Skip to main content

Government officials will never ask you to transfer money or disclose bank log-in details over a phone call.

Call the 24/7 ScamShield Helpline at 1799 if you are unsure if something is a scam.

Ministry of Health
Speeches

HEALTH INFORMATION BILL SECOND READING - OPENING SPEECH FOR SMS TAN KIAT HOW

12 January 2026

A.  Introduction

1.         Mr Deputy Speaker, on behalf of the Minister for Health, I beg to move that “The Bill be now read a Second time.”

2.         I will first set out the context of the Health Information Bill (or HIB) and its role in supporting the transformation of our healthcare delivery model.

3.         I will then outline how the HIB will help MOH achieve the goal of ‘One Patient, One Health Summary, One Care Journey’ and bring Members of the House through the key provisions of the Bill, before finally covering our plans to commence the Bill from early 2027.

4.         Sir, Singapore is rapidly ageing. By 2030, one in four Singaporeans will be aged 65 and above. This substantial demographic shift brings with it a higher burden of chronic diseases and a higher proportion of patients with multiple co-morbidities. These patients will need well-coordinated, sustained care.

5.         This is why we are transforming our healthcare delivery – from being hospital-centric to delivering care in the community. We are implementing national programmes like Healthier SG and Age Well SG, as well as initiatives such as Home Personal Care and Mobile Inpatient Care @ Home.

6.         So this effort will enable patients to benefit from timely and more holistic care. Patients will receive care from a wider range of healthcare providers – not just at public hospitals and polyclinics, but also at home or in the community, including at General Practitioner (GP) clinics, dialysis centres, and via home medical or rehabilitation services.

7.         The sharing of a patient’s key health information across settings and service providers is therefore essential.

8.         Such sharing of health information will also benefit younger patients who visit new healthcare providers or encounter medical emergencies.

9.         Today’s situation is not ideal. Currently, when patients move between healthcare providers such as from private specialist clinics to their GPs, their key health records are often not accessible across providers. Such gaps can risk medication errors, delayed treatment, and duplicate tests and procedures.

10.     This is why many jurisdictions, such as Australia, Estonia, Finland and Norway, have developed robust governance frameworks to govern the sharing of health information across healthcare providers. This sharing regime has led to better patient outcomes, reduced costs and more effective and efficient healthcare delivery. We have studied these jurisdictions carefully and adopted key features suited to our local context.


NEHR and Current Status

11.     But sir, in practice, we are not starting from scratch. Singapore started sharing health information across providers since 2011, with the implementation of the National Electronic Health Record system (or NEHR).

a.    Today, all public hospitals and polyclinics are already contributing key health information to NEHR. Public hospitals contribute about 80% of total beds in Singapore and account for approximately 90% of hospital stays

b.    With Healthier SG, most GP clinics are already onboarded onto NEHR. This has been of tremendous benefit for GPs and their patients.

c.    Most private hospitals have also onboarded to NEHR, while the remaining are in the process of doing so.  

d.    Hence, the vast bulk of key healthcare services are already on NEHR, or coming on board soon, leaving a small group that have not done so such as specialist clinics, clinical and radiological laboratories and dental clinics.

 

One Patient, One Health Summary, One Care Journey

12.     Sir, with your permission, may I ask the Clerks to distribute a handout on the key elements of the HIB. Members may also access the handout through the MP@SGPARL App.

13.     Sir, the HIB will help us realise the vision of ‘One Patient, One Health Summary, One Care Journey’ in two important ways.

14.     First, the HIB will close the remaining gap by requiring all licensed healthcare providers to contribute to the NEHR and providing for their NEHR access. This will allow patients’ key health information to be accessible by their healthcare providers when they move across healthcare settings. Patients will also benefit from better coordinated care, enhanced quality of care and lower costs.  

15.     Let me illustrate with a hypothetical example of 50-year-old Ms Kamala as covered in the infographic. Ms Kamala regularly visits her nearby GP to manage her chronic health conditions. She recently moved to a new estate. When she visits a different GP near her new home, the doctor there can make informed care decisions based on Ms Kamala’s health information in NEHR.

16.     Her new doctor can see which tests have been done and the medications that have been prescribed. He need not repeat the tests, saving Ms Kamala time and money. Appropriate tests and medications can also be ordered to better manage Ms Kamala’s health requirements. Patients moving between private and public healthcare providers, or acute and community settings will similarly benefit.

