Reaching Record Health: The Health Information Bill

In this Explainer, find out...

1. What is the Health Information Bill (HIB)? 

2. How will the HIB support care continuity and protect patient confidentiality?

3. What are some concerns surrounding 

the HIB?

Introduction

The Health Information Bill (HIB) is a new key infrastructural improvement to Singapore’s healthcare landscape that will add to the centralised health information platform — the National Electronic Health Record (NEHR) system. 

This Policy Explainer will introduce the HIB, its mechanisms, discuss its implications, before concluding with an evaluation of the conditions needed for its successful implementation.

The Purpose of Health Information Sharing 

Studies have shown that the centralisation of health information into a single repository can improve the efficiency of healthcare delivery and the quality of service from medical institutions. The HIB aims to accomplish this in Singapore.

By bridging the different IT and electronic medical record systems across general practitioner (GP) clinics, all private hospitals, and care providers such as pharmacies, the HIB aims to increase the availability of health information. This allows health information to be kept updated and accurate and prevents problems like repeated or incorrect prescriptions. 

Overview of the HIB

To make health information more accessible, the HIB will make it compulsory for all licensed healthcare providers to contribute data to the NEHR. The Bill also includes regulations for the sharing of non-NEHR health data and safeguards for health data protection.

Overall, the HIB has three main objectives:

1. Creating an accurate and accessible national health record that supports care continuity and patient welfare;

2. Regulating non-NEHR health information sharing used to support other national health priorities; and

3. Protecting patients’ health information and data privacy.

Understanding Key Terms in the HIB

Health Information 

Under the HIB, health information refers to the following:

1. Personal details: a patient’s  name, address, phone number, and

2. Medical details: information about the patient’s physical and mental health, as well as diagnosis, treatment and care. 

National Electronic Health Record

The National Electronic Health Record (NEHR) is a national resource platform that collects a selected copy of patients’ health information from different healthcare providers. 

Creating a National Health Record

The HIB aims to consolidate patient health information from different healthcare providers into a single national health record. Although public hospitals and polyclinics already contribute health data to the NEHR, the HIB will require all private healthcare providers to do the same. These include GP clinics and private hospitals.

Say you visited a doctor at a GP clinic. Health information generated during that visit will first be recorded in the GP clinic’s health record system. Under the HIB, a portion of that information will also be stored in the NEHR (see Figure 1). Say you then visited another doctor, and were unable to recall the medications you were prescribed. That doctor can access relevant information from the NEHR to determine an appropriate treatment. This ensures that you (the patient) receive consistent and connected care as you move between different providers, improving patient health outcomes.

With the NEHR, healthcare providers can therefore make more informed medical decisions and deliver more continuous care. This helps to fulfil the first key objective of the HIB: to build a unified and reliable national health record for providers, so as to support care continuity and promote patient welfare.

Regulating Non-NEHR Health Information

The HIB also proposes a regulatory framework for the sharing of health information held outside the NEHR. Under this system, organisations can share non-NEHR health information through MOH-approved data sharing arrangements. However, the health data can only be shared for these specific use cases:

1. Continuity of care;

2. Outreach under national health initiatives; and

3. Eligibility assessment for financing schemes.

Continuity of Care

Firstly, healthcare providers can share health information to ensure care continuity. Though the NEHR already facilitates data sharing for this purpose, some community care providers (e.g., senior care centres, adult disability homes) may not have access to the NEHR. Furthermore, other health record systems may contain more detailed health information (the NEHR mainly stores key health data).

Under the HIB’s data sharing framework, a doctor’s detailed clinical notes about an elderly patient can be shared directly with care providers at the senior care centre he visits. This can enhance coordination between care providers, improving the continuity and quality of care delivered to patients.

Outreach under National Health Initiatives

Besides care providers, community partners (e.g., the Health Promotion Board, SportSG) may also need access to health information to reach out to residents and refer them to health services. In this case, the sharing of non-NEHR data can bolster closer-to-home care and preventive care services. This aligns closely with objectives under recent national health initiatives like Healthier SG.

Eligibility Assessment for Financing Schemes

Lastly, social service agencies may need certain health information to assess whether a patient is eligible for a financing scheme. By establishing a legal basis for health data sharing for this use case, the HIB facilitates the work of these agencies.

