SINGAPORE: All licensed healthcare providers will be required to share their patients’ health information with a central repository from early next year after parliament passed a new law on Monday (Jan 12).
Under the Health Information Bill, healthcare providers must contribute key health information to the National Electronic Health Record system (NEHR), which was introduced in 2011.
Examples of information to be shared include allergies, vaccinations, diagnoses, medications, laboratory test results, radiological images and discharge summaries.
This will apply to patients who are Singaporeans, permanent residents or have long-term immigration passes.
The move aims to improve coordination of care as Singapore shifts from a hospital-centric system to one that is more community-based, according to the Ministry of Health (MOH).
Speaking in parliament on Monday, Senior Minister of State for Health Tan Kiat How described the current situation as “not ideal”.
“Currently, when patients move between healthcare providers, such as from private specialist clinics to their GPs, their key health records are often not accessible across providers,” he said, adding that such gaps risk medication errors, delayed treatment, duplicate tests and procedures.
He said the Bill will close the remaining gap, allowing patients’ key health information to be accessible by their healthcare providers when they move across healthcare settings.
Patients will benefit from better coordinated care, enhanced quality of care and lower costs, he said.
Since its introduction, NEHR has stored the health data of patients of public hospitals and polyclinics, while participation was voluntary for some private-sector providers.
While most healthcare providers already contribute to the NEHR, only a small group of specialist clinics, clinical and radiological laboratories and dental clinics do not.
As of Oct 31, 2025, approximately 70 per cent of GPs contribute to the NEHR, according to MOH.
The Bill provides a statutory framework governing the collection, contribution, access and sharing of health information under the NEHR, which contains patients’ medical histories from multiple healthcare providers.
It also spells out who may access the data and for what purposes.
Access is generally limited to patient care purposes, and only healthcare providers and professionals whom patients are consulting may view their records. These include doctors, nurses, pharmacists and allied health professionals.
The Bill also specifies use cases and conditions where non-NEHR health information - which refers to basic identification, contact information and, if necessary, broad health risk indicators - can be shared to support continuity of care and outreach for national health initiatives.
However, the data sharing must be between specified entities and will cover key public healthcare stakeholders such as public health institutions, the Agency for Integrated Care and public agencies for a start.
Identifiable NEHR data may be shared for public health purposes - subject to conditions if necessary - for example, during major drug contamination incidents to allow providers to quickly contact affected patients.
Anonymised data may be used for public interest purposes such as reviewing the cost-effectiveness of medicines, and NEHR information may also be used where required or permitted under other laws, such as for criminal investigations or disease control.
Use of NEHR data for employment or insurance purposes is prohibited, except for a limited set of medical examinations required or permitted by law, including fitness-for-service assessments for the Singapore Armed Forces, Singapore Police Force and Singapore Civil Defence Force.
Patients will be able to see which healthcare providers accessed their records through HealthHub and can flag any unauthorised access to MOH.
They can also place an access restriction so that only selected healthcare providers may view their NEHR record. However, information such as allergies and vaccination records will remain accessible to providers to reduce the risk of inappropriate prescriptions or immunisation when patients visit a new healthcare provider.
The patients’ key health information will also continue to be contributed to the NEHR to ensure there are no gaps in the records if the access restrictions are lifted in future.
In certain situations, such as medical emergencies, access restrictions may be overridden. However, this will be subjected to strict controls.
The access restriction feature will be rolled out on HealthHub in the second half of this year.
While the feature is an option, Mr Tan said its use is not encouraged as it would “adversely affect” the quality of care received by patients.
“It is only when healthcare providers … have access to our key health information that they can deliver holistic and effective care in a timely manner,” he said.
Healthcare providers and system operators will be required to put in place safeguards to protect patients’ health information and to promptly notify MOH of confirmed cybersecurity incidents and data breaches.
Where providers fall short, MOH said it will work with them first to resolve issues such as incompatible systems. If necessary, the ministry may issue directions requiring them to take steps to remedy or prevent recurrence.
For deliberate or persistent non-compliance, providers may face prosecution, said MOH.
Maximum penalties range from a S$20,000 fine and/or one year’s jail for failing to comply with directions to a S$50,000 fine and/or two years’ jail for unauthorised access or disclosure of NEHR information. This will be doubled for egregious breaches or repeat offences.
Systemic cybersecurity and data security failures carry fines of up to S$1 million.
The Bill will come into force early next year to give healthcare providers time to familiarise themselves with the new requirements and to strengthen their cybersecurity and data security measures.
Training resources and programmes, as well as funding support, will be made available to support healthcare providers and professionals.
While welcoming the privacy safeguards, MPs stressed the need to ensure patient trust and sought clarity on how more sensitive information, like mental health records, will be treated.
Dr Wan Rizal (PAP-Jalan Besar) said that the mere perception that health records could be used in employment decisions can discourage workers from seeking the care they need.
