How Texas S.B. 1188 transforms healthcare data protection beyond HIPAA
Gugu Ntsele September 15, 2025
The Health Insurance Portability and Accountability Act (HIPAA) has been the federal baseline for healthcare privacy protection. However, HIPAA explicitly allows states to enact more stringent protections. Texas S.B. 1188 represents an expansion of this state-level authority, particularly in areas where HIPAA provides limited guidance.
HIPAA's Privacy Rule focuses primarily on the use and disclosure of protected health information (PHI), while its Security Rule addresses electronic safeguards. Texas S.B. 1188 builds upon these foundations by adding specific requirements for data storage locations, artificial intelligence disclosure, and access controls that go beyond federal mandates.
Where Texas goes beyond HIPAA
Data sovereignty requirements
One of the key differences between S.B. 1188 and HIPAA lies in data storage requirements. While HIPAA contains no explicit restrictions on offshore data storage, Texas now explicitly mandates under Section 183.002(a) that "A covered entity shall ensure that electronic health records under the control of the entity that contain patient information are physically maintained in the United States or a territory of the United States." According to the official bill analysis, this requirement specifically applies to "electronic health records that are stored by a third-party or subcontracted computing facility or an entity that provides cloud computing services" and "electronic health records that are stored using a technology through which patient information may be electronically retrieved, accessed, or transmitted," all of which must be "physically maintained in the United States or a U.S. territory."
This requirement takes effect January 1, 2026, and reflects concerns about data sovereignty and foreign surveillance that HIPAA could not have anticipated.
This geographic restriction creates compliance challenges for healthcare organizations that have embraced global cloud storage solutions. Many major cloud providers offer data centers worldwide, and organizations may unknowingly store patient data in international locations for cost efficiency or performance optimization. Under S.B. 1188, these organizations must audit their entire data infrastructure and potentially restructure vendor relationships.
Artificial intelligence governance
HIPAA contains no specific provisions addressing artificial intelligence in healthcare. Texas S.B. 1188 fills this void by establishing requirements for AI use in diagnosis. Under Section 183.005(a), a health care practitioner may use "artificial intelligence for diagnostic purposes, including the use of artificial intelligence for recommendations on a diagnosis or course of treatment based on a patient's medical record" with specific conditions including that "the practitioner reviews all records created with artificial intelligence in a manner that is consistent with medical records standards developed by the Texas Medical Board."
Also, Section 183.005(b) establishes a mandatory transparency requirement: "A health care practitioner who uses artificial intelligence for diagnostic purposes as described by Subsection (a) must disclose the practitioner's use of that technology to the practitioner's patients."
These requirements create transparency obligations that extend beyond HIPAA's general disclosure requirements. While HIPAA requires covered entities to inform patients about uses and disclosures of their PHI, it doesn't specifically address AI-assisted diagnosis. Texas now mandates explicit patient notification when artificial intelligence contributes to their care.
The implementation challenges are considerable. As Rachel V. Rose emphasizes in "Texas S.B. 1188 and health information implications," providers must focus on "implementing AI that is safe, ethical and legal, coupled with adequate policies and procedures."
Enhanced access controls
HIPAA's minimum necessary standard requires covered entities to limit PHI access to the minimum amount necessary for the intended purpose. Texas S.B. 1188 strengthens this requirement through Section 183.002(b), which mandates that electronic health record information "is accessible only to individuals who require the information to perform duties within the scope of the individual's employment related to treatment, payment, or health care operations."
While this may seem redundant with HIPAA, the Texas law's language suggests a more restrictive interpretation that could require additional access auditing and documentation.
Expanded coverage and documentation requirements
One notable aspect of S.B. 1188 is its broad definition of "covered entity," which extends beyond HIPAA's traditional healthcare ecosystem. While HIPAA covers healthcare providers, health plans, healthcare clearinghouses, and their business associates, Texas law includes any person or entity that collects, maintains, or stores health information of Texas residents for commercial, financial, or professional gain.
