Texas 2025 89th Regular

Texas House Bill HB4503 Analysis / Analysis

Filed 04/23/2025

# BILL ANALYSIS

C.S.H.B. 4503
By: Bonnen
State Affairs
Committee Report (Substituted)

## BACKGROUND AND PURPOSE

Medical records provide vital patient information to health care providers, informing patient care. The bill author has informed the committee that these records also can be vulnerable to exposure or misinterpretation if used in the wrong ways and that current statute lacks important safeguards around Texans' medical records, both on the side of the patient and the provider. C.S.H.B. 4503 seeks to address this issue by providing for electronic health record requirements, ensuring that these records are secure, accessible to the relevant parties, accurate, and used for their intended purpose.

## CRIMINAL JUSTICE IMPACT

It is the committee's opinion that this bill does not expressly create a criminal offense, increase the punishment for an existing criminal offense or category of offenses, or change the eligibility of a person for community supervision, parole, or mandatory supervision.

## RULEMAKING AUTHORITY

It is the committee's opinion that rulemaking authority is expressly granted to the executive commissioner of the Health and Human Services Commission, the Texas Medical Board, the Texas Department of Licensing and Regulation, the Texas Department of Insurance, and each appropriate regulatory agency in SECTION 1 of this bill.

## ANALYSIS

C.S.H.B. 4503 amends the Health and Safety Code to require a covered entity to ensure that the following electronic health records under the control of the entity that contain patient information are physically maintained in the United States or a U.S. territory:

- electronic health records that are stored by a third-party or subcontracted computing facility or an entity that provides cloud computing services; and
- electronic health records that are stored using a technology through which patient information may be electronically retrieved, accessed, or transmitted.

The bill requires a covered entity to ensure that the electronic health record information of Texas residents, other than open data, is accessible only to individuals who require the information to perform duties within the scope of the individual's employment related to treatment, payment, or health care operations. The bill requires each covered entity to implement reasonable and appropriate administrative, physical, and technical safeguards to protect the confidentiality, integrity, and availability of electronic health record information. These bill provisions regarding requirements for electronic health storage apply to the storage of an electronic health record on or after January 1, 2026, regardless of the date on which the electronic health record was prepared.

C.S.H.B. 4503 defines "covered entity" by reference to statutory provisions governing medical records privacy, including a health care practitioner, but not including the following:

- a licensed home and community support services agency;
- a licensed nursing facility;
- a continuing care facility regulated under the Texas Continuing Care Facility Disclosure and Rehabilitation Act;
- an assisted living facility licensed under the Assisted Living Facility Licensing Act;
- a licensed intermediate care facility;
- a day activity and health services facility licensed under the Day Activity and Health Services Act; or
- a provider under the Texas home living (TxHmL) or home and community-based services (HCS) waiver program.

C.S.H.B. 4503 requires a covered entity to ensure each electronic health record maintained for an individual includes the option for a health practitioner to collect and record communications between two or more covered entities related to the individual's metabolic health and diet in the treatment of a chronic disease or illness. The bill prohibits such an entity from collecting, storing, or sharing any information regarding an individual's credit score or voter registration status in the individual's electronic health record.

C.S.H.B. 4503 requires a health care practitioner who uses artificial intelligence (AI) for diagnostic purposes, including the use of AI for recommendations on a diagnosis or course of treatment based on a patient's medical record, to review all records created with AI to ensure that the data is accurate and properly managed. The bill requires a health care practitioner who uses AI for such diagnostic purposes to disclose the practitioner's use of that technology to the practitioner's patients.

C.S.H.B. 4503 requires a covered entity to ensure each electronic health record system the entity uses to store electronic health records of minors allows a minor's parent or, if applicable, the minor's managing conservator or guardian to obtain complete and unrestricted access to the minor's electronic health record immediately upon request, unless access to all or part of the record is restricted under state or federal law or by a court order. For these purposes, the bill defines "minor" as an individual 17 years of age or younger who has not had the disabilities of minority removed for general purposes.