“Workers must feel safe engaging with the healthcare system, without fear of downstream consequences at work,” said the labour MP.
He said workers worry about “backdoor” use of their information, and sought assurance that the exception to share patient data for specific statutory medical examinations will not expand to general pre-employment screenings.
Mr Kenneth Tiong (WP-Aljunied) raised concerns about possible insurance loopholes, noting that integrated plan insurers increasingly require doctors to sign contracts with inspection and right to audit clauses, which grant them the right to inspect full medical records to verify claims.
He asked if the government would review the inspection and right to audit clauses in integrated plan contracts to ensure that insurers do not circumvent the excluded purposes provision.
Some MPs asked for more patient control or differentiation around access to medical records.
Ms Mariam Jaafar (PAP-Sembawang) sought higher-level authorisation and additional justification to access sensitive information like mental health and reproductive health records.
Noting how key health information will continue to be shared with the NEHR even if there are access restrictions, Mr Louis Chua (WP-Sengkang) urged MOH to move away from the “collect first, tell later” approach.
He also said some patients might wish to block access to only certain records and have more flexibility in protecting their information, rather than a blanket approval or restriction.
MPs on both sides of the House called for more support for smaller clinics, which they said could face challenges implementing the necessary cybersecurity requirements.
“This Bill changes the rules of the game. It mandates that every private clinic, from the specialist in Orchard Road to the void deck GP in the heartlands, must contribute their data. They have no choice if they wish to stay open,” said Mr Dennis Tan (WP-Hougang).
Mr Dennis Tan, Ms Joan Pereira (PAP-Tanjong Pagar), Mr David Hoe (PAP-Jurong East-Bukit Batok) and Nominated MP Haresh Singaraju suggested providing shared IT services or staffing arrangements to support smaller clinics, which do not have the dedicated IT departments of large healthcare operators.
Dr Haresh, a family physician, said there remains a “grey zone” around what is considered “reasonable care” by doctors, who may not consult patient records available in the NEHR if they consider their clinical assessment sufficient.
Echoing this, Dr Hamid Razak (PAP-West Coast-Jurong West) asked for confirmation that the NEHR is “a supplementary clinical tool and not a mandatory step”.
The surgeon said this would help to address concerns that clinicians could be held liable for not checking the NEHR in every patient consultation.
Workers’ Party’s (WP) Mr Tiong noted that Synapxe, the agency that operates the NEHR, was rebranded from Integrated Health Information Systems (IHiS), the entity found responsible for the 2018 SingHealth data breach.
That was when the records of 1.5 million patients were stolen in the most serious breach of personal data in Singapore’s history.
Mr Tiong pointed to the findings that the breach was a result of human lapses, including lack of cybersecurity awareness among IHiS staff, who did not respond appropriately when they detected suspicious activity.
“Given the history here, I believe our health authorities also need to take steps towards rebuilding that trust,” he said.
He sought details and assurance from MOH on NEHR’s technical architecture and how the ministry will police unauthorised access to the database.
Fellow WP MP Mr Dennis Tan noted that SingHealth and IHiS were collectively fined S$1 million for the 2018 data breach.
He said this effectively worked out to a 66-cent fine for each stolen patient record, and that the fine could be considered “a trivial operating expense” for such a large healthcare operator, given its revenues.
He suggested that a fine on a per-person basis would signal the value the government places on citizens’ privacy and make organisations take cybersecurity more seriously.
Responding to Mr Tiong, Mr Tan encouraged the WP MP to file a separate parliamentary question as the topic was not related to the debate on the Health Information Bill.
He added: “Synapxe is not a commercial entity. Its fundamental role is to support MOH in delivering digital health and IT services to benefit the healthcare clusters, to deliver better healthcare services to our Singaporeans.”
Mr Tan later also said that MOH and the NEHR had taken in the recommendations of the 2019 committee of inquiry into the cyberattack.
"NEHR is subject to security and resilience audits, with vulnerability scans, penetration tests and exercises carried out regularly to ensure that systems are secure and back-up systems are operational in the event of downtime," he said.
He said the NEHR database had "several lines of defence" to detect and block suspicious traffic.
He added that the lesson from the data breach was that “we are open and transparent about the issue, convene the committee of inquiry, learn the lessons, apply them, and make sure we work very hard to prevent such breaches from reoccurring”.
On the S$1 million fine for SingHealth and IHiS, Mr Tan pointed out that Singapore also provides for criminal prosecution for data breaches, which can include prison time.
“But more basically, we take an approach that is more supportive, working together with our healthcare providers and healthcare professionals,” he said.
“We want to take a supportive role and approach to uplift data security and cyber security postures, not the punitive approach.”
Continue reading...
