The Ministry of Health (MOH) will conduct a public consultation from 11 December 2023 to 11 January 2024 to seek views on the proposed Health Information Bill (HIB). The HIB will establish the framework to govern the safe collection, access, use, and sharing of health information across the healthcare ecosystem, to facilitate better continuity and seamless transition of care. The HIB will be tabled in Parliament in the first half of 2024.
The Need for the Health Information Bill
2. As our population ages, we expect healthcare needs to become more complex. More Singaporeans will have chronic conditions, will need to visit various healthcare institutions, and rely on multiple healthcare providers for care. In our diverse healthcare system, most patients are seen and managed by more than one healthcare provider. The health information generated from each visit is currently held by these providers in separate paper or electronic record systems.
3. Sharing the key health information of patients, such as their test results, vital signs, medications and allergies, can facilitate more seamless and better care delivery. This will benefit patients by removing the need for repetitive laboratory or radiological tests, and for patients to repeat their medical history to various healthcare providers. More importantly, by having access to a common set of their patients’ key health information, healthcare providers will be able to make better clinical decisions for the benefit of their patients.
4. This is why the National Electronic Health Record (NEHR) was established in 2011 as a centralised health information repository. The NEHR serves to improve the flow of key health information, by establishing a network between public and private providers. This allows patients to move seamlessly across the healthcare ecosystem to receive coordinated care, regardless of setting.
5. While NEHR is used by all public healthcare institutions, participation by private providers is voluntary, with about 15% participating as of October 2023. Hence, there is no single holistic picture available of an individual’s health information, as data is fragmented and scattered across different providers.
6. Around the world, health authorities face the same challenge, and have been pushing for a shared patient database. In Singapore, having developed the NEHR, MOH is proposing to introduce the HIB, which will make it mandatory for all licensed healthcare providers to contribute data to the NEHR. This will enable patients and providers to continue benefitting from having access to an up-to-date, accurate and complete centralised national repository of key health information whenever care is provided.
Contribution and Access to Health Information
7. Only key health information, such as diagnosis, medications, allergies or laboratory reports, will need to be contributed to the NEHR. This will allow providers access to patients’ summary medical records for better care. At the same time, providers are only allowed access to relevant information required for them to provide care to patients.
8. While all health information is personal and sensitive, certain types of health information are even more sensitive, and risk subjecting individuals to discrimination or social stigma. Such sensitive health information can only be accessed by medical practitioners, selected nurses and pharmacists in the public institutions, based on their role in the care delivery of the patient. This mirrors today’s care environment, where access to such sensitive health information is restricted.
9. To better safeguard patients’ interest, additional equirements will be imposed on sensitive health information under the HIB. These include administrative access controls, such as a double log-in function within NEHR, and mandatory incident reporting requirements should any breach of access occur. Any unjustified use or access by unauthorised personnel will be subject to penalties.
10. The HIB will also explicitly disallow data to be used to assess one’s suitability for employment, or whether one can qualify to be an insurance policyholder or claimant. This will ensure that a patient's medical history cannot be used to discriminate against the employability or insurability of the patient. This prohibition overrides patient consent to ensure that patients will not be coerced into giving consent for such assessments.
Access and Sharing Restrictions
11. The Bill will provide individuals the option to place access restrictions on the sharing of their key health information in NEHR. Once in place, this restriction means that no one will be allowed to access the individual’s information within the NEHR, including the individual’s own attending doctor.
12. As a result, the individual may experience more inefficient care delivery, leading to greater inconveniences, such as having to repeat laboratory or radiological investigations, and potentially even compromise their safety and welfare, as critical information, such as the individual’s allergic reactions to medications, will no longer be made known to healthcare professionals.
13. Despite these protections for individual privacy, the Bill will allow for such access restrictions to be overridden in the case of a medical emergency, or a ‘break glass’ provision. For the ‘break glass’ override to be triggered, the individual must be medically assessed to be at risk of immediate and significant harm unless medical intervention is given, and is unable to provide consent (e.g. because they are comatose). Access restrictions cannot be overridden for individuals who continue to have the ability to provide or withhold consent, even in a medical emergency.
Cybersecurity and Data Security Safeguards
14. With an increase in the contribution, access and sharing of health information across the ecosystem, there is increasing risk of cyber-attacks and consequences of potential data losses. As custodians of the patients’ healthcare data, healthcare providers contributing to or accessing NEHR, or care providers participating in data sharing use cases enabled under the Bill will have to meet a robust unified set of cybersecurity and data security requirements to protect both electronic and non-electronic health information.
15. This includes reporting cybersecurity incidents and data breaches (including unauthorised NEHR access) that meet the prescribed thresholds to MOH. These safeguards are necessary in view of the interconnected roles that healthcare and care providers play in the healthcare ecosystem.
Invitation to Provide Feedback
16. MOH has consulted extensively on the proposed provisions of the HIB over the past year, with 39 focus group discussions conducted and over 1,000 stakeholders engaged. These include members of the public, licensees, healthcare professionals and associations, as well as IT vendors, to design and refine the Bill.
17. MOH is seeking the views of members of the public, patients, healthcare providers and data intermediaries whom this Bill will directly impact. The feedback gathered will help MOH to develop and implement robust policies, and enable us to build a safer and secure digitalised healthcare system for everyone in support of our national healthcare priorities and initiatives.
18. From 11 December 2023 to 11 January 2024, members of the public are invited to visit go.gov.sg/hib-consult for the consultation paper and submit their feedback. More details on the HIB can also be found on healthinfo.gov.sg. The public can email any clarifications or queries to HIA_Enquiries@moh.gov.sg.
MINISTRY OF HEALTH
11 DECEMBER 2023