In sum, the second key objective of the HIB is to establish a legal framework for the sharing of health information held outside the NEHR, so as to support national health priorities and government functions.

Protecting Health Information and Privacy

The HIB also sets out data security standards and data privacy measures that healthcare providers must comply with.

Access and Sharing Restrictions

The HIB allows a patient to restrict the access and sharing of their NEHR health information by selected healthcare providers. Nevertheless, healthcare providers can still access essential health information (e.g., allergies, vaccination records, key demographic information) to ensure safe care.

Additionally, healthcare providers can override access restrictions in the case of a medical emergency. This is done to enhance the speed and quality of care, which  may prove critical to the patient’s survival. To deter the misuse of these powers, MOH will audit these cases. Healthcare professionals who are found to have inappropriately overridden restrictions may face legal penalties and disciplinary action.

Data Security Safeguards

All NEHR contributors, users, and data intermediaries will need to meet cybersecurity and data security standards prescribed in the HIB. These include safeguards for electronic and non-electronic information, as well as proper data retention and disposal practices. NEHR users will need to report any cybersecurity incidents and data breaches to MOH within two hours to enable a prompt and coordinated governmental response. In the event of a data breach of significant scale or harm, NEHR users will also have to notify the affected individuals.

Avid readers of our Policy Explainers may notice that these provisions closely resemble the data protection obligations found under the Personal Data Protection Act 2012 (PDPA). In fact, the HIB sets out stricter, sector-specific rules for the handling of health data, which supersede the PDPA. The likely rationale here is that health data is of a particularly sensitive nature, and thus requires more robust protections.

Enforcement and Penalties

The HIB includes a tough enforcement regime to rectify instances of non-compliance. The Bill grants MOH the power to investigate and direct entities to stop unauthorised access and sharing of NEHR health data, or destroy unlawfully collected health data.

For severe non-compliance, an entity may be liable for a maximum fine of S$1 million, or ten per cent of its annual turnover, whichever is higher. The HIB also makes it an offence for an individual to egregiously mishandle health data. An offender is liable for a fine or imprisonment, or both.

Altogether, these data protection and enforcement measures point to the third key objective of the HIB: to enhance individual autonomy over health data, strengthen data security, and reinforce accountability among healthcare providers.

Potential Policy Challenges and Mitigation Measures

Patient Autonomy 

The core tension in the HIB is the balance between displacing patient autonomy to centralise health information and giving patients control over their own data. The HIB establishes a compulsory processing regime which intends to streamline the continuous collection of health information into the NEHR. Importantly, this minimises gaps in medical records and ensures continuity of care.

However, this shift in the legal basis for processing health information has raised several concerns. While patients have the option to opt out of data centralisation under the Bill, it restricts their access to public health initiatives that require data sharing, such as Healthier SG. Furthermore, patients who have opted out are still subject to the ‘emergency override’, which is safeguarded solely by retrospective audits. Consequently, critics argue that these factors render the HIB a de facto mandatory regime, where the significant opportunity cost of opting out compels participation.

In response to concerns about the nature of patient data restrictions, the MOH has announced that it will revise the access restriction regime to enable greater autonomy and enhance patient safety. This refers to being able to select which healthcare providers can access patients’ information, but still maintaining an essential set of health information accessible to all. 

Additionally, individuals willing to have their health information accessed for care purposes but who are reluctant to take part in public health efforts can place themselves on a Do-Not-Disturb (DnD) list that will exclude them from such initiatives.

The auditing of all inappropriate overrides and imposition of legal penalties on misusers will also ensure greater accountability among healthcare professionals.

Operational Feasibility

The HIB’s revised framework has engendered a heavier administrative load on the private sector, with the weight of these obligations falling most acutely on small- and medium-sized enterprises (SMEs). Compliance with these requirements demands substantial technical expertise and, potentially, significant financial investment. This risks diverting limited resources away from core patient care.

In a similar vein, some private hospitals have reported delays in connecting to the NEHR due to difficulties in reorganising existing electronic medical record databases to match NEHR specifications. Besides bureaucratic friction, these integration challenges raise the risk of the NEHR ingesting flawed or incomplete data, which may undermine the HIB’s intended improvements to clinical decision-making.