17.     Actually, I think many members of the house can relate to these examples. We often see scenes where our residents, especially our seniors, sit in front of the GP clinic carrying a big plastic bag of medicine. I once joked with a resident, saying that most people see the doctor to collect medicine, but he brings his medicine to see the doctor. He laughed and said that the doctor has asked him what medicines he currently takes, and he cannot remember, so he brought all his medicine. I am sure that if I had looked into his plastic bag of medicine, there would be medicine that has been issued by another doctor some time ago that has probably expired. So, this situation is not ideal.

18.     Second, the HIB will enable the sharing of non-NEHR health information to facilitate community-based care. Today, the Agency for Integrated Care (or AIC) under the Ministry of Health shares data with community health partners to enable them to engage and provide befriending services or care to seniors. The HIB will provide an additional channel for the sharing of non-NEHR health information to better support national health programmes and initiatives.

19.     Let me illustrate this using another hypothetical example also covered in the infographic. 72-year- old Mr Lim has Type 2 diabetes and has rarely left home since his wife passed away. Mr Lim has been skipping his polyclinic appointments and struggles to manage his diabetes.

20.     Without the opportunity to see Mr Lim, the polyclinic cannot seek his consent to share his contact and relevant health information with community health partners for follow-up. However, if our community healthcare providers and their partners are aware of Mr Lim’s conditions, they can better support him.

21.     With the HIB, when Mr Lim's polyclinic assesses that he would benefit from community support, the polyclinic can potentially share his contact information and an indicator of his level of health risk, such as whether he has a chronic condition, with AIC. AIC can then prioritise engaging Mr Lim, encourage him to check on his well-being and link him up with necessary support as needed.

22.     AIC’s early engagement of seniors like Mr Lim allows them to benefit from healthcare providers and community-based services before their isolation sets in, leading to more serious health consequences. Again, this is a scenario many members of the House see when we do our house visits and meet our seniors in the community, especially seniors living alone who are isolated. These provisions under HIB will help to enable better care for our seniors.


Stakeholder and Public Feedback

23.     To ensure that the Bill addresses Singapore’s healthcare needs as well as considers stakeholders’ views, MOH has been engaging the public and stakeholders since 2022.

24.     I would like to take this opportunity to thank members of the public and patient advocacy groups for their support for the Bill and their invaluable input such as providing patients with greater control over their access to their NEHR.

25.     I would also like to thank the professional bodies and healthcare professionals for their feedback, particularly regarding the cyber and data security requirements and the support that their members and colleagues may require as part of the transition.

26.     MOH has taken these viewpoints onboard.

 

B.  Structure and Key Provisions of the Bill

27.     Sir, now allow me to go through the Bill’s key provisions and safeguards for the sharing of health information under the Bill.


Sharing of Key Health Information through NEHR – Contribution and Access  

Contribution of Key Health Information

28.     In the example of Ms Kamala shared earlier, NEHR would only be able to support her new doctor if key health information from her previous healthcare providers was contributed to NEHR.

29.     The HIB will require all healthcare providers licensed under the Healthcare Services Act 2020 and retail pharmacies licensed under the Health Products Act 2007 to contribute key health information about patients into NEHR. The key health information is those crucial for continuity of care such as allergies, vaccinations, diagnoses, medications, laboratory test results, radiological images and discharge summaries.

30.     As certain public agencies such as the Singapore Armed Forces (SAF) and the Singapore Civil Defence Force (SCDF) also provide patient care, the Bill enables these agencies to be gazetted under the Act, to contribute key health information to NEHR.

31.     Key health information of Singapore citizens, permanent residents and patients with long-term immigration passes will need to be contributed as these groups are more likely to seek care in Singapore over time. Health information of transient visitors, such as tourists, need not be contributed.

32.     Clauses 10 – 15 set out the provisions relating to the contribution of key health information to NEHR. The First Schedule lists the key health information that each licensee category needs to contribute, based on the patient care functions they provide.


Safeguards governing NEHR access for provision of patient care  

33.     NEHR access will be provided for the healthcare providers that are contributing key health information to NEHR. The Bill will also enable NEHR access for community health partners providing clinical or care-planning services. This is in recognition of their increasingly important role in supporting patients’ continuity of care.  