Under the Health Information Bill, healthcare providers must contribute key health information to the National Electronic Health Record system (NEHR), which was introduced in 2011.
Examples of information to be shared include allergies, vaccinations, diagnoses, medications, laboratory test results, radiological images and discharge summaries.
This will apply to patients who are Singaporeans, permanent residents or have long-term immigration passes.
The move aims to improve coordination of care as Singapore shifts from a hospital-centric system to one that is more community-based, according to the Ministry of Health (MOH).
Speaking in parliament on Monday, Senior Minister of State for Health Tan Kiat How described the current situation as “not ideal”.
“Currently, when patients move between healthcare providers, such as from private specialist clinics to their GPs, their key health records are often not accessible across providers,” he said, adding that such gaps risk medication errors, delayed treatment, duplicate tests and procedures.
He said the Bill will close the remaining gap, allowing patients’ key health information to be accessible by their healthcare providers when they move across healthcare settings.
Patients will benefit from better coordinated care, enhanced quality of care and lower costs, he said.
Since its introduction, NEHR has stored the health data of patients of public hospitals and polyclinics, while participation was voluntary for some private-sector providers.
While most healthcare providers already contribute to the NEHR, only a small group of specialist clinics, clinical and radiological laboratories and dental clinics do not.
As of Oct 31, 2025, approximately 70 per cent of GPs contribute to the NEHR, according to MOH.
WHAT DOES THE BILL COVER?
The Bill provides a statutory framework governing the collection, contribution, access and sharing of health information under the NEHR, which contains patients’ medical histories from multiple healthcare providers.
It also spells out who may access the data and for what purposes.
Access is generally limited to patient care purposes, and only healthcare providers and professionals whom patients are consulting may view their records. These include doctors, nurses, pharmacists and allied health professionals.
The Bill also specifies use cases and conditions where non-NEHR health information - which refers to basic identification, contact information and, if necessary, broad health risk indicators - can be shared to support continuity of care and outreach for national health initiatives.
However, the data sharing must be between specified entities and will cover key public healthcare stakeholders such as public health institutions, the Agency for Integrated Care and public agencies for a start.
Identifiable NEHR data may be shared for public health purposes - subject to conditions if necessary - for example, during major drug contamination incidents to allow providers to quickly contact affected patients.
Anonymised data may be used for public interest purposes such as reviewing the cost-effectiveness of medicines, and NEHR information may also be used where required or permitted under other laws, such as for criminal investigations or disease control.
Use of NEHR data for employment or insurance purposes is prohibited, except for a limited set of medical examinations required or permitted by law, including fitness-for-service assessments for the Singapore Armed Forces, Singapore Police Force and Singapore Civil Defence Force.
Patients will be able to see which healthcare providers accessed their records through HealthHub and can flag any unauthorised access to MOH.
They can also place an access restriction so that only selected healthcare providers may view their NEHR record. However, information such as allergies and vaccination records will remain accessible to providers to reduce the risk of inappropriate prescriptions or immunisation when patients visit a new healthcare provider.
The patients’ key health information will also continue to be contributed to the NEHR to ensure there are no gaps in the records if the access restrictions are lifted in future.
In certain situations, such as medical emergencies, access restrictions may be overridden. However, this will be subjected to strict controls.
The access restriction feature will be rolled out on HealthHub in the second half of this year.
While the feature is an option, Mr Tan said its use is not encouraged as it would “adversely affect” the quality of care received by patients.
“It is only when healthcare providers … have access to our key health information that they can deliver holistic and effective care in a timely manner,” he said.
HOW WILL THE DATA BE PROTECTED?
Healthcare providers and system operators will be required to put in place safeguards to protect patients’ health information and to promptly notify MOH of confirmed cybersecurity incidents and data breaches.
Where providers fall short, MOH said it will work with them first to resolve issues such as incompatible systems. If necessary, the ministry may issue directions requiring them to take steps to remedy or prevent recurrence.
For deliberate or persistent non-compliance, providers may face prosecution, said MOH.
Maximum penalties range from a S$20,000 fine and/or one year’s jail for failing to comply with directions to a S$50,000 fine and/or two years’ jail for unauthorised access or disclosure of NEHR information. This will be doubled for egregious breaches or repeat offences.
Systemic cybersecurity and data security failures carry fines of up to S$1 million.
The Bill will come into force early next year to give healthcare providers time to familiarise themselves with the new requirements and to strengthen their cybersecurity and data security measures.
Training resources and programmes, as well as funding support, will be made available to support healthcare providers and professionals.
Related:
WORRIES ABOUT PATIENT PRIVACY
While welcoming the privacy safeguards, MPs stressed the need to ensure patient trust and sought clarity on how more sensitive information, like mental health records, will be treated.
Dr Wan Rizal (PAP-Jalan Besar) said that the mere perception that health records could be used in employment decisions can discourage workers from seeking the care they need.