C.S.H.B. 4503 requires the Health and Human Services Commission (HHSC), the Texas Medical Board (TMB), and the Texas Department of Insurance (TDI) to jointly ensure the following:

- each electronic health record prepared or maintained by a covered entity in Texas includes a separate space for the health care practitioner to document the following:
  - an individual's biological sex as either male or female based on the individual's observed biological sex recorded by a health care practitioner at birth; and
  - information on any sexual development disorder of the individual, whether identified at birth or later in the individual's life; and
- any algorithm or decision assistance tool included in an electronic health record to assist a health care practitioner in making medical treatment decisions includes an individual's biological sex as recorded in such a separate space for documenting an individual's biological sex as it was recorded at birth.

These bill provisions regarding electronic health record requirements regarding biological sex expressly do not prohibit an electronic health record from including spaces for recording other information related to an individual's biological sex or gender identity.

C.S.H.B. 4503 authorizes a covered entity to amend on an electronic health record an individual's biological sex as recorded in the applicable space only if the amendment is to correct a clerical error or the individual is diagnosed with a sexual development disorder and the amendment changes the individual's listed biological sex to the opposite biological sex. If an individual's biological sex is so amended, the covered entity must include in the individual's electronic health record information on the individual's sexual development disorder in the applicable space.

C.S.H.B. 4503 authorizes HHSC or the appropriate regulatory agency to conduct an investigation of any credible allegation of a violation of the bill's provisions by a covered entity and requires HHSC or the agency to ensure the investigation is conducted in compliance with all applicable state and federal laws, including the Health Insurance Portability and Accountability Act of 1996. The bill authorizes the appropriate regulatory agency to take disciplinary action against a covered entity that violates the bill's provisions three or more times in the same manner as if the covered entity violated an applicable licensing or regulatory law. The bill authorizes such disciplinary action to include license, registration, or certification suspension or revocation for a period the agency determines appropriate.

C.S.H.B. 4503 authorizes the attorney general to institute an action for injunctive relief to restrain a violation of the bill's provisions. The bill authorizes the attorney general to institute an action for civil penalties against a covered entity for a violation of the bill's provisions, which civil penalty is capped as follows:

- $5,000 for each violation that is committed negligently and that occurs in a single year, regardless of how long the violation continues during that year;
- $25,000 for each violation that is committed knowingly or intentionally and that occurs in a single year, regardless of how long the violation continues during that year; or
- $250,000 for each violation in which the covered entity knowingly or intentionally used protected health information for financial gain.

C.S.H.B. 4503 requires the executive commissioner of HHSC, the TMB, the Texas Department of Licensing and Regulation (TDLR), TDI, and each regulatory agency subject to the bill's provisions to enter into a memorandum of understanding and, as necessary, adopt rules to implement the bill's provisions. Except as otherwise provided, the bill's provisions apply only to an electronic health record prepared on or after the bill's effective date.

C.S.H.B. 4503 defines the following terms for purposes of its provisions:

- "biological sex" as the biological trait that determines whether a sexually reproducing organism produces male or female gametes;
- "female" as an individual whose reproductive system is developed to produce ova;
- "health care practitioner" as an individual who is licensed, certified, or otherwise authorized to provide health care services in Texas;
- "male" as an individual whose reproductive system is developed to produce sperm; and
- "sexual development disorder" as a congenital condition associated with atypical development of internal or external genital structures, including a chromosomal, gonadal, and anatomic abnormality.

## EFFECTIVE DATE

September 1, 2025.

## COMPARISON OF INTRODUCED AND SUBSTITUTE

While C.S.H.B. 4503 may differ from the introduced in minor or nonsubstantive ways, the following summarizes the substantial differences between the introduced and committee substitute versions of the bill.

While both the introduced and the substitute set out definitions applicable to the bill's provisions, the definitions differ as follows:

- the substitute omits the following terms as defined in the introduced:
  - "governmental entity" as the state, an agency of the executive, legislative, or judicial branch of state government, or a political subdivision of the state, including a local health department; and
  - "medical facility" as a facility licensed or registered by a state agency to provide medical care and other health care services or a health care facility in Texas that provides medical care and other health care services and that receives reimbursement under the state Medicaid program or receives any other state funding; and
- the substitute includes a provision absent from the introduced that defines "covered entity" by reference to Health and Safety Code provisions governing medical records privacy, including a health care practitioner and not including certain health care related facilities.

