Physicians Must Disclose AI Use Alongside Existing HIPAA Requirements, Per State Laws
By Alisa Pierce


In regulating artificial intelligence (AI) in the state, Texas legislators passed two laws this year placing physicians squarely in the center of AI disclosure mandates that now require practices to take certain steps to ensure compliance in addition to longstanding HIPAA regulations.

Senate Bill 1188 by Sen. Lois Kolkhorst (R-Brenham) took effect Sept. 1, and Texas House Bill 149 by Rep. Giovanni Capriglione (R-Southlake) takes effect Jan. 1, 2026. Physicians may consider reviewing their AI systems, patient policies, and disclosure procedures. 

That includes reviewing how an AI tool – and the data it collects – is used by vendors, knowledge that is “critical for compliance with various state and federal regulations, which can carry hefty penalties,” said Philip Bernard, MD, chair of the Texas Medical Association’s Committee on Health Information Technology and Augmented Intelligence. 

HIPAA outlines that physicians must take steps to protect the privacy and security of patients’ data, including when using AI and other technology. Physicians who violate HIPAA may face civil monetary penalties, criminal charges, and professional sanctions, according to the American Medical Association.

SB 1188 requires physicians and health care practitioners who use AI for diagnostic purposes within the scope of their licensure – including for any recommendations on a diagnosis or course of treatment based on a patient’s medical records – to:    

  • Disclose such use of AI to their patients; and  
  • Review all records created by AI in a manner consistent with medical records standards.   

The law does not specify how physicians should disclose their use of AI to patients, however. The law states the appropriate regulatory agencies – including the Texas Medical Board (TMB), the Texas Department of Licensing and Regulation, and the Texas Department of Insurance – may take disciplinary action against a HIPAA “covered entity” that violates the order three or more times in the same manner. The disciplinary action may include “license, registration, or certification suspension or revocation for a period the agency determines appropriate,” per the law.   

Violations of SB 1188 can also result in civil penalties ranging from $5,000 to $250,000 per violation, depending on the violator’s intent and whether the violator used protected health information (PHI) for financial gain.   

Additionally, HB 149 – titled the Texas Responsible Artificial Intelligence Governance Act (TRAIGA) – requires providers of a health care service or treatment in which the patient “interacts with an artificial intelligence system” to use specified written disclosures to inform patients or their personal representatives that they are interacting with an AI system “not later than the date of service or treatment,” or as soon as reasonably possible in an emergency.   

However, TRAIGA does not clearly mandate how physicians should disclose their use of AI, just that disclosures must be clear and conspicuous, written in plain language, and not use a “dark pattern” on any printed copies. Physicians may use a hyperlink to direct patients to a separate internet webpage where the disclosure is posted, per the law. 

Physicians who fail to comply with HB 149’s provisions may face suspension, probation, or revocation of their medical licenses, and may incur civil penalties.  

The Texas attorney general has exclusive authority to enforce HB 149, except for licensing state agencies, such as TMB, whose enforcement power is more limited. Before the attorney general can bring an action, however, the attorney general must send a written notice of violation to the alleged violator. The violator then has 60 days to:

  • Cure the alleged violation;
  • Provide supporting documentation showing the cure; and
  • Update or revise internal policies to prevent further violations.

Physicians may consider creating practice policies to aid them in preventing prohibited uses. To do this, a physician will need to understand the context in which an AI tool is being used, the purpose of its use, and the data (including PHI) it will process or collect.

HIPAA complexities

Although HIPAA does not mention AI directly, the law provides guidelines for the use of PHI in technology. For example, if a physician uses AI for tasks like documentation, image analysis, or patient communication, the AI vendor they use is most likely considered a HIPAA business associate and must meet the same protections required of any other technology vendor handling PHI.

The HIPAA Privacy Rule permits the use and disclosure of PHI for treatment, payment, or health care operations without physicians needing to seek patients’ authorization, per the U.S. Department of Health and Human Services. This includes activities such as determining eligibility for treatment, reviewing health care services for medical necessity, and billing and collection.

But training AI technology may not be considered one of those uses: treatment, payment, or health care operations. Dr. Bernard cautions that physicians should ask current and potential AI vendors about how patient data is used. The vendor may be using the data to train its models or may sell the data.

Additionally, physicians will need to enter into a business associate agreement (BAA) with any AI vendors that create, receive, store, or transmit PHI. This agreement outlines each party’s responsibilities regarding PHI, requires technical safeguards, governs breach reporting, and prevents the vendor from using PHI without proper authorization.

Physicians can either seek a BAA from the AI vendor, or work with their own legal counsel to develop one. TMA offers its members a free BAA sample that can be customized to fit the unique needs of every practice.

For more information on AI, including an AI vendor evaluation tool TMA designed as a member benefit, visit TMA’s AI webpage.

Last Updated On: December 15, 2025

Originally Published On: December 15, 2025

Alisa Pierce

Reporter, Division of Communications and Marketing

(512) 370-1469