Recent updates to Texas health information legislation, which came into effect on September 1, introduce several critical provisions with implications for artificial intelligence and health record data management. Regulatory attorney Rachel Rose outlines the significance of this new state law, especially for organizations within the healthcare sector.
Texas Senate Bill 1188, signed by Governor Greg Abbott on June 20, set the stage for compliance deadlines that required immediate action from regulated entities. Among its provisions, the law requires healthcare practitioners to inform patients when artificial intelligence is used, particularly in diagnostic contexts. “The focus is on generative AI used for diagnosis, including recommendations based on patient medical records,” Rose noted.
Rose emphasized that Texas is among the leading states in adopting AI-related regulations ahead of federal measures. This proactive stance is indicative of the growing importance placed on data governance in the healthcare landscape. “It’s not surprising that we see such advancements at the state level,” she stated during her interview with Information Security Media Group.
Another critical aspect of the new legislation relates to the storage of electronic health records. The law requires that covered organizations maintain patients’ health information within the physical boundaries of the United States. “Individually identifiable health information must be stored either in the continental U.S. or its territories, as well as in Alaska or Hawaii,” she explained. This requirement aligns with prior federal and state contracts, including legislation in Arizona.
However, organizations must tread carefully if they rely on offshore services for tasks such as interpreting medical images or utilizing cloud computing. This specific regulation, which will become effective in January 2026, necessitates meticulous scrutiny. Rose stated, “Knowing the location of your data is crucial, particularly when third parties also come into play, such as those processing radiology reports abroad.” Awareness regarding data storage, creation, and transmission is essential for compliance.
The law also authorizes the Texas Attorney General to pursue injunctive relief and impose civil penalties that can range from $5,000 to $250,000 per violation. “This could have significant ramifications for non-compliance,” Rose highlighted, underscoring the stakes involved for healthcare organizations navigating these new requirements.
In her conversation with Information Security Media Group, Rose discussed how Texas’ law compares with HIPAA and other state regulations, the potential implications of documenting a patient’s biological sex in medical records, and notable legal developments affecting health information privacy and security. Understanding these dynamics is essential for business leaders in the healthcare sector as they strive to align their practices with state and federal laws.
As a licensed attorney in Texas and a fellow of the Federal Bar Association, Rose brings her expertise to the forefront, serving as a director on the FBA’s national board and being actively involved in its Government Relations Committee and Qui Tam Section. Her insights are invaluable as the industry navigates these evolving regulatory frameworks.