Accordingly, the substitute replaces the applicability of provisions in the introduced that apply to a "medical facility, health care practitioner, and governmental entity" to instead apply to a "covered entity."

Whereas the introduced required each applicable entity to store all electronic health record information of Texas residents only at a location in the United States, the substitute requires a covered entity to ensure that specified electronic health records under the entity's control are physically maintained in the United States or a U.S. territory. Additionally, whereas the introduced required each applicable entity to ensure electronic health record information of Texas residents, other than open data, is inaccessible to any person located outside of the United States, the substitute requires a covered entity to ensure that such information is accessible only to individuals who require the information for a qualifying reason. The substitute includes a provision absent from the introduced that requires each covered entity to implement reasonable and appropriate administrative, physical, and technical safeguards to protect the confidentiality, integrity, and availability of that information.

With respect to the requirement for the applicable entity to ensure that each electronic health record maintained for an individual includes certain components, the introduced includes as a component the individual's medical history and any communications between the practitioner and a specialty health care practitioner related to the individual's metabolic health and diet in a specified treatment, whereas the substitute includes as a component the option for a health care practitioner to collect and record communications between two or more covered entities related to the individual's metabolic health and diet in that treatment.

While both the introduced and the substitute include provisions prohibiting an applicable entity from collecting or storing any information regarding an individual's credit score or voter registration status in the individual's electronic health record, the substitute additionally prohibits the sharing of such information.

While both the substitute and the introduced establish provisions relating to AI protections relating to electronic health records, the two versions differ as follows:

- whereas the introduced version's provisions applied to a health care practitioner who uses AI for diagnostic or other purposes, the substitute's provisions apply only to a practitioner who uses AI for diagnostic purposes;
- whereas the introduced required the applicable practitioner to review all information obtained through the AI process to ensure the accuracy of the information for that patient before entering the information in the patient's electronic health record, the substitute requires a practitioner to review all records created with AI to ensure that the data is accurate and properly managed; and
- the substitute includes a requirement not in the introduced for a health care practitioner who uses AI for purposes described by the substitute to disclose the practitioner's use of that technology to the practitioner's patients.

The substitute changes the definition of a "minor" from an individual under 18 years of age who has not had the disabilities of minority removed for general purposes, as in the introduced, to an individual 17 years of age or younger who has not had such disabilities removed. While both the introduced and the substitute require an applicable entity to ensure each health record system the entity uses allows a minor's parent or, if applicable, the minor's managing conservator or guardian to obtain complete and unrestricted access to the minor's electronic health record, the substitute specifies that this action must be taken immediately upon request.

While both the introduced and the substitute require HHSC, TMB, and TDI to jointly ensure that any algorithm or decision assistance tool included in an electronic health record to assist a health care practitioner in making medical treatment decisions conforms to certain requirements, the introduced required these tools to be based on an individual's biological sex, whereas the substitute requires the tools to include the individual's biological sex.

The substitute omits provisions present in the introduced that did the following:

- authorized the appropriate state licensing agency to take disciplinary action against a medical facility or health care practitioner that violates the bill's provisions as if the medical facility or health care practitioner violated an applicable licensing law; and
- prohibited HHSC from providing Medicaid reimbursement to a medical facility or health care practitioner that violates the bill's provisions and required HHSC to disenroll the facility or practitioner from participation as a Medicaid provider.

The substitute includes provisions absent from the introduced that do the following:

- require HHSC or the appropriate regulatory agency to conduct an investigation of any credible allegation of a violation of the bill by a covered entity and ensure the investigation is conducted in compliance with all applicable law;
- authorize the appropriate regulatory agency to take disciplinary action against a covered entity that violates the bill's provisions three or more times in the appropriate manner; and
- authorize the attorney general to institute an action for injunctive relief and specified civil penalties for a violation of the bill's provisions.