34.     To enable the provision of timely and effective care, there will not be a need for every healthcare professional to seek consent each time they access patients’ NEHR.  

35.     At the same time, we are mindful that patients expect their NEHR information to be kept confidential. The Bill provides for robust legislative safeguards to address these concerns. We also have in place technical controls to ensure that access to NEHR is tightly regulated.


Legislative safeguards

36.     Let me first speak about the legislative safeguards. NEHR access for patient care purposes will be limited to licensed healthcare providers and their authorised individuals.

37.     Healthcare providers must only authorise NEHR access for healthcare professionals who require it for patient care purposes.  Such professionals include doctors, nurses, pharmacists and allied health professionals. Individuals who only perform an administrative or corporate role, even if they are healthcare professionals, will not be given NEHR access. Authorised individuals must access NEHR only for patients whom they are providing patient care to.

38.     Healthcare providers must also implement appropriate practices to ensure their healthcare professionals access NEHR appropriately. This will include regular training on the appropriate use of NEHR, and conducting audits on NEHR access.

39.     In short, access to NEHR is restricted to healthcare professionals for the purpose of providing care to their patients.

40.     Accessing NEHR for purposes relating to employment or insurance will be strictly prohibited.

  • This means healthcare professionals will not be allowed to access NEHR for purposes such as filling out medical reports required for insurance claims or pre-employment medical screening forms.

  • This will address concerns expressed during the public consultation that health information could be used in a discriminatory manner by employers or insurance companies.

  • However, there are medical examinations, set out in statutes, which serve to protect the public and safeguard the health of the individual and those around him. Examples include examinations of persons who are at risk of an infectious disease and the medical examinations to assess fitness for service in the SAF, SCDF and Singapore Police Force, as required under the Enlistment Act. NEHR access will therefore be allowed for these statutory medical examinations.

41.     Clauses 16 – 23 set out the provisions relating to NEHR access, including the legislative safeguards. The Second Schedule sets out the categories of authorised individuals who may access NEHR for different categories of healthcare providers. The specified statutory medical examinations for which NEHR may be accessed is listed in the Third Schedule.


Technical safeguards

42.     Let me turn to the technical controls that MOH will put in place to tightly regulate access to NEHR.

43.     First, authorised individuals will only be granted access to the data types required for their patient care duties. For example, nurses in general will not have access to radiological images as they do not require this information for their patient care duties.  

44.     System-level controls to limit unauthorised access, such as limiting the number of patient records that can be accessed within a stipulated time frame and conducting regular audits to flag unauthorised NEHR access, have already been implemented.

45.     We will be progressively rolling out additional technical measures and processes to limit and detect unauthorised access to NEHR information of patients.   


Access Restrictions and Access Logs

46.     Patients themselves can monitor access of their NEHR information through their HealthHub account and can report suspicious activities to MOH for investigation.

47.     By default, patients’ key health information will be contributed to NEHR and will be accessible by healthcare providers to support the continuity of care across healthcare settings.

48.     For those who continue to have privacy concerns, they may restrict access to their NEHR information so that only select healthcare providers may have this access. This Access Restriction feature is like the approach adopted by Australia, Estonia and Hong Kong.

49.     Today, such an Access Restriction regime is already in place.  Patients can submit their request to place an Access Restriction at public healthcare institutions (or PHIs). From the second half of this year, patients can do so through their HealthHub app.

50.     For patient safety, when patients visit their healthcare providers, the provider will still be able to view a subset of records in the patients’ NEHR, even if there is an access restriction in place. This subset of records comprises critical allergies and vaccination information that helps reduce the risk of inappropriate prescriptions or immunisations when patients visit new healthcare providers.

51.     Further, a patient’s NEHR information may be accessed during medical emergencies despite an Access Restriction. This feature, known as “break-glass”, is like Australia’s approach. Access in such extenuating situations will be subject to strict controls.

52.     First, only doctors will be allowed to “break-glass”.

53.     Second, before “breaking glass”, the doctor must re-verify their credentials and declare a medical emergency has happened.

