According to the Legislative Budget Board, SB 1188 is expected to result in a net negative impact of approximately $1.57 million to the General Revenue Fund through August 31, 2027. The primary driver of this cost is the increased workload for the Health and Human Services Commission (HHSC), particularly within its Long-term Care Regulatory team, which will be responsible for enforcing the new electronic health record (EHR) storage and access requirements.

To support implementation and compliance activities, HHSC anticipates the need for five new full-time employees (FTEs) beginning in fiscal year 2026, with recurring personnel and administrative costs of roughly $760,000 to $809,000 per year. One-time implementation expenses totaling nearly $50,000 are also included in the 2026 estimate. While HHSC expects to integrate these requirements into its new EHR vendor systems by September 2026 without additional technology costs, ongoing regulatory oversight necessitates the added staff.

Importantly, the fiscal note also points out that the revenue impact from potential civil penalties under the bill is indeterminate, as it is unknown how many violations might occur. The Comptroller of Public Accounts could not estimate how much, if any, revenue would be generated through enforcement actions. Nevertheless, the bill provides a legal foundation for future appropriations tied to its enforcement.

Finally, the analysis assumes no significant fiscal impact on local governments and anticipates that other state agencies involved (such as the Texas Medical Board, Department of Insurance, and others) can absorb the bill’s requirements within their existing resources. This limits the broader budgetary footprint of the bill while concentrating implementation costs within the state’s public health regulatory framework.

SB 1188 presents a well-structured effort to enhance the security, integrity, and medical utility of electronic health records (EHRs) in Texas. It reflects a targeted policy response to increasing concerns over foreign access to sensitive health information, the proper use of artificial intelligence in clinical decision-making, and the integrity of medical data used to guide treatment—particularly data tied to biological sex. These issues intersect strongly with the liberty principles of Individual Liberty, Personal Responsibility, and Limited Government.

From a privacy standpoint, the bill's requirement that EHRs be stored physically in the United States or its territories enhances data security and minimizes risk of unauthorized foreign access. This aligns with Individual Liberty by strengthening control over sensitive personal health data. By mandating access controls and internal safeguards, the bill promotes responsible data stewardship by healthcare providers, supporting the principle of Personal Responsibility.

The substitute version of the bill avoids overregulation by narrowing the scope of enforcement mechanisms and aligning oversight with existing privacy laws. It removes automatic disqualification from Medicaid reimbursement and instead allows enforcement via civil penalties and licensing actions for repeat violations, balancing accountability with regulatory restraint—thereby respecting the principle of Limited Government.

In sum, SB 1188 advances important goals in medical privacy, patient safety, and administrative integrity without significant government expansion or overreach. The bill is appropriately scoped, well-aligned with liberty principles, and as such, Texas Policy Research recommends that lawmakers vote YES on SB 1188.

• Individual Liberty: The bill strengthens individual liberty by enhancing protections around sensitive health data. Requiring electronic health records (EHRs) to be stored within the United States reduces the risk of foreign data breaches or unauthorized access, ensuring that Texans’ private health information remains under the jurisdiction of U.S. privacy laws. Limiting access to health records to only those with a professional need also reinforces personal privacy.
• Personal Responsibility: The bill promotes personal responsibility at the institutional level by holding health care providers and facilities accountable for data security, accuracy in records, and appropriate use of artificial intelligence in clinical decision-making. It compels entities to implement reasonable safeguards and requires health care practitioners to verify AI-generated content, ensuring professional oversight remains intact.
• Free Enterprise: On one hand, the bill could marginally burden businesses that use offshore data storage or rely on global cloud computing vendors, potentially increasing compliance costs. This could be seen as a restriction on market operations. However, the bill does not create barriers to entry, does not favor specific vendors, and aligns with existing privacy frameworks like HIPAA. Most importantly, by increasing consumer trust in how data is managed, the bill may actually encourage market participation in secure health tech services over the long term.
• Private Property Rights: The bill reinforces Texans’ control over their own medical information by requiring that it be stored securely and accessed only when necessary. By restricting the use of EHRs for non-medical purposes—such as voter registration or credit scoring—the bill affirms that personal data should not be repurposed without consent, respecting the informational boundaries of personal property.
• Limited Government: The bill incorporates enforcement mechanisms such as civil penalties and licensing oversight but does not establish new bureaucracies or grant excessive regulatory powers. It utilizes existing structures (e.g., the Texas Medical Board, Health and Human Services Commission) for rulemaking and enforcement. The removal of automatic Medicaid disqualification in the substitute version softens the scope of government action, keeping regulatory measures proportionate.

• HB 4503 (Same As)