Whereas the introduced required HHSC, the TMB, and TDI to adopt rules as necessary to implement the bill's provisions, the substitute instead requires the HHSC executive commissioner, the TMB, TDLR, TDI, and each regulatory agency subject to the bill to enter into a memorandum of understanding and, as necessary, adopt rules to implement the bill's provisions.




BACKGROUND AND PURPOSE

Medical records provide vital patient information to health care providers, informing patient care. The bill author has informed the committee that these records also can be vulnerable to exposure or misinterpretation if used in the wrong ways and that current statute lacks important safeguards around Texans' medical records, both on the side of the patient and the provider. C.S.H.B. 4503 seeks to address this issue by providing for electronic health record requirements, ensuring that these records are secure, accessible to the relevant parties, accurate, and used for their intended purpose.

CRIMINAL JUSTICE IMPACT

It is the committee's opinion that this bill does not expressly create a criminal offense, increase the punishment for an existing criminal offense or category of offenses, or change the eligibility of a person for community supervision, parole, or mandatory supervision.

RULEMAKING AUTHORITY

It is the committee's opinion that rulemaking authority is expressly granted to the executive commissioner of the Health and Human Services Commission, the Texas Medical Board, the Texas Department of Licensing and Regulation, the Texas Department of Insurance, and each appropriate regulatory agency in SECTION 1 of this bill.

ANALYSIS

C.S.H.B. 4503 amends the Health and Safety Code to require a covered entity to ensure that the following electronic health records under the control of the entity that contain patient information are physically maintained in the United States or a U.S. territory:

electronic health records that are stored by a third-party or subcontracted computing facility or an entity that provides cloud computing services; and

electronic health records that are stored using a technology through which patient information may be electronically retrieved, accessed, or transmitted.

The bill requires a covered entity to ensure that the electronic health record information of Texas residents, other than open data, is accessible only to individuals who require the information to perform duties within the scope of the individual's employment related to treatment, payment, or health care operations. The bill requires each covered entity to implement reasonable and appropriate administrative, physical, and technical safeguards to protect the confidentiality, integrity, and availability of electronic health record information. These bill provisions regarding requirements for electronic health storage apply to the storage of an electronic health record on or after January 1, 2026, regardless of the date on which the electronic health record was prepared.

C.S.H.B. 4503 defines "covered entity" by reference to statutory provisions governing medical records privacy, including a health care practitioner, but not including the following:

a licensed home and community support services agency;

a licensed nursing facility;

a continuing care facility regulated under the Texas Continuing Care Facility Disclosure and Rehabilitation Act;

an assisted living facility licensed under the Assisted Living Facility Licensing Act;

a licensed intermediate care facility;

a day activity and health services facility licensed under the Day Activity and Health Services Act; or

a provider under the Texas home living (TxHmL) or home and community-based services (HCS) waiver program.

C.S.H.B. 4503 requires a covered entity to ensure each electronic health record maintained for an individual includes the option for a health care practitioner to collect and record communications between two or more covered entities related to the individual's metabolic health and diet in the treatment of a chronic disease or illness. The bill prohibits such an entity from collecting, storing, or sharing any information regarding an individual's credit score or voter registration status in the individual's electronic health record.

C.S.H.B. 4503 requires a health care practitioner who uses artificial intelligence (AI) for diagnostic purposes, including the use of AI for recommendations on a diagnosis or course of treatment based on a patient's medical record, to review all records created with AI to ensure that the data is accurate and properly managed. The bill requires a health care practitioner who uses AI for such diagnostic purposes to disclose the practitioner's use of that technology to the practitioner's patients.

C.S.H.B. 4503 requires a covered entity to ensure each electronic health record system the entity uses to store electronic health records of minors allows a minor's parent or, if applicable, the minor's managing conservator or guardian to obtain complete and unrestricted access to the minor's electronic health record immediately upon request, unless access to all or part of the record is restricted under state or federal law or by a court order. For these purposes, the bill defines "minor" as an individual 17 years of age or younger who has not had the disabilities of minority removed for general purposes.