The law also introduces specific documentation requirements. Section 183.007(a)(1) mandates that "each electronic health record prepared or maintained by a covered entity in this state includes a separate space for the entity to document...an individual's biological sex as either male or female based on the individual's observed biological sex recorded by a health care practitioner at birth." As Rose notes, this requirement addresses rare situations where individuals develop both sets of gonads and requires adequate medical record documentation, with the bill defining "biological sex" under Section 183.001(1) as "the biological trait that determines whether a sexually reproducing organism produces male or female gametes."
This expansion means that employers maintaining workers' compensation documentation, schools keeping student health records, mobile health apps tracking user data, and life insurance companies collecting medical information during underwriting may all fall under Texas jurisdiction. These entities may have minimal HIPAA obligations but could face compliance requirements under state law.
Compliance complexities and operational challenges
Healthcare organizations operating in Texas now face the challenge of complying with both HIPAA and state requirements simultaneously. In many cases, this means implementing the more restrictive standard where laws overlap and addressing entirely new requirements where they don't.
Data storage presents the most immediate challenge. Organizations must conduct data mapping exercises to identify where electronic health records reside, evaluate current vendor agreements for compliance with geographic restrictions, and potentially migrate data to compliant storage solutions.
The AI disclosure requirements demand new operational workflows. Healthcare providers must inventory existing AI tools, establish review protocols for AI-generated content, and create patient communication processes for AI disclosure. This requires coordination between clinical, compliance, and IT departments to ensure seamless implementation.
Enforcement and penalties
Texas S.B. 1188 introduces enforcement mechanisms that operate independently of HIPAA violations but carry equally serious consequences. The Texas commissioner of Health and Human Services can investigate credible violation allegations, while the state attorney general can pursue injunctive relief and substantial financial penalties.
Section 183.011(b) establishes specific civil penalty caps that escalate based on intent and harm:
- "$5,000 for each violation that is committed negligently"
- "$25,000 for each violation that is committed knowingly or intentionally"
- "$250,000 for each violation in which the covered entity knowingly or intentionally used protected health information for financial gain"
Under Section 183.010, multiple violations can lead to license suspension, creating existential risks for healthcare organizations.
These penalties operate alongside potential HIPAA violations and OCR enforcement actions, meaning organizations could face dual exposure for related conduct. A single data handling incident could trigger both federal and state investigations, multiplying financial and operational risks.
Implications for healthcare organizations
The passage of S.B. 1188, with an effective date of September 1, 2025, signals a broader trend toward state-level healthcare privacy regulation that healthcare organizations must anticipate and prepare for. As other states consider similar legislation, organizations may face varying compliance requirements across jurisdictions.
Organizations should view Texas law compliance as an opportunity to strengthen overall data governance practices. The geographic storage requirements may drive investment in domestic cloud infrastructure, while role-based access mandates could improve overall security posture. AI disclosure requirements may enhance patient trust through increased transparency about technological involvement in care delivery.
However, organizations must also prepare for the operational complexity of multi-jurisdictional compliance. This may require investment in compliance management systems, expanded legal and compliance teams, and more rigorous vendor management processes. As Rose recommends, these items should be incorporated into annual HIPAA risk analyses, coordinating with electronic health record companies, IT providers, and legal counsel to ensure that compliance strategies are consistent.
FAQs
Does Texas S.B. 1188 apply to telehealth providers outside Texas treating Texas residents?
Yes, if they collect or store the health information of Texas residents, they fall under the law.
How does this law affect small healthcare startups compared to large hospital systems?
Smaller organizations may face higher compliance costs due to limited resources.
Are there exceptions for research institutions or universities under S.B. 1188?
No explicit research exemptions exist, so institutions handling Texas patient data must comply.
What role do cloud providers play in compliance with the U.S.-only storage mandate?
Cloud vendors must guarantee that Texas patient data is stored within U.S. borders.
Could S.B. 1188 set a precedent for other states to pass similar laws?
Yes, Texas may become a model for stricter healthcare privacy legislation nationwide.