54.     Third, every instance where a doctor “breaks glass” will be subject to audits. Confirmed cases of inappropriate “break glass” will be investigated as potential breaches under the HIB and may also be referred to the Singapore Medical Council for disciplinary action.

55.     To ensure there are no gaps in patients’ records even during emergencies, health information will continue to be contributed to NEHR even when an Access Restriction is placed.

56.     While Access Restriction is an option, we do not encourage its use as it would adversely affect the quality of care we receive as patients. It is only when healthcare providers, like our doctors or healthcare frontline staff, have access to our key health information that they can deliver holistic and effective care in a timely manner.

57.     Clauses 29 – 33 deal with Access Restrictions. Details relating to these Access Restrictions will be set out in subsidiary legislation.


Other Uses of NEHR Information

58.     As the national repository of key health information, NEHR information can be used to inform national policies and research to improve population health outcomes for Singaporeans.

59.     The HIB will provide for the sharing of identifiable NEHR information for public health purposes, and anonymised NEHR information for broader public interest purposes.

60.     For example, in the event of a major drug contamination incident, MOH may share necessary information from NEHR – such as the identity of patients prescribed with the drug – with relevant healthcare institutions and direct them to promptly contact the affected individuals and advise them to stop taking the drug and seek medical care.

61.     The HIB will not impede the sharing of NEHR information as required or permitted under other laws. For example, NEHR information may be required under the Criminal Procedure Code 2010 to facilitate criminal investigations by the Police; or by the Communicable Diseases Agency (CDA) under the Infectious Diseases Act 1976 for outbreak investigations and contact tracing of potentially exposed individuals.

62.     But for all requests, MOH will assess whether the NEHR information is appropriate and necessary for the purpose of the request, taking into consideration factors such as whether alternative information is suitable, and whether anonymised or aggregated data would suffice.  

63.     The sharing of NEHR information under other laws, as well as for public health and public interest purposes are provided for in Clause 5 and Clauses 20 to 28 respectively.


Sharing of non-NEHR Health Information to Facilitate Community-based Care

64.     Sir, let me turn now to the provisions for the sharing of non-NEHR health information to facilitate community-based care.

65.     As mentioned earlier, the HIB will provide an additional channel for data-sharing to support the goal of ‘One Patient, One Health Summary, One Care Journey’.


Scope and key requirements for data sharing

66.     We will enable the scoped sharing of non-NEHR health information without an individual’s consent only if three key criteria are met.  

67.     First, data sharing must be between specified entities. For a start, this will cover key public healthcare stakeholders such as PHIs, AIC and public agencies.

68.     Second, information must only be shared for specified use cases to support continuity of care and population health outreach under national programmes such as Healthier SG and Age Well SG. For example, PHIs may share contact information and the addresses of seniors with AIC, for AIC to contact and engage these seniors to connect them to relevant community-based care services and activities based on their needs.

69.     Third, we will restrict the data types that can be shared to those relevant to each use case. The data shared will generally be limited to basic identification and contact information and, if necessary, broad health risk indicators such as the presence of frailty or chronic conditions, but not the actual medical conditions.

70.     The scope and key requirements for the sharing of non-NEHR health information are provided for under Clauses 45 – 60, while the use cases and the specified entities are set out in the Fourth Schedule. The list of data types allowed for each use case will be set out in subsidiary legislation.


Protecting Health Information: Cybersecurity and Data Security Measures

71.     Let me now turn to the measures in the HIB to secure and protect health information.


Cybersecurity and Data Security Requirements

72.     Healthcare providers that contribute to and access NEHR as well as entities allowed to share and receive non-NEHR health information, will need to meet cybersecurity and data security requirements. They will also be responsible for assessing whether a notifiable cybersecurity incident or data breach has occurred. Once confirmed, MOH will need to be notified. Where a data breach has resulted in, or is likely to result in, significant harm to individuals, the affected individuals will also need to be notified.

73.     These security requirements are covered in Clauses 61 to 82.  

74.     To be clear, today, licensed healthcare providers and practitioners already have obligations to safeguard the personal data of their patients under existing laws. The security requirements under the HIB are based on existing standards and legal requirements. What the HIB does is to consolidate these requirements in relation to health information.


Emergency Measures

75.     Additionally, the Bill will empower the Minister for Health to take emergency measures in critical events where the threat to health information or relevant health information systems could result in health information being lost or compromised. Such powers are not unique to this Bill and can be found in the Infectious Diseases Act 1976 and the Cybersecurity Act 2018.