C.S.H.B. 4503 requires the Health and Human Services Commission (HHSC), the Texas Medical Board (TMB), and the Texas Department of Insurance (TDI) to jointly ensure the following:

each electronic health record prepared or maintained by a covered entity in Texas includes a separate space for the health care practitioner to document the following:

o   an individual's biological sex as either male or female based on the individual's observed biological sex recorded by a health care practitioner at birth; and

o   information on any sexual development disorder of the individual, whether identified at birth or later in the individual's life; and

any algorithm or decision assistance tool included in an electronic health record to assist a health care practitioner in making medical treatment decisions includes an individual's biological sex as recorded in such a separate space for documenting an individual's biological sex as it was recorded at birth.

These bill provisions on electronic health record requirements relating to biological sex expressly do not prohibit an electronic health record from including spaces for recording other information related to an individual's biological sex or gender identity.

C.S.H.B. 4503 authorizes a covered entity to amend on an electronic health record an individual's biological sex as recorded in the applicable space only if the amendment is to correct a clerical error or the individual is diagnosed with a sexual development disorder and the amendment changes the individual's listed biological sex to the opposite biological sex. If an individual's biological sex is so amended, the covered entity must include in the individual's electronic health record information on the individual's sexual development disorder in the applicable space.

C.S.H.B. 4503 authorizes HHSC or the appropriate regulatory agency to conduct an investigation of any credible allegation of a violation of the bill's provisions by a covered entity and requires HHSC or the agency to ensure the investigation is conducted in compliance with all applicable state and federal laws, including the Health Insurance Portability and Accountability Act of 1996. The bill authorizes the appropriate regulatory agency to take disciplinary action against a covered entity that violates the bill's provisions three or more times in the same manner as if the covered entity violated an applicable licensing or regulatory law. The bill authorizes such disciplinary action to include license, registration, or certification suspension or revocation for a period the agency determines appropriate.

C.S.H.B. 4503 authorizes the attorney general to institute an action for injunctive relief to restrain a violation of the bill's provisions. The bill authorizes the attorney general to institute an action for civil penalties against a covered entity for a violation of the bill's provisions, which civil penalty is capped as follows:

$5,000 for each violation that is committed negligently and that occurs in a single year, regardless of how long the violation continues during that year;

$25,000 for each violation that is committed knowingly or intentionally and that occurs in a single year, regardless of how long the violation continues during that year; or

$250,000 for each violation in which the covered entity knowingly or intentionally used protected health information for financial gain.

C.S.H.B. 4503 requires the executive commissioner of HHSC, the TMB, the Texas Department of Licensing and Regulation (TDLR), TDI, and each regulatory agency subject to the bill's provisions to enter into a memorandum of understanding and, as necessary, adopt rules to implement the bill's provisions. Except as otherwise provided, the bill's provisions apply only to an electronic health record prepared on or after the bill's effective date.

C.S.H.B. 4503 defines the following terms for purposes of its provisions:

"biological sex" as the biological trait that determines whether a sexually reproducing organism produces male or female gametes;

"female" as an individual whose reproductive system is developed to produce ova;

"health care practitioner" as an individual who is licensed, certified, or otherwise authorized to provide health care services in Texas;

"male" as an individual whose reproductive system is developed to produce sperm; and

"sexual development disorder" as a congenital condition associated with atypical development of internal or external genital structures, including a chromosomal, gonadal, and anatomic abnormality.

EFFECTIVE DATE

September 1, 2025.

COMPARISON OF INTRODUCED AND SUBSTITUTE

While C.S.H.B. 4503 may differ from the introduced in minor or nonsubstantive ways, the following summarizes the substantial differences between the introduced and committee substitute versions of the bill.

While both the introduced and the substitute set out definitions applicable to the bill's provisions, the definitions differ as follows:

the substitute omits the following terms as defined in the introduced:

o   "governmental entity" as the state, an agency of the executive, legislative, or judicial branch of state government, or a political subdivision of the state, including a local health department; and

o   "medical facility" as a facility licensed or registered by a state agency to provide medical care and other health care services or a health care facility in Texas that provides medical care and other health care services and that receives reimbursement under the state Medicaid program or receives any other state funding; and

the substitute includes a provision absent from the introduced that defines "covered entity" by reference to Health and Safety Code provisions governing medical records privacy, including a health care practitioner and not including certain health care related facilities.