MOH has acknowledged that healthcare entities, particularly smaller ones, face concerns regarding readiness and complexity. Thus, it is providing implementation support and funding schemes. These schemes include:

• The Early Contribution Incentive (ECI) scheme, which helps private healthcare providers offset costs for IT system upgrades;

• The General Practitioner (GP) IT Enablement Grant, which supports GP clinics in digitalisation;

• Workshops facilitated by Synapxe, the national agency for health technology; and

• Technical mapping services provided by Synapxe.

Medico-Legal Liabilities

Perhaps most intimidating to clinicians is the fear of expanded legal liability. Clinicians have expressed worry that simply accessing the NEHR creates unrealistic expectations of care that expose them to negligence claims. 

To allay these concerns, the MOH is collaborating with senior members of medical, dental, and legal professions to develop a dedicated set of guidelines on the appropriate use of NEHR information. The MOH explicitly defined in a statement following the Bill that accessing the NEHR is merely a supplementary tool to assist clinical decision-making. Clinicians are also not required to consult every NEHR record at every consultation. NEHR access should be situational, guided by both professional judgement and the information relevant to the current patient encounter. This means that clinicians will not be exposed to greater liability just because the NEHR is available to them.

Additionally, MOH has assured providers that should they choose to automate NEHR processes and do so inaccurately, the initial recourse will involve working closely with the provider to rectify errors. Strict enforcement will be reserved for those who fail to meet requirements despite repeated warnings.

Lastly, to protect practitioners from legal liability solely arising from vendor issues, MOH will maintain a whitelist of HIB-compliant Health Information Management Systems (HIMS). If a provider exercises their due diligence in selecting a whitelisted HIMS, they would not be held accountable for cybersecurity lapses. 

Systemic Security Risks

Sensitive health data being centralised into a single national repository can inadvertently lead to the creation of a ‘data honeypot’. This potentially creates a prime target for sophisticated cyberattacks, which has led to unease among the public. A failure in this system could result in catastrophic exposure of data. Nonetheless, MOH has committed to fortifying its defences. The NEHR system undergoes frequent cybersecurity reviews by the Cyber Security Agency (CSA), GovTech, and independent firms, which proactively identify and ameliorate weaknesses in data protection.

Another concern is functional 'scope creep'. The HIB authorises the secondary use of NEHR data for non-clinical objectives, such as financial means-testing, which grants non-medical personnel access to sensitive patient records. This expansion creates uncertainty about the limits of secondary use. Specifically, which non-clinical purposes are acceptable and which personnel should have access.

MOH has since clarified that the HIB explicitly criminalises NEHR access for employment and insurance determination to prevent discriminatory profiling. Authorised secondary uses, like financial means-testing, remain stringently governed by data sharing agreements that enforce minimal data use and mandatory post-use deletion.

When combined, these measures reduce the systemic security risks associated with an easily accessible and centralised data system.  

Conclusion

Ultimately, as with most major public policies, ongoing evaluation of the HIB is required to ensure that it achieves the intended public health objectives and mitigates unintended consequences. Robust mechanisms for soliciting and responding to feedback from healthcare professionals, patients, and relevant stakeholders should be established and actively maintained.

While the legislation is designed to enhance care coordination as part of the broader goal of national healthcare planning, effective implementation relies on active engagement by both patients and healthcare providers. The full benefits of a comprehensive, interoperable NEHR can only be realised when all stakeholders engage consistently and responsibly with the system.

The measure of the HIB’s success extends beyond metrics of system adoption or regulatory compliance. Instead, it hinges upon whether the framework substantively enhances Singapore’s healthcare system. Its success can then be sustained through continuous auditing and active refinement, ensuring that the HIB evolves from just a statutory obligation into a dependable force for modern healthcare delivery in Singapore.

This Policy Explainer was written by members of MAJU. MAJU is a ground-up, fully youth-led organisation dedicated to empowering Singaporean youths in policy discourse and co-creation.

By promoting constructive dialogue and serving as a bridge between youths and the Government, we hope to drive the keMAJUan (progress!) of Singapore.

The citations to our Policy Explainers can be found in the PDF appended to this webpage.