Texas Implements New Requirements for Electronic Medical Record Storage
On September 1, 2025, a new law was implemented in Texas that has new requirements for the storage of electronic health records (EHRs), which must be physically stored within the United States or a territory of the United States. The new EHR storage requirements will apply to the storage of all EHRs on or after January 1, 2026, regardless of when the EHRs were created.
The new requirements do not only apply to HIPAA-covered entities. Senate Bill 1188 (SB1188) uses a broader definition and applies to “electronic health records that are stored by a third-party or subcontracted computing facility or an entity that provides cloud computing services; and electronic health records that are stored using a technology through which patient information may be electronically retrieved, accessed, or transmitted.”
There has also been a change to the language concerning access to the EHRs of Texas residents. Access must be restricted to individuals who require the information in EHRs to perform duties within the scope of the individual’s employment related to treatment, payment, and healthcare operations. There are also data security requirements that mirror the requirements of HIPAA. Covered entities must implement reasonable and appropriate administrative, physical, and technical safeguards to protect the confidentiality, integrity, and availability of electronic health record information.
The EHR must allow healthcare practitioners to collect and record communications between two or more covered entities related to the individual’s metabolic health and diet in the treatment of a chronic disease and illness, and the medical record of a minor (under 17 years of age) must be available immediately to the minor’s parent or, if applicable, legal guardian or managing conservator unless access to that record is restricted under state or federal law.
There are also new restrictions on the information that can be stored in an EHR. Covered entities are not permitted to store information about an individual’s credit score or voter registration status in the EHR. The EHR must record an individual’s biological sex, as determined by a healthcare provider at birth (M/F), and include information on any sexual development disorder, either identified at birth or later in life. There are also restrictions on when an individual’s biological sex can be changed in the individual’s health record.
The new law permits the use of artificial intelligence tools for diagnostic purposes, including recommendations on a diagnosis or course of treatment based on a patient’s medical record, provided the practitioner is acting within the scope of their license, certification, or other authorization to provide healthcare services in the state, and provided the practitioner checks any records created with an AI tool to ensure that the record is consistent with the medical records standards of the Texas Medical Board.
The penalties for noncompliance can be severe, including fines of between $5,000 and $20,000 and potentially the revocation or suspension of a license, registration, or certification. Covered entities have a little over 3 months to ensure they are fully compliant with the new requirements, so they should, if they have not done so already, evaluate their current EHR and data storage policies and procedures, and ensure that any third-party contractors are also compliant and bound by the new requirements in their contracts/business associate agreements.
