Singapore Mandates Health Data Sharing with New Law

Singapore’s parliament passed a significant law on January 12, 2025, requiring all licensed healthcare providers to share patients’ health information with a central repository. This initiative, driven by the Ministry of Health (MOH), aims to streamline patient care by integrating health data into the National Electronic Health Record (NEHR) system, which has been in operation since 2011.

The new Health Information Bill mandates that healthcare providers contribute essential health information, including allergies, vaccinations, diagnoses, medications, laboratory test results, radiological images, and discharge summaries. This requirement will apply to Singaporean citizens, permanent residents, and long-term pass holders. The law is a critical step toward transitioning Singapore’s healthcare system from a hospital-centric model to one that prioritizes community-based care.

In a parliamentary session, Tan Kiat How, Senior Minister of State for Health, emphasized the need for this reform. He noted that the current system often leaves patients’ key health records inaccessible when they switch between providers, which can lead to medication errors, delayed treatments, and unnecessary duplicate tests. By ensuring that health information is shared across healthcare settings, the Bill aims to improve coordination and quality of care while potentially lowering costs.

Key Provisions of the Bill

The Health Information Bill establishes a legal framework governing the collection, access, and sharing of health information within the NEHR. It outlines who can access this data and the purposes for which it can be used, primarily focusing on patient care. Access will generally be restricted to healthcare providers involved in a patient’s care, including doctors, nurses, and pharmacists.

The Bill also delineates circumstances under which non-NEHR health information, such as basic identification details and health risk indicators, can be shared. This data may support continuity of care and national health initiatives. Specific public health stakeholders, including public health institutions and the Agency for Integrated Care, will initially be covered under this framework.

Notably, identifiable NEHR data may be utilized for public health purposes, such as during major health crises, while anonymised data can be employed for research and cost-effectiveness analysis. The sharing of health information for employment or insurance purposes remains prohibited, except for legally required medical examinations related to specific services, such as the military or police.

Patients will retain some control over their health data. They can view which healthcare providers accessed their records through HealthHub, report unauthorized access to the MOH, and set access restrictions on their NEHR records. Nevertheless, critical information, such as allergy and vaccination records, will remain visible to all healthcare providers to minimize risks during new patient consultations.

Privacy Concerns and Cybersecurity Measures

While the Bill has been met with support for its privacy safeguards, several Members of Parliament (MPs) expressed the necessity of ensuring patient trust. They raised concerns regarding how sensitive information, particularly mental health records, will be managed. Dr. Wan Rizal highlighted that fears about the misuse of health data could deter individuals from seeking care.

Concerns regarding potential loopholes in insurance practices were echoed by Mr. Kenneth Tiong, who questioned whether integrated plan insurers could exploit contractual clauses to access full medical records. Meanwhile, calls for enhanced patient control over sensitive information continued, with suggestions for higher authorization levels before accessing certain records.

The Bill mandates that healthcare providers and system operators implement robust safeguards to protect patient data. Providers must promptly report any cybersecurity incidents or data breaches to the MOH. Non-compliance can result in significant penalties, including fines ranging from S$20,000 for minor infractions to S$1 million for systemic breaches.

The introduction of this law comes in the wake of the 2018 SingHealth data breach, where the records of 1.5 million patients were compromised. The agency responsible for operating the NEHR, Synapxe, was formerly known as Integrated Health Information Systems (IHiS), which faced scrutiny for its handling of cybersecurity measures.

In response to these concerns, the MOH assured that the NEHR’s security protocols have been strengthened, incorporating lessons learned from past incidents. Regular audits, vulnerability scans, and penetration tests will be conducted to ensure the integrity of the system.

As Singapore prepares to implement this law, healthcare providers will be given time to adjust to the new requirements and bolster their cybersecurity measures. The MOH plans to offer training resources and funding support to assist providers in meeting these obligations. The rollout of the access restriction feature on HealthHub is expected in the second half of 2025, although the use of this option is not encouraged due to its potential impact on the quality of care.

Through this legislative change, Singapore aims to build a more integrated healthcare ecosystem that enhances patient outcomes while addressing privacy and security concerns comprehensively.