(a) A covered entity shall ensure that electronic health records under the control of the entity that contain patient information are physically maintained in the United States or a territory of the United States. This subsection applies to:
- (1) electronic health records that are stored by a third-party or subcontracted computing facility or an entity that provides cloud computing services; and
- (2) electronic health records that are stored using a technology through which patient information may be electronically retrieved, accessed, or transmitted.
- (b) A covered entity shall ensure that the electronic health record information of this state's residents, other than open data, is accessible only to individuals who require the information to perform duties within the scope of the individual's employment related to treatment, payment, or health care operations.
- (c) Each covered entity shall implement reasonable and appropriate administrative, physical, and technical safeguards to protect the confidentiality, integrity, and availability of electronic health record information.
Added by Acts 2025, 89th Leg., R.S., Ch. 1002 (S.B. 1188), Sec. 1, eff. September 1, 2025.