedicaidMedical Care FacilitiesHealth & Human Services CommissionInsurance, Texas Department ofMedical Board, TexasCivil Remedies & LiabilitiesHealth--children's InsuranceParental RightsRecords ManagementLicensing & Regulation, Texas Commission ofMedical Records
03

Senate Authors

Sen. Lois KolkhorstRepublican · Primary Author

House Sponsors

Rep. Greg BonnenRepublican · Primary Sponsor
Joint Sponsors
Cosponsors (2)

Bill Text(with markup)

View bill text in multiple formats on Texas Legislature website

Fiscal NoteView Original

Related Legislation

Explore more bills from this author and on related topics

More from Sen. Lois Kolkhorst

View all bills by Sen. Lois Kolkhorst

Related by Topic

View more Artificial Intelligence legislation
Quick Reference

Frequently Asked Questions

Common questions about SB1188

Q

What does Texas SB1188 do?

SB1188 mandates a fundamental restructuring of Electronic Health Record (EHR) systems in Texas, requiring strict US-only data residency, specific biological sex data fields, and mandatory disclosure of AI usage in diagnostics. This law affects all "Covered Entities" (practitioners, hospitals, clinics) and introduces a "three-strikes" license revocation penalty for repeated non-compliance.

Q

Who authored SB1188?

SB1188 was authored by Texas Senator Lois Kolkhorst during the Regular Session.

Q

When was SB1188 signed into law?

SB1188 was signed into law by Governor Greg Abbott on June 20, 2025.

Q

Which agencies enforce SB1188?

SB1188 is enforced by Health and Human Services Commission (HHSC), Texas Attorney General (Injunctive relief and civil penalties), Texas Department of Insurance, Texas Department of Licensing and Regulation and Texas Medical Board.

Q

How significant are the changes in SB1188?

The regulatory priority for SB1188 is rated as "critical". Businesses and organizations should review the legislation to understand potential impacts.

Q

What is the cost impact of SB1188?

The cost impact of SB1188 is estimated as "high". This may vary based on industry and implementation requirements.

Q

What topics does SB1188 address?

SB1188 addresses topics including artificial intelligence, electronic information systems, health care providers, health and health--general.

Q

What are the key dates for SB1188?

Key dates for SB1188: Effective date is 2025-09-01. Rulemaking: Must enter into a memorandum of understanding and adopt rules to implement Chapter 183, specifically regarding biological sex documentation standards. (Prior to 2025-09-01 (Implied)). Consult with legal counsel regarding applicability.

Q

What are the penalties under SB1188?

SB1188 establishes the following penalties: civil penalty of Up to $5,000 per violation (annual cap applies) for Negligent violation of EHR requirements (assessed per violation occurring in a single year).; civil penalty of Up to $25,000 per violation (annual cap applies) for Knowing or intentional violation of EHR requirements.; civil penalty of Up to $250,000 per violation for Knowing or intentional use of protected health information for financial gain.. Consult with legal counsel for specific applicability to your situation.

Q

Which Texas businesses are affected by SB1188?

SB1188 primarily affects healthcare providers and medical facilities, insurance companies and financial institutions. These businesses should review the legislation with their legal and compliance teams to understand potential impacts.

Need Strategic Guidance on This Legislation?

JD Key Consulting is an Austin, Texas-based government affairs firm led by James Dickey, former Chairman of the Republican Party of Texas. We specialize in Texas regulatory compliance and legislative strategy for data centers, energy, banking, and manufacturing.

Legislative data provided by LegiScanLast updated: January 11, 2026