Introduction
The Ministry of Health (the MOH) has recently concluded a public consultation on the Health Information Bill (the Bill). Following the public consultation, the Bill is expected to be tabled in Parliament in the first half of 2024.
Scope of the Bill
The Bill sets out Singapore’s legal framework governing the safe collection, access, use, and sharing of health information across the health care ecosystem. It also defines regulations and guidance to facilitate improved continuity and seamless transition of care. The Bill complements the Personal Data Protection Act 2012 (the PDPA), which sets out the legal framework for personal data in general, as well as the related Advisory Guidelines for the Healthcare Sector recently updated in November 2023.
The MOH has set out three main objectives for the Bill:
- Ensure that health information is kept updated, accurate, and accessible.
- Establish a robust framework for the safe collection, access, use, and sharing of health information.
- Set out data security and cybersecurity requirements that health care providers must comply with.
The Bill’s impact on the health care ecosystem
To achieve the three main objectives, the Bill will introduce the following measures:
Require all licensed health care providers and approved contributors to contribute selected and accurate patient health information, with access to the information granted to licensed health care providers and approved users for patient care purposes.
Simplify the health data sharing framework and provide greater clarity on the boundaries of data sharing to facilitate the flow of information for patient care purposes.
Set in place safeguards to govern the safe collection, access, use, and sharing of health information as well as reporting requirements for cybersecurity incidents and data breaches.
The Bill will increase the adoption of the National Electronic Health Record (the NEHR), which was introduced in 2011 as a centralised health information repository. Although public health care institutions were early adopters, only around 15% of private health care institutions participate in the NEHR voluntarily as of October 2023. The Bill now makes it mandatory for all licensed health care providers (public or private) to contribute data to the NEHR. Only key health information such as diagnosis, medications, allergies, and laboratory reports are to be contributed to the NEHR. At the same time, the Healthier SG initiative, the nationwide preventive health care programme, will see community clinics linking up with the NEHR for patient enrolment, recording health plans, and making patient referrals.
The Bill, together with draft NEHR guidelines, sets access limitations to prevent sensitive information stored in the NEHR from being accessed wrongfully. Health care providers may only access relevant information they require for providing patient care. Any sensitive health information that could lead to social stigma or discrimination will be accessible only to certain medical practitioners, nurses, and pharmacists in public institutions. Access will be limited using administrative access controls, such as a double login function and mandatory reporting of any breach of access.
For the avoidance of doubt, the Bill explicitly disallows health information from being used to assess a person’s suitability for employment and whether a person can qualify to be an insurance policyholder or claimant.
Individuals can take control of the sharing of their NEHR health information. The Bill provides individuals with the option to restrict all persons from accessing their information, including their own attending doctor. However, individuals must note that this may affect their attending doctor’s ability to deliver appropriate health care. This is similar to the right to withdraw consent to access personal data (and the implications of withdrawing consent) established in the PDPA.
The Bill recognises that health care providers are increasingly targeted by cybersecurity threats. Thus, the Bill introduces reporting requirements that enable the MOH to take prompt action in the face of the evolving cyber threat landscape. This is part of a broader push by the Singapore government to address cybersecurity threats, as seen in recent proposed amendments to the Cybersecurity Act 2018 (the CSA)
See recent alert
Conclusion
The Bill is timely in expanding the use of the NEHR to improve patient care, while improving access safeguards and taking measures to mitigate cybersecurity threats in line with the PDPA and recent proposed amendments to the CSA. More importantly, it defines the parameters governing the use of this specific dataset and entrenches the individual’s right to control their data.
Client Alert 2024-009