S.B. 1188 Texas EHR Law: Data Localization, AI, and Access Requirements
On June 20, 2025, Texas Governor Greg Abbott signed into law S.B. 1188, regulating how electronic health records (EHRs) are managed, stored, and accessed. Effective dates for different requirements begin as early as September 2025 and January 2026, giving covered entities and their vendors a relatively short window to come into compliance. Businesses and institutions ranging from hospitals and clinics to insurers and school districts will need to assess their EHR practices and vendor relationships to avoid ongoing legal and operational risks.
Applicability: Who Is Subject to S.B. 1188?
The law is written broadly and captures a wide range of entities beyond traditional clinical settings that create, maintain, or process EHRs. While healthcare providers are the primary focus, with some limited statutory exclusions, the law also applies to schools, health insurers, and third-party vendors who handle EHRs for covered entities.
Key Data Privacy and Protection Requirements Under S.B. 1188
Prohibition on Offshore Storage of Electronic Health Records
Effective January 1, 2026, the law prohibits the storage of EHRs outside the United States or a U.S. territory. Importantly, while offshore storage is banned, offshore access is still permitted, provided that appropriate safeguards are in place. As such, covered entities and vendors must ensure that offshore access does not result in storage, copying, or caching of EHR data on non-U.S. servers or devices. This requirement poses particular challenges for organizations using global cloud vendors, offshore IT contractors, or international data processing solutions. Contracts and technical safeguards should be reviewed and, where necessary, updated to ensure no EHR data is inadvertently stored offshore.
Role-Based Access Controls for Electronic Health Records
Beginning September 1, 2025, for EHRs prepared on or after that date, EHR information of Texas residents must be accessible only to individuals who require it to perform duties within the scope of their employment related to treatment, payment, or health care operations, with reasonable and appropriate administrative, physical, and technical safeguards. Entities must implement and enforce access controls that ensure only authorized personnel can view or interact with sensitive health information. Regular reviews of user roles, access logs, and audit trails will be essential for demonstrating compliance and mitigating insider threats.
Regulated Use of Artificial Intelligence in Diagnosis
While the law acknowledges the increasing role of artificial intelligence (AI) in healthcare, it also sets guardrails on its use in clinical settings:
- Practitioner Oversight: Any use of AI in diagnosis or treatment must be performed by a healthcare practitioner acting within the scope of their license.
- Lawful Use: The use of AI must not violate any other laws or regulations.
- Review: Practitioners must review AI-generated records in accordance with standards set by the Texas Medical Board.
- Disclosure: When a practitioner uses AI, they must inform the patient of the use of AI tools in their diagnosis or treatment.
Providers should update their policies, training, and patient communications to reflect these standards. Vendors offering AI-driven healthcare solutions must ensure their platforms enable required practitioner review and disclosure workflows.
Immediate and Full Parental Access to Minor’s EHR
The law also requires full, immediate parental (or conservator or guardian) access to a child’s complete electronic health record, unless such access is otherwise limited by law or court order. Entities must ensure their EHR systems and workflows allow parents or legal guardians to promptly obtain all of their child’s health information, removing unnecessary delays or partial disclosures.
Enforcement, Penalties, and Further Guidance
The law grants the Texas Attorney General authority to seek injunctive relief and civil monetary penalties for violations of the law:
- Negligent violations may result in penalties of $5,000 per violation.
- Knowing or intentional violations may result in penalties of $25,000 per violation.
- Knowing or intentional violations for financial gain can result in penalties of $250,000 per violation.
Repeated violations may also lead to suspension or revocation of a practitioner’s professional license.
Further Regulations
The law directs multiple Texas agencies, including, but not limited to, the Health and Human Services Commission, the Texas Medical Board, the Texas Department of Licensing and Regulation, and the Texas Department of Insurance, to develop memoranda of understanding and adopt implementing rules to clarify and operationalize key provisions of the law.
McDonald Hopkins will continue to monitor for additional regulations, technical standards, and agency guidance over the coming months, as these may provide further detail regarding compliance obligations, enforcement practices, and required safeguards.
Steps Businesses Should Take to Prepare for Compliance
Given the tight compliance deadlines and the impact of S.B. 1188, covered entities should:
- Conduct a data mapping exercise to understand where Texas resident EHRs are stored and processed and identify any offshore storage risks.
- Update vendor contracts and data processing agreements to require U.S.-only storage and appropriate access controls.
- Implement or review role-based access systems for EHRs, ensuring least-privilege access and comprehensive audit logging.
- Review and update policies and procedures regarding the use of AI in healthcare, including practitioner oversight and patient disclosure protocols.
- Audit and update EHR access rights for parents and legal guardians of minors to ensure full and immediate proxy access as required.
- Train staff and update compliance programs to ensure awareness and operational readiness before key effective dates.
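The role-based access requirement described above (access limited to personnel who need it for treatment, payment, or health care operations, with audit trails and regular reviews of user roles) and the least-privilege and audit-logging steps in the checklist, shown together as an added illustration. This is not code from the article, the statute, or any EHR vendor; the role names, purposes, user identifiers, patient identifiers, and timestamps are constructed assumptions.

```python
"""Role-based, purpose-limited EHR access with an audit trail and periodic review.

Added illustration for this article, not code from the law, the firm or any EHR
vendor. The roles, purposes and sample records are constructed assumptions.
"""
from dataclasses import dataclass

# The three purposes the law names as permitted scopes of access.
PERMITTED_PURPOSES = {"treatment", "payment", "operations"}

# Assumed role-to-purpose mapping for one organization (constructed).
ROLE_PURPOSES = {
    "physician": {"treatment"},
    "nurse": {"treatment"},
    "billing_clerk": {"payment"},
    "quality_analyst": {"operations"},
}


@dataclass
class AccessRequest:
    user: str
    role: str          # role asserted by the identity system at request time
    patient_id: str
    purpose: str       # why the record is being opened
    when: str          # ISO-8601 timestamp (constructed sample values below)


@dataclass
class AuditEntry:
    user: str
    role: str
    patient_id: str
    purpose: str
    allowed: bool
    reason: str
    when: str


class EhrAccessPolicy:
    """Deny by default: a request passes only if its purpose is one the law
    permits and the requester's role is authorized for that purpose."""

    def __init__(self, role_purposes=None):
        self.role_purposes = ROLE_PURPOSES if role_purposes is None else role_purposes
        self.audit_log = []  # every decision, allowed or denied, is recorded

    def decide(self, req):
        if req.purpose not in PERMITTED_PURPOSES:
            return self._record(req, False, "purpose outside treatment/payment/operations")
        if req.purpose not in self.role_purposes.get(req.role, set()):
            return self._record(req, False, f"role {req.role} not authorized for {req.purpose}")
        return self._record(req, True, "in scope")

    def _record(self, req, allowed, reason):
        self.audit_log.append(AuditEntry(req.user, req.role, req.patient_id,
                                         req.purpose, allowed, reason, req.when))
        return allowed


def review_access_log(audit_log, current_roles):
    """Periodic review: surface denied attempts (possible probing or misconfigured
    roles) and past allowed accesses by users whose role has since changed, so
    that stale entitlements are caught. Returns (kind, user, patient_id, detail)."""
    findings = []
    for e in audit_log:
        if not e.allowed:
            findings.append(("denied", e.user, e.patient_id, e.reason))
        elif current_roles.get(e.user) != e.role:
            findings.append(("role_changed", e.user, e.patient_id,
                             f"accessed as {e.role}, now {current_roles.get(e.user)}"))
    return findings


def run_sample():
    """Constructed sample: four access attempts, then a review after one
    user's role has changed."""
    policy = EhrAccessPolicy()
    requests = [
        AccessRequest("dr.ortiz", "physician", "P-001", "treatment", "2025-09-02T08:15:00Z"),
        AccessRequest("b.lee", "billing_clerk", "P-001", "payment", "2025-09-02T09:00:00Z"),
        AccessRequest("b.lee", "billing_clerk", "P-002", "treatment", "2025-09-02T09:05:00Z"),
        AccessRequest("k.chen", "quality_analyst", "P-003", "marketing", "2025-09-02T10:30:00Z"),
    ]
    decisions = [policy.decide(r) for r in requests]
    # By review time b.lee has moved from billing to the quality team.
    current_roles = {"dr.ortiz": "physician", "b.lee": "quality_analyst",
                     "k.chen": "quality_analyst"}
    findings = review_access_log(policy.audit_log, current_roles)
    return decisions, findings


if __name__ == "__main__":
    decisions, findings = run_sample()
    print("decisions:", decisions)
    for f in findings:
        print("finding:", f)
```

Running the file prints the four access decisions (two allowed, two denied) and three review findings: one prior access by a user whose role has since changed, and the two denied attempts. The review routine is the piece that the "regular reviews of user roles, access logs, and audit trails" in the access-control section would operate on; in a real deployment the role map would come from the identity system and the log would be written to tamper-evident storage rather than an in-memory list.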
If you have any questions regarding your company’s strategy to comply with S.B. 1188 or would like to discuss the law’s impact, reach out to McDonald Hopkins’ national Data Privacy and Cybersecurity practice group.