New law mandates Singaporean providers to share patient data

The Health Information Law will start requiring providers to share information, such as vaccinations, medications, and laboratory results, to the NEHR system from early 2027.
By Adam Ang

Singapore's parliament has passed a new law mandating all healthcare providers in the country to contribute patient health information to the National Electronic Health Record system from early 2027. 

WHAT IT'S ABOUT

The Health Information Bill, first introduced in parliament in November last year, was passed on Monday following its second reading and will govern how key health information is shared across Singapore's healthcare ecosystem "for better coordinated care," according to the Ministry of Health.

Under the law, all licensed healthcare providers – including those who provide patient care within the military and prison systems – will be required to contribute key health information of Singapore citizens, permanent residents, and patients with long-term immigration passes to the NEHR system. 

This includes data such as allergies, vaccinations, diagnoses, medications, laboratory test results, radiological images and discharge summaries. 

The legislation also establishes a legal basis for sharing non-NEHR health information to facilitate community health initiatives and community-based care. 

According to the ministry, this will enable national programmes such as Healthier SG and Age Well SG by allowing healthcare clusters, for example, to share contact details of vulnerable seniors with the Agency for Integrated Care so outreach and care coordination can be better targeted.

Accessing patients' NEHR information, however, will not be compulsory, Senior Minister of State for Health Tan Kiat How clarified. "NEHR supports and complements existing clinical practices, including good history-taking and physical examinations," he said.

Tan also stressed that the new law will not impede NEHR information sharing already required or permitted under other laws, such as the Criminal Procedure Code for criminal investigations or the Infectious Diseases Act for outbreak investigations and contact tracing.

The law includes legal safeguards limiting NEHR access strictly to patient care purposes, allowing only healthcare providers and healthcare professionals (including doctors, nurses, pharmacists, and allied health professionals) whom patients are seeking care from to access their records.

It explicitly prohibits the use of NEHR data for employment or insurance purposes, except for a specified list of medical examinations required or permitted under written law. 

Minister Tan added that authorised users will only be granted access to the specific data types required for their roles. "For example, nurses in general will not have access to radiological images as they do not require this information for their patient care duties."

The government will also progressively roll out additional technical controls to limit and detect unauthorised access to NEHR data, he noted.

Patients will be able to monitor which healthcare providers have accessed their NEHR records via the HealthHub application and report any suspected unauthorised access, according to the MOH.

They also have the option to activate access restrictions – similar to those available in Australia, Estonia and Hong Kong – so that only selected healthcare providers may view their NEHR information. However, this does not cover allergies and vaccination information, which will remain accessible to healthcare providers even when restrictions are enabled, to reduce the risk of inappropriate prescriptions or immunisations. 

In medical emergencies, doctors will be able to override patient access restrictions using a "break glass" function to retrieve NEHR data needed to deliver timely, potentially life-saving care.

These safeguards complement existing technical controls, such as regular audits to flag inappropriate access and limits on the number of patient records that can be accessed within a specified timeframe. 

The law also requires all providers that contribute to and access the NEHR, as well as entities authorised to share and receive non-NEHR health information, to meet cybersecurity and data security requirements to protect health information. 

Licensed healthcare professionals in Singapore are already obligated to protect patients' personal data under existing laws, including the Personal Data Protection Act and the Healthcare Services Act.

"These requirements ensure that healthcare providers and relevant entities implement appropriate technical and organisational safeguards for the proper storage, access, use, and sharing of health information, and notify MOH of confirmed cybersecurity incidents and data breaches in a timely manner," the ministry explained.

Addressing concerns over potential liability arising from NEHR use and access, the MOH said it will publish guidelines on the appropriate access and use of NEHR information, which providers may refer to in their practice. 

The law is expected to take effect in early 2027, giving healthcare providers about a year to familiarise themselves with its requirements. The government will also offer training resources and programmes, as well as funding support to assist with their compliance.

The MOH is encouraging providers, especially smaller clinics, to adopt whitelisted health information management systems that automate the contribution of relevant data to the NEHR. 

For clinics that require more time to digitalise, the ministry said it will provide alternative contribution channels so they can begin submitting data while they work towards long-term digitalisation.

Penalties under the new law include fines of up to SG$20,000 ($15,500) and up to one year's imprisonment for deliberate or reckless non-compliance, fines of up to SG$50,000 ($38,000) and up to two years' imprisonment for unauthorised access to NEHR data, and fines of up to SG$1 million ($776,000) for providers that fail to implement required cybersecurity or data protection measures.

WHY IT MATTERS

As Singapore moves to deliver care closer to home amid an ageing population and a rising burden of chronic disease, access to a consistent and comprehensive set of patient health information has become increasingly critical to maintaining continuity of care across settings.

Despite years of NEHR rollout, some providers have yet to connect to the system, increasing the risk of medication errors, delayed treatment, and duplicate tests and procedures.

As of October, about 70% of GPs are connected to the NEHR, according to the MOH, while all nine private hospitals in Singapore have committed to contributing data to the system. 

"By enabling the sharing of key health information within our healthcare ecosystem, Singaporeans will benefit from better coordinated care, enhanced quality of care, and lower costs," the MOH said. 

The ministry also underscored that the Health Information Law supports its vision of "One Patient, One Health Summary, One Care Journey."

The legislation also enables population-level health research by allowing identifiable NEHR information to be used for public health purposes, and anonymised NEHR data to be shared for broader public interest purposes.