Singapore’s new legislation on health data requires controlled sharing of information.

To enforce data disclosure and sharing, the Ministry of Health has the authority to impose fines of up to $1 million for non-compliance.

Since 2011, Singapore has maintained a central repository for patient health records known as the National Electronic Health Record (NEHR). However, as of October 2023, only 15% of private providers have participated in this system.

In a bid to foster greater collaboration and data sharing among healthcare providers, the government has introduced the Healthcare Information Bill (HIB), which mandates the sharing of health data.

Lim Ren Jun, principal and co-lead of Healthcare & Life Sciences Industry Group at Baker McKenzie Wong & Leow, emphasized that the Ministry of Health foresees increasing complexity in healthcare needs as the population ages.

This shift will lead to more Singaporeans grappling with chronic conditions, necessitating visits to multiple healthcare institutions and reliance on various healthcare providers.

Lim highlighted that the Ministry of Health anticipates Singapore’s healthcare system to become more diverse as it adapts to meet the evolving demands of the population.

He emphasized that sharing key health information among healthcare providers would streamline care delivery and improve overall patient outcomes.

Zhen Guang Lam, senior associate at Clyde & Co Clasis Singapore, echoed similar sentiments, emphasizing the transformative potential of a central repository for patient health records.

He highlighted that such a system not only improves efficiency and coordination among healthcare professionals but also empowers patients with greater control over their health data.

Lam emphasized that the seamless exchange of information across the healthcare ecosystem can result in more accurate diagnoses, timely interventions, and ultimately, better patient outcomes.

Moreover, disclosing health data on the NEHR eliminates the need for patients to repeatedly declare their medical history to different healthcare professionals, saving valuable time.

Similarly, Lim noted that this approach also relieves healthcare providers of the burden of requesting patients to provide such information, thereby freeing up resources.

With access to a common set of patient health data, healthcare professionals can make more informed decisions for the benefit of their patients, Lam concluded.

Duties and Obligations

The proposed bill encompasses all licensed healthcare service providers, extending its reach to digital health service providers offering telemedicine services, approved users with access to health information in the NEHR, and data intermediaries.

Under the bill, these entities are mandated to share specific health information, such as patient demographics, medical diagnoses or allergies, and prescribed medications.

Moreover, they must adhere to cybersecurity and data security protocols, including the obligation to promptly notify the Ministry of Health within two hours in the event of a data breach or cybersecurity incident.

Lim from Baker McKenzie emphasized the necessity for healthcare providers to meticulously assess their compliance with the stringent cybersecurity and data security standards outlined in the HIB.

“Operationally, healthcare providers will need to establish procedures to ensure compliance with this compulsory incident notification mandate,” he further elaborated.

Access

Authorized healthcare professionals possess access to data within the NEHR. Non-authorized healthcare professionals or unlicensed healthcare providers may also receive access to the central repository as “approved users.”

However, they will only be granted access to “relevant information necessary for them to deliver care for patients,” as explained by Clyde & Co’s Lam.

Retail pharmacists fall into this category of non-licensed healthcare providers. Lam elaborated, stating, “Retail pharmacists may be given limited access to medication and allergy records to identify any unsafe interactions between medications the patient is currently taking and other medications the patient intends to purchase.”

“Generally, NEHR data should exclusively be utilized for patient care and not for non-healthcare purposes. Specifically, the bill will explicitly prohibit data from being used to assess a person’s suitability,” Lam emphasized.

Moreover, access rights to sensitive health information will solely be granted to medical practitioners based on their specific role in delivering healthcare to the patient.

Lam clarified, “A medical practitioner will not be permitted to access a patient’s sensitive health information if they are not providing care to that patient or if such access is unnecessary for delivering care.”

Sensitive health information encompasses data that may lead to stigmatization or discrimination, according to Lam.

Given its sensitive nature, accessing sensitive health information necessitates additional requirements, including administrative access controls such as a double-locking mechanism “to ensure healthcare professionals make a deliberate decision when accessing such information,” Lam shared.

According to Lim, under the proposed bill, patients may also possess the right to impose access restrictions on their NEHR data.

However, they might not have the ability to “customize access restrictions; for instance, restricting access solely to specific doctors or institutions, or certain data fields.”

Penalties

Healthcare providers that fail to adhere to the bill may incur various penalties.

The proposed legislation empowers the Ministry of Health (MOH) to levy financial penalties of up to $1 million (US$743,000) or 10% of the organization’s annual turnover, whichever is higher.

This aligns with the penalty framework outlined in the Personal Data Protection Act (PDPA), as stated by Lim.

Furthermore, the MOH will possess general authority to issue directives for entities to address non-compliance with the Healthcare Information Bill (HIB).

These directives encompass halting unauthorized access and collection of health information from the NEHR, disposing of all health information collected in an unauthorized manner, discontinuing further unauthorized sharing of health information under the data sharing framework, and adhering to cybersecurity and data security requirements.

Lim elucidated, “In more intricate scenarios involving cybersecurity incidents and data breaches, the MOH has indicated its intent to collaborate with the Cyber Security Agency and Personal Data Protection Commission to impose appropriate penalties under the relevant Acts.”

“In addition to penalties imposed on licensed entities, the HIB also seeks to establish offenses to hold individuals accountable for gross mishandling of health information controlled by an entity subject to the HIB,” he added.