MOH consults on proposed Health Information Bill: Establishes framework to govern safe collection, access, use, and sharing of health information

30 January 2024

From 11 December 2023 to 11 January 2024, the Ministry of Health (“MOH”) conducted a public consultation to seek views on a proposed Health Information Bill (“Bill”). When implemented, the Bill will establish the framework to govern the safe collection, access, use, and sharing of health information across the healthcare ecosystem, to facilitate better continuity and seamless transition of care.

The Bill is expected to be tabled in Parliament in the first half of 2024.

Key provisions of the Bill

Set out below is a summary of some key provisions of the Bill:

• Contribution of and access to key health information: The Bill will mandate all healthcare licensees to contribute a copy of selected key health information to the National Electronic Health Record (“NEHR”). While NEHR is used by all public healthcare institutions, participation by private providers is currently voluntary. MOH will decide which healthcare providers have to contribute to the NEHR. Only key health information, such as diagnosis, medications, allergies or laboratory reports, will need to be contributed to the NEHR. All healthcare licensees will be granted access to the NEHR. Besides healthcare licensees, non-healthcare licensees may also be granted access as approved users, but they will have access only to the relevant information required for them to provide care to patients.
• Sharing beyond NEHR: The Bill will set out three purposes for which health information residing outside the NEHR can be shared. These are (i) for outreach under national health initiatives, (ii) to support continuity of care including telecollaboration, and (iii) for assessment of eligibility for financing schemes.
• Sensitive health information: While all health information is personal and sensitive, certain types of health information are even more sensitive, and risk subjecting individuals to discrimination or social stigma. The Bill terms such information as Sensitive Health Information (“SHI”). SHI will not be readily accessible compared to other key health information and additional requirements will be imposed on such SHI. The Bill will also explicitly disallow data to be used to assess one’s suitability for employment, or whether one can qualify to be an insurance policyholder or claimant.
• Access and sharing restrictions: The Bill will provide individuals the option to place access restrictions on the sharing of their key health information in NEHR. However, the Bill will allow for such access restrictions to be overridden in the case of a medical emergency, also known as a “break glass” provision.
• Cybersecurity and data security safeguards: As custodians of the patients’ healthcare data, healthcare providers contributing to or accessing NEHR, or care providers participating in data sharing use cases enabled under the Bill (collectively, “entities”), will have to meet a unified set of cybersecurity and data security requirements to protect both electronic and non-electronic health information. MOH will be surveying healthcare providers in the coming months, to better (i) profile their IT set-up, resourcing, and capabilities, and (ii) understand their current cyber and data security readiness. This will help inform subsequent steps that MOH may take to support healthcare providers in preparing for eventual implementation of the Bill.
• Requirements for data Intermediaries: The Bill will impose obligations on data intermediaries, including (i) the protection of health information from unauthorised access or disclosure, (ii) the disposal of information that is no longer needed, (iii) ensuring data portability standards, and (iv) informing the entity of any cybersecurity incident or data breach without undue delay.
• Enforcement and penalties: MOH will have powers under the Bill to issue directions for entities to rectify non-compliances with the Bill, such as stopping unauthorised access to health information on the NEHR, destroying all health information collected in an unauthorised manner, stopping further unauthorised sharing of health information under the data sharing framework, and strict compliance with the cyber and data security requirements. MOH will also have emergency powers to perform remediation measures involving health information in severe situations. For severe non-compliances by entities, MOH proposes to impose a fine of up to S$1 million, or 10% of the organisation's annual turnover (whichever is higher). Recognising the sensitivity of health information and to deter abuse, the Bill will also introduce offences to hold individuals accountable for egregious mishandling of any health information under the control of an entity.

Draft NEHR Guidelines for public consultation

Working with a group of senior members of the medical, dental, and legal professions, and various professional associations, MOH has drafted a set of guidelines for healthcare professionals which outline the core ethical principles and reasonable professional standards that should be adopted when contributing to, accessing, or using NEHR. The guidelines will also provide additional information and guidance on the professional standards that all relevant healthcare professionals should continue to uphold, while using the NEHR as a tool to complement their professional practice.

MOH is also seeking feedback on the draft set of guidelines, and will incorporate relevant feedback in the final version, which is intended for launch around the same time as the introduction of the Bill in 2024.

Reference materials

The following materials are available on the MOH website www.moh.gov.sg and the REACH website www.reach.gov.sg:

• MOH press release
• REACH press release
• Consultation Paper
• Annexes A to D
• Draft NEHR Guidelines for Public Consultation
• What does this mean for - Patients
• What does this mean for - Licensees and approved users
• What does this mean for - Data intermediaries