Accordingly, the substitute replaces the applicability of provisions in the introduced that apply to a "medical facility, health care practitioner, and governmental entity" to instead apply to a "covered entity."

Whereas the introduced required each applicable entity to store all electronic health record information of Texas residents only at a location in the United States, the substitute requires a covered entity to ensure that specified electronic health records under the entity's control are physically maintained in the United States or a U.S. territory. Additionally, whereas the introduced required each applicable entity to ensure electronic health record information of Texas residents, other than open data, is inaccessible to any person located outside of the United States, the substitute requires a covered entity to ensure that such information is accessible only to individuals who require the information for a qualifying reason. The substitute includes a provision absent from the introduced that requires each covered entity to implement reasonable and appropriate administrative, physical, and technical safeguards to protect the confidentiality, integrity, and availability of that information.

With respect to the requirement for the applicable entity to ensure that each electronic health record maintained for an individual includes certain components, the introduced includes as a component the individual's medical history and any communications between the practitioner and a specialty health care practitioner related to the individual's metabolic health and diet in a specified treatment, whereas the substitute includes as a component the option for a health care practitioner to collect and record communications between two or more covered entities related to the individual's metabolic health and diet in that treatment.

While both the introduced and the substitute include provisions prohibiting an applicable entity from collecting or storing any information regarding an individual's credit score or voter registration status in the individual's electronic health record, the substitute additionally prohibits the sharing of such information.

While both the substitute and the introduced establish provisions on AI protections relating to electronic health records, the two versions differ as follows:

whereas the introduced version's provisions applied to a health care practitioner who uses AI for diagnostic or other purposes, the substitute's provisions apply only to a practitioner who uses AI for diagnostic purposes;

whereas the introduced required the applicable practitioner to review all information obtained through the AI process to ensure the accuracy of the information for that patient before entering the information in the patient's electronic health record, the substitute requires a practitioner to review all records created with AI to ensure that the data is accurate and properly managed; and

the substitute includes a requirement not in the introduced for a health care practitioner who uses AI for purposes described by the substitute to disclose the practitioner's use of that technology to the practitioner's patients.

The substitute changes the definition of a "minor" from an individual under 18 years of age who has not had the disabilities of minority removed for general purposes, as in the introduced, to an individual 17 years of age or younger who has not had such disabilities removed. While both the introduced and the substitute require an applicable entity to ensure each health record system the entity uses allows a minor's parent or, if applicable, the minor's managing conservator or guardian to obtain complete and unrestricted access to the minor's electronic health record, the substitute specifies that this action must be taken immediately upon request.

While both the introduced and the substitute require HHSC, TMB, and TDI to jointly ensure that any algorithm or decision assistance tool included in an electronic health record to assist a health care practitioner in making medical treatment decisions conforms to certain requirements, the introduced required these tools to be based on an individual's biological sex, whereas the substitute requires the tools to include the individual's biological sex.

The substitute omits provisions present in the introduced that did the following:

authorized the appropriate state licensing agency to take disciplinary action against a medical facility or health care practitioner that violates the bill's provisions as if the medical facility or health care practitioner violated an applicable licensing law; and

prohibited HHSC from providing Medicaid reimbursement to a medical facility or health care practitioner that violates the bill's provisions and required HHSC to disenroll the facility or practitioner from participation as a Medicaid provider.

The substitute includes provisions absent from the introduced that do the following:

require HHSC or the appropriate regulatory agency to conduct an investigation of any credible allegation of a violation of the bill by a covered entity and ensure the investigation is conducted in compliance with all applicable law;

authorize the appropriate regulatory agency to take disciplinary action against a covered entity that violates the bill's provisions three or more times in the appropriate manner; and

authorize the attorney general to institute an action for injunctive relief and specified civil penalties for a violation of the bill's provisions.

Whereas the introduced required HHSC, the TMB, and TDI to adopt rules as necessary to implement the bill's provisions, the substitute instead requires the HHSC executive commissioner, the TMB, TDLR, TDI, and each regulatory agency subject to the bill to enter into a memorandum of understanding and, as necessary, adopt rules to implement the bill's provisions.