76.     These powers are necessary. We have seen how incidents, whether cyber or physical in nature, can lead to major and prolonged disruptions of essential services around the world, including healthcare services. Physical incidents such as fires can take out information systems and result in data loss, just as faulty IT updates or cyber-attacks can lead to the same outcome. Hence, these powers are scoped towards enabling responses to protect health information regardless of the form of the threat.

77.     Should an outage involving health information or the systems that host or process such information occur in Singapore and threaten a major disruption of healthcare services, Clauses 83 to 85 will allow the Minister to direct relevant healthcare providers to take mitigating or recovery measures.


C.  Implementation and Enforcement of the Bill

Implementation Support

78.     Sir, as I have earlier mentioned, we intend for the Bill to take effect from early 2027. This would give healthcare providers sufficient time to familiarise themselves with the Bill’s requirements and strengthen their cybersecurity and data security posture. MOH is working closely with healthcare providers on the implementation timelines and will announce further details soon. 

79.     Sir, during our consultations, some healthcare providers shared concerns about the burden of implementing the HIB’s security requirements. MOH has been engaging the associations and providers. I wish to reassure them that MOH is committed to supporting them through this transition.

80.     We will inform healthcare providers of NEHR-compatible systems that meet the Bill’s cybersecurity requirements and automate the contribution of key health information. With the use of such NEHR-compatible systems, healthcare providers will then only need to ensure their data security measures are in place, such as training staff involved in patient care to access and use NEHR appropriately. Training resources and programmes, as well as funding support, will be made available to support healthcare providers and healthcare professionals.

81.     We are aware that some healthcare professionals are concerned about increased liability from accessing and using NEHR. MOH is working towards publishing guidelines on the appropriate access and use of NEHR information that healthcare professionals, including nurses and allied health professionals, may use as a resource.  


Offences and Penalties

82.     I will now touch on the key offences and the penalties. Under the HIB, non-compliance with contribution requirements is not an offence in the first instance, as we recognise that there could be genuine challenges onboarding to NEHR. If non-contribution arises from technical difficulties, for instance, we will work with healthcare providers to rectify the underlying issue.

83.     However, in the event of deliberate or reckless non-compliance or breaches, directions may then be issued to the healthcare provider to comply. It is only when the healthcare provider fails to comply with a direction that the provider could be liable for an offence punishable by up to $20,000, 1 year’s imprisonment or both upon conviction. I reinforce that this is only in the event of deliberate or reckless non-compliance or breaches.  

84.     For breaches that are likely to have a greater impact on patients, maximum penalties are higher. For instance, a person convicted of an offence relating to unauthorised access of NEHR information under Clause 38 faces a fine of up to $50,000, 2 years’ imprisonment or both for a first offence. This maximum penalty is doubled for a repeat offence, or if the unauthorised access was for employment or insurance purposes. The penalty for this offence is comparable to other relevant laws. For instance, the maximum fine of $50,000 is aligned with serious breaches involving unauthorised access to computer material in the Computer Misuse Act 1993.  

85.     Breaches involving systemic failures are dealt with most severely; for instance, healthcare providers that fail to put in place the cybersecurity or data security measures required under the HIB may face a fine of up to $1 million, as the health information of many patients could be compromised. A failure would likely be committed by a healthcare provider or other organisation; hence, the maximum fine must be high enough to serve as an effective deterrent to such organisations.

86.     Nevertheless, these are maximum penalties, which are aimed at addressing the most egregious of breaches. We would like to reassure healthcare providers and healthcare professionals as well as Singaporeans that should potential breaches occur, MOH will look at the facts of each case carefully. The Bill also allows for a range of enforcement actions besides prosecution, including composition of offences, directions to rectify breaches and letters of warning.


D.  Conclusion

87.     Sir, the HIB will play a critical role in supporting the transformation of our healthcare delivery services and model. Through ‘One Patient, One Health Summary, One Care Journey’, Singaporeans will benefit from better coordinated care, enhanced quality of care and lower costs. 

88.     I urge Members of the House to support the Bill.

89.     Mr Deputy Speaker Sir, I beg to move.


Back to top