On December 11, 2023, Singapore’s Ministry of Health launched a public consultation exercise on a proposed Health Information Bill (Bill), with a draft expected to be tabled in Parliament in the first half of 2024.
Whilst extensive industry consultations have been conducted on the proposed provisions of the Bill involving 39 focus groups and over 1,000 stakeholders, this is the first time that the general public at large (including patients) can submit comments.
The Bill will introduce a slew of changes that will have significant impact on healthcare in Singapore.
Mandatory participation by all licensed healthcare providers in the National Electronic Health Records (NEHR)
First and foremost, the Bill will mandate participation by private healthcare providers in a centralized database of patient health records, known as the NEHR.
The policy objective of the NEHR is to achieve more seamless care delivery in Singapore. With an aging population, Singapore projects that more citizens and residents will need to consult multiple healthcare providers whose record-keeping systems are scattered and separate.
Whilst the NEHR was established in 2011, only public healthcare institutions and 15% of private providers in Singapore are using the NEHR. This is because participation in the NEHR by private institutions has to-date only been voluntary.
However, this is slated to change, as the Bill will make it mandatory for all licensed healthcare providers (whether public or private) to contribute data to the NEHR.
Contribution and access to data in the NEHR
The Bill will require key health information to be uploaded to the NEHR. This includes:
- Patient Demographics (e.g., name, address, contact details)
- Visits (e.g., admission to a hospital, general practitioner visit)
- Medical Diagnosis / Allergies
- Operating Theatre Notes / Procedures / Treatments (e.g., endoscopy, surgical reports)
- Discharge Summaries
- Investigation Reports (e.g., laboratory reports such as blood tests, radiological investigation reports such as X-Ray Reports).
Uploading data to the NEHR will be automated, in that healthcare providers using a compatible electronic medical record (EMR) system should not see a change in their practice nor any additional administrative burden when contributing data to NEHR.
All healthcare licensees will be granted access to the NEHR. As for non-licensed healthcare providers, they may also be granted access as approved users, but only to relevant information required for them to provide care to patients. For example, retail pharmacists may be granted access only to medication and allergy records.
More sensitive health information will be subject to greater restrictions of access by medical practitioners, selected nurses and pharmacists based on their specific role in the care delivery of a patient. A specified list of sensitive health information is provided for, which includes the assessment, diagnosis, treatment, prevention, or alleviation by a health professional of any of the following affecting an individual:
- Any sexually transmitted disease;
- Human Immunodeficiency Virus Infection;
- Schizophrenia or delusional disorder;
- Substance abuse and addiction;
- Subject to specified conditions, organ donation, transplants and receipt, donation or receipt of a human egg or sperm;
- Any contraceptive operation or procedure or abortion;
- The suicide or attempted suicide of the individual; and
- Domestic abuse, child abuse or sexual abuse.
Whilst the Bill will give individuals the option to restrict sharing of their health data in the NEHR generally, this can be overridden in the case of a medical emergency. For this ‘break glass’ override to be triggered, the individual must be medically assessed to be at risk of immediate and significant harm unless medical intervention is given, and is unable to provide consent; for instance, a patient with a concussion. The override is not available where an individual continues to have the ability to provide or withhold consent, even in a medical emergency situation.
A draft set of guidelines on the appropriate use and access to the NEHR can be found here.
Cyber and data security measures
The Bill will impose obligations to safeguard against cyber and data security risks (read our earlier post on this here). These will include administrative access controls, such as a double log-in function within NEHR, and mandatory incident reporting. A breach will be reportable within 2 hours from confirmation of its being notifiable, if it:
- involves sensitive health data of any patient, or
- affects 500 or more patients.
Any unauthorised use or access will be subject to penalties, of up to 10% of the organisation’s annual turnover.
Restrictions of use of data
The Bill will contain explicit prohibitions against the use of NEHR data and records to assess one’s suitability for employment, and/or eligibility for an insurance policy or claim. In short, a patient’s medical history can never be used to discriminate against his or her employability or insurability. Such a prohibition will override any consent that a patient may give, so as to ensure that such patient is never coerced into giving their consent for such assessments and discriminatory use.
Comments can be submitted here and the consultation closes on January 11, 2024.
If you need assistance in understanding how these changes will impact on your business and operations, do reach out to the author or your usual SPB contact.