---
title: "State Data Residency for AI Voice in Healthcare — Texas, Nevada, Colorado in 2026"
description: "Texas SB 1188 requires US-resident EHRs from January 1, 2026; Nevada's consumer-health-data law constrains health data; Colorado AI Act takes effect June 30, 2026. AI voice agents must architect for state-by-state data localization."
canonical: https://callsphere.ai/blog/vw5f-state-data-residency-tx-nv-co-ai-voice-2026
category: "AI Strategy"
tags: ["Data Residency", "Texas SB 1188", "Nevada", "Colorado AI Act", "AI Voice"]
author: "CallSphere Team"
published: 2026-04-15T00:00:00.000Z
updated: 2026-05-07T16:29:58.972Z
---

# State Data Residency for AI Voice in Healthcare — Texas, Nevada, Colorado in 2026

> Texas SB 1188 requires US-resident EHRs from January 1, 2026; Nevada's consumer-health-data law constrains health data; Colorado AI Act takes effect June 30, 2026. AI voice agents must architect for state-by-state data localization.

> January 1, 2026: Texas SB 1188 turned on US-resident EHRs. June 30, 2026: Colorado AI Act enforcement begins. Nevada's consumer-health-data law (NRS 603A.400 et seq.) is already enforceable. AI voice and chat agents now have to know where the data sits.

## What the rule says

**Texas SB 1188.** Effective January 1, 2026, Texas requires that EHRs containing patient information be physically maintained in the United States or its territories. SB 1188 applies to "covered entities" as defined in Texas Health and Safety Code Chapter 181, which includes any person or organization assembling, collecting, analyzing, using, storing, or transmitting protected health information in Texas. The same SB 1188 also requires Texas physicians using AI for diagnostic purposes to disclose AI use to patients and review all AI-created records under medical-records standards. Texas Attorney General enforces.

**Nevada NRS 603A.400 et seq. (consumer health data).** Nevada SB 370 (2023) added the consumer health data privacy provisions to NRS 603A. Effective March 31, 2024, businesses must obtain explicit consent before collecting, using, or disclosing consumer health data, implement reasonable security, and may not use geofencing around medical facilities to track or target ads. Enforced exclusively by the Nevada Attorney General.

**Colorado AI Act SB 24-205.** Effective date delayed to June 30, 2026 (originally February 1, 2026). Applies to developers and deployers of high-risk AI systems making consequential decisions in employment, education, housing, insurance, financial services, legal services, government services, healthcare services, and essential services. HIPAA-covered entities providing AI-generated healthcare recommendations that require a healthcare provider's action are not "high-risk" under SB 24-205. Annual impact assessments, risk-management programs aligned to NIST AI RMF or ISO/IEC 42001, and consumer disclosures are required.

## What AI voice/chat must do

For Texas: confirm primary and backup EHR storage is US-resident; document the physical-residency posture in vendor BAAs; build an AI-use disclosure into intake scripts when AI assists diagnosis. For Nevada: capture explicit consent before processing any consumer health data not otherwise governed by HIPAA; disable geofencing around medical facilities; tighten access-control around the Nevada-resident dataset. For Colorado: classify AI systems against SB 24-205 high-risk criteria; conduct annual impact assessments; deliver consumer disclosures; carve out HIPAA-covered AI recommendations explicitly.

Operationally this means tenant-level data-residency tags, region-pinned database replicas where customers require state residency, model-provider routing that respects residency (some providers offer US-only inference), and audit trails that prove residency at the row level.

## CallSphere compliance posture

CallSphere's data plane is US-resident by default. The encrypted PostgreSQL `healthcare_voice` database, primary and backups, sit in US regions; KMS keys never leave the region; AES-256 at rest, TLS 1.3 in transit, KMS rotation every 90 days. Tenant-level residency tags route data to the matching region; Texas tenants are pinned US-resident with SB 1188 attestation in the contract. The Healthcare Voice Agent's 14 tools route to US-only model-provider endpoints (OpenAI, Anthropic, AWS Bedrock, Azure OpenAI) and capture explicit consent at intake. Colorado AI Act impact assessments are scaffolded in the platform's compliance dashboard. Platform: HIPAA and SOC 2 aligned, 37 agents, 90+ tools, 115+ DB tables, 6 verticals, 50+ businesses at 4.8/5. Pricing $149 / $499 / $1,499; [14-day trial](/trial); 22% affiliate. Healthcare hub: [/industries/healthcare](/industries/healthcare); behavioral-health: [/lp/behavioral-health](/lp/behavioral-health). Reach the team at [/contact](/contact) for state-specific reviews.

```mermaid
flowchart LR
A[Tenant State] --> B{TX/NV/CO?}
B -- TX --> C[US-Resident Pin\nSB 1188]
B -- NV --> D[Explicit Consent\nNRS 603A]
B -- CO --> E[Impact Assess\nSB 24-205]
C --> F[(healthcare_voice)]
D --> F
E --> F
F --> G[Audit Trail]
```

## Compliance checklist

1. Tag every tenant with applicable state laws at onboarding.
2. Pin Texas tenants to US-resident database, object store, and model-provider regions.
3. Capture Texas AI-use disclosure during intake when AI assists diagnostic decisions.
4. Capture Nevada explicit consent before collecting consumer health data outside HIPAA scope.
5. Disable geofencing of medical facilities for Nevada datasets.
6. Run a Colorado SB 24-205 high-risk classification on every AI feature; document HIPAA carve-outs explicitly.
7. Build the annual Colorado impact assessment template and run it on schedule.
8. Stand up consumer-disclosure language for Colorado deployments.
9. Track Colorado AI Act amendments through the 2026 legislative session.
10. Maintain a state-by-state residency matrix in the compliance dashboard.

## FAQ

**Does SB 1188 cover backups?**
Yes. Physically-maintained means primary and backups in the US or its territories.

**Is NRS 603A preempted by HIPAA?**
HIPAA preempts where it applies. Non-PHI consumer health data falls under NRS 603A.

**Are HIPAA AI recommendations exempt from Colorado SB 24-205?**
Yes when the recommendation requires a healthcare provider's action.

**What about Washington, New York, and other states?**
Add to the matrix. Each has its own posture.

## Sources

- Texas SB 1188 — Texas Legislature: [https://capitol.texas.gov/BillLookup/History.aspx?LegSess=89R&Bill=SB1188](https://capitol.texas.gov/BillLookup/History.aspx?LegSess=89R&Bill=SB1188)
- Texas Health and Safety Code Chapter 181: [https://statutes.capitol.texas.gov/Docs/HS/htm/HS.181.htm](https://statutes.capitol.texas.gov/Docs/HS/htm/HS.181.htm)
- Nevada NRS 603A: [https://www.leg.state.nv.us/NRS/NRS-603A.html](https://www.leg.state.nv.us/NRS/NRS-603A.html)
- Colorado SB 24-205: [https://leg.colorado.gov/bills/sb24-205](https://leg.colorado.gov/bills/sb24-205)
- Colorado Attorney General AI rulemaking: [https://coag.gov/ai/](https://coag.gov/ai/)

---

Source: https://callsphere.ai/blog/vw5f-state-data-residency-tx-nv-co-ai-voice-2026