Navigating Singapore's Evolving Healthcare Landscape: An Update on the Health Information Bill

  • 22 décembre 2023 22 décembre 2023
  • Asie-Pacifique

  • Droit des sociétés

The Ministry of Health in Singapore has introduced the Health Information Bill (“HIB”) to facilitate the collection and sharing of patients' health data through the National Electronic Health Record (“NEHR”). The bill aims to ensure data accuracy, simplify data sharing, and establish cybersecurity safeguards. All licensed healthcare providers are mandated to contribute to the NEHR under the HIB, with stricter regulations for Sensitive Health Information. The legislation outlines the rights and obligations of both patients and healthcare professionals, emphasising data protection measures and penalties for non-compliance. The HIB reflects Singapore's commitment to leveraging technology for enhanced healthcare but underscores the importance of legal compliance and adaptability in this evolving landscape.

First announced in 2022, the Health Information Bill (“HIB”) seeks to facilitate the collection of patients’ health data and allow healthcare providers to share health and administrative data with one another for specific purposes through the National Electronic Health Record (“NEHR”). As Parliament intends to table the HIB within the first half of 2024, the Ministry of Health (“MOH”) is conducting a public consultation from 11 December 2023 to 11 January 2024 on the proposed HIB.

Through the HIB, the MOH intends to achieve the following objectives:

  • ensure health information is kept updated, accurate and accessible;
  • simplify the health data sharing framework to facilitate flow of information between healthcare providers and social care services; and
  • set in place cybersecurity and data security safeguards which providers must comply with.

In this client update,[1] we discuss the significance of the HIB and provide our brief insights on what this new bill may mean to you.

Types of health information covered

In Singapore, the NEHR serves as a central repository of patient health records. Through the HIB, health information recorded on the NEHR will facilitate the flow of information between healthcare providers and social care services to enhance care continuity. Examples of health information include prescribed medications, blood test reports, doctor's notes, etc. Notably, what is not considered health information includes an individual’s name or NRIC alone.

Another category of information, known as the Sensitive Health Information, is managed by additional controls and safeguards because this information exposes a patient to greater harm such as stigmatisation and discrimination during a data breach. Examples of Sensitive Health Information are the HIV status of patients, history of substance abuse and addiction, instances of abortion, among others. Sensitive health information can only be accessed by authorised healthcare providers, based on their role in the delