Singapore’s health data bill mandates regulated information sharing

To ensure data disclosure and sharing, the Ministry of Health can impose up to $1m in fines for non-compliance.

Singapore has kept a central repository for patient health records since 2011. However, the National Electronic Health Record (NEHR) only has 15% participation by private providers as of October 2023.

To encourage data sharing amongst healthcare providers, the government introduced the Healthcare Information Bill (HIB) that will make health data sharing mandatory.

“The Ministry of Health has identified that healthcare needs would become more complex as the population ages. This will entail more Singaporeans experiencing chronic conditions, having to visit various healthcare institutions and rely on multiple healthcare providers. The MOH expects that Singapore’s healthcare system will become more diverse, as it is continually evolving to meet the different demands of the population,” Lim Ren Jun, principal and co-lead of Healthcare & Life Sciences Industry Group at Baker McKenzie Wong & Leow, told Singapore Business Review.

“The sharing of key health information of patients between healthcare providers would serve to facilitate more seamless and better care delivery,” Lim added.

Zhen Guang Lam, senior associate at Clyde & Co Clasis Singapore, has a similar insight saying: “A central repository for patient health records holds immense potential to revolutionise healthcare delivery, as it not only enhances efficiency and coordination among healthcare professionals, but also empowers patients with greater control over their own health data.”

“The seamless exchange of information across the healthcare ecosystem can lead to more accurate diagnosis, timely interventions, and ultimately, better patient outcomes,” Lam said.

Disclosing health data on the NEHR will eliminate repetitive patient declarations of their medical history to various healthcare professionals, saving time. Similarly, this frees up resources on the healthcare providers’ end as they would not need to require patients to provide such information, said Lim.

“By having access to a common set of the patient’s health data, healthcare professionals will ultimately be able to make better decisions for the benefit of their patients,” Lam added.

Duties and responsibilities

The bill being introduced applies to all licensed healthcare service providers, including digital health service providers offering telemedicine service, approved users who can access health information in the NEHR, and data intermediaries.

Those covered by the bill have the responsibility to share selected health information like patient demographics, medical diagnoses or allergies, and medications.

They are also required to comply with cybersecurity and data security requirements, including notifying the MOH within two hours should there be a data breach or cybersecurity incident.

“Healthcare providers may have to carefully scrutinise and consider whether they are in compliance with the cybersecurity and data security requirements due to robust requirements that will be implemented under the HIB,” Baker McKenzie’s Lim said.

“Operationally, healthcare providers would need to implement processes to comply with this mandatory incident notification requirement,” he added.

Access

Authorised healthcare professionals have access to data in the NEHR. Non-authorised healthcare professional or non-licensed healthcare providers may also be granted access to the central repository as “approved users,” but they will only be granted access to “relevant information required for them to provide care for patients,” said Clyde & Co’s Lam.

Retail pharmacists fall under this category of a non-licensed healthcare provider. “Retail pharmacists may be granted limited access to medication and allergy records so that they can flag out any unsafe interactions between medications that the patient is already consuming, with the other medications which the patient may be intending to purchase,” Lam said.

“In general, any NEHR data should only be used for the provision of patient care and not for non-healthcare purposes. In particular, the bill will expressly prohibit data to be used to assess a person’s suitability,” Lam added.

Meanwhile, access rights to sensitive health information will only be granted to medical practitioners based on their specific role in the healthcare delivery to the patient. “A medical practitioner will not be allowed to access a patient’s sensitive health information that they are not providing care to or where such access is not required to deliver care for the patient,” Lam said.

Sensitive health information refers to data that could lead to stigmatisation or discrimination, explained Lam.

Given its nature, sensitive health information has additional requirements for it to be accessed, including administrative access controls such as a double locking mechanism “to ensure healthcare professionals make a conscious decision when assessing such information,” shared Lam.

Under the proposed bill, patients may also have the right to place access restrictions on their NEHR data, said Lim.

Patient protected data may also be accessed during medical emergencies or where required by prescribed laws.

Patients, however, may not be able to “customise access restrictions; for example, restrict access only to specific doctors or institutions, or certain data fields," said Lim.

Penalties

Healthcare providers which fail to comply with the bill may face several penalties.

The proposed bill purports to give MOH the power to impose financial penalties of up to $1 million (US$743,000) or 10% of the organisation’s annual turnover, whichever is higher, which is in line with the Personal Data Protection Act’s (PDPA) penalty regime for non-compliance, according to Lim.

The MOH will also have general powers to “issue directions for entities to rectify non-compliance with the HIB. These directions include stopping the unauthorised access and collection of health information on the NEHR; destroying all health information collected in an unauthorised manner; stopping further unauthorised sharing of health information under the data sharing framework; and complying with cybersecurity and data security requirements.

“In more complex cases involving cybersecurity incidents and data breaches, the MOH has indicated that it would work with the Cyber Security Agency and Personal Data Protection Commission to mete out appropriate penalties under the various Acts,” Lim said.

“Aside from the penalties against licensed entities, the HIB also purports to introduce offences to hold individuals accountable for egregiously mishandling the health information controlled by a HIB entity,” he added.