
New Texas Law on Storage of Health Care Data

Texas is imposing new rules for the storage of electronic health records (“EHR”). Recently enacted Senate Bill 1188 (“SB 1188”) requires that, as of January 1, 2026, any EHR under the control of a covered entity must be physically maintained in the United States (or a U.S. territory). This requirement applies to all EHR, regardless of whether it was created prior to January 1, 2026, and regardless of whether it is stored by the covered entity itself or by a third party on behalf of the covered entity.

Previous draft language of the proposed legislation required that the EHR of Texas residents be inaccessible to any person located outside of the United States. The final enacted version does not contain this detail; instead, it requires that a covered entity ensure that the EHR of Texas residents is “…accessible only to individuals who require the information to perform duties within the scope of the individual’s employment related to treatment, payment, or health care operations.” The covered entity is required to implement reasonable and appropriate administrative, physical, and technical safeguards to protect the confidentiality, integrity, and availability of EHRs. Given the onshore storage requirements in SB 1188, such safeguards, at a minimum, would likely need to include system level restrictions on the downloading/copying of remotely accessed EHRs to prevent inadvertent data persistence outside the United States. 

As used here, the term “covered entity” is broader than is commonly understood under the Health Insurance Portability and Accountability Act (“HIPAA”). SB 1188 largely adopts the “covered entity” definition found in the Texas Medical Records Privacy Act, which is broadly defined to cover almost any entity or person that engages in the assembling, collecting, analyzing, using, evaluating, storing, or transmitting of protected health information (“PHI”). This includes health care payors, governmental units, information or computer management entities, schools, health researchers, health care facilities, clinics, health care providers/practitioners, business associates (as defined under HIPAA), or any person who maintains an internet site that: (1) comes into possession of PHI; (2) obtains or stores PHI; or (3) is any employee, agent, or contractor of the previously mentioned covered entities. Notably, a few selected entities are not considered covered entities under SB 1188 (e.g., certain nursing, assisted living, continuing care, intermediate care, and day activity and health services facilities, as well as home and community support services agencies, and providers under the Texas home living or home and community-based services waiver program).

The penalties for violations of the new law can be significant. The Texas Health and Human Services Commission, or another appropriate regulatory agency, is authorized to investigate and penalize non-compliance, and penalties could include revocation or suspension of a license, registration, or certification. Additionally, the Texas Attorney General may pursue injunctive relief against violators and/or civil penalties of between $5,000 and $250,000, depending on the specific facts and circumstances of the violations.

While many managed care contracts already impose limitations on the offshoring of patient data, Texas did not previously have a specific law addressing offshoring of EHR, much less one that applied to a broader audience than those contracting with health care payors. Given the extensive reach of the data storage provisions in SB 1188, and the potential for severe penalties for non-compliance, covered entities in Texas should carefully evaluate their current EHR data storage/access policies and procedures and their contracts with third parties to ensure compliance with SB 1188 when the new data storage provisions take effect on January 1, 2026.

Tags

health care, privacy data and cybersecurity