“Workers must feel safe engaging with the healthcare system, without fear of downstream consequences at work,” said the labour MP.
He said workers worry about “backdoor” use of their information, and sought assurance that the exception to share patient data for specific statutory medical examinations will not expand to general pre-employment screenings.
Mr Kenneth Tiong (WP-Aljunied) raised concerns about possible insurance loopholes, noting that integrated plan insurers increasingly require doctors to sign contracts with inspection and right to audit clauses, which grant them the right to inspect full medical records to verify claims.
He asked if the government would review the inspection and right to audit clauses in integrated plan contracts to ensure that insurers do not circumvent the excluded purposes provision.
Some MPs asked for more patient control or differentiation around access to medical records.
Ms Mariam Jaafar (PAP-Sembawang) sought higher-level authorisation and additional justification to access sensitive information like mental health and reproductive health records.
Noting how key health information will continue to be shared with the NEHR even if there are access restrictions, Mr Louis Chua (WP-Sengkang) urged MOH to move away from the “collect first, tell later” approach.
He also said some patients might wish to block access to only certain records and have more flexibility in protecting their information, rather than a blanket approval or restriction.
SUPPORT FOR SMALLER CLINICS
MPs on both sides of the House called for more support for smaller clinics, which they said could face challenges implementing the necessary cybersecurity requirements.
“This Bill changes the rules of the game. It mandates that every private clinic, from the specialist in Orchard Road to the void deck GP in the heartlands, must contribute their data. They have no choice if they wish to stay open,” said Mr Dennis Tan (WP-Hougang).
Mr Dennis Tan, Ms Joan Pereira (PAP-Tanjong Pagar), Mr David Hoe (PAP-Jurong East-Bukit Batok) and Nominated MP Haresh Singaraju suggested providing shared IT services or staffing arrangements to support smaller clinics, which do not have the dedicated IT departments of large healthcare operators.
Dr Haresh, a family physician, said there remains a “grey zone” around what is considered “reasonable care” by doctors, who may not consult patient records available in the NEHR if they consider their clinical assessment sufficient.
Echoing this, Dr Hamid Razak (PAP-West Coast-Jurong West) asked for confirmation that the NEHR is “a supplementary clinical tool and not a mandatory step”.
The surgeon said this would help to address concerns that clinicians could be held liable for not checking the NEHR in every patient consultation.
LESSONS FROM 2018 SINGHEALTH BREACH
Workers’ Party’s (WP) Mr Tiong noted that Synapxe, the agency that operates the NEHR, was rebranded from Integrated Health Information Systems (IHiS), the entity found responsible for the 2018 SingHealth data breach.
That was when the records of 1.5 million patients were stolen in the most serious breach of personal data in Singapore’s history.
Mr Tiong pointed to the findings that the breach was a result of human lapses, including lack of cybersecurity awareness among IHiS staff, who did not respond appropriately when they detected suspicious activity.
“Given the history here, I believe our health authorities also need to take steps towards rebuilding that trust,” he said.
He sought details and assurance from MOH on NEHR’s technical architecture and how the ministry will police unauthorised access to the database.
Fellow WP MP Mr Dennis Tan noted that SingHealth and IHiS were collectively fined S$1 million for the 2018 data breach.
He said this effectively worked out to a 66-cent fine for each stolen patient record, and that the fine could be considered “a trivial operating expense” for such a large healthcare operator, given its revenues.
He suggested that a fine on a per-person basis would signal the value the government places on citizens’ privacy and make organisations take cybersecurity more seriously.
Responding to Mr Tiong, Mr Tan encouraged the WP MP to file a separate parliamentary question as the topic was not related to the debate on the Health Information Bill.
He added: “Synapxe is not a commercial entity. Its fundamental role is to support MOH in delivering digital health and IT services to benefit the healthcare clusters, to deliver better healthcare services to our Singaporeans.”
Mr Tan later also said that MOH and the NEHR had taken in the recommendations of the 2019 committee of inquiry into the cyberattack.
"NEHR is subject to security and resilience audits, with vulnerability scans, penetration tests and exercises carried out regularly to ensure that systems are secure and back-up systems are operational in the event of downtime," he said.
He said the NEHR database had "several lines of defence" to detect and block suspicious traffic.
He added that the lesson from the data breach was that “we are open and transparent about the issue, convene the committee of inquiry, learn the lessons, apply them, and make sure we work very hard to prevent such breaches from reoccurring”.
On the S$1 million fine for SingHealth and IHiS, Mr Tan pointed out that Singapore also provides for criminal prosecution for data breaches, which can include prison time.
“But more basically, we take an approach that is more supportive, working together with our healthcare providers and healthcare professionals,” he said.
“We want to take a supportive role and approach to uplift data security and cyber security postures, not the punitive approach.”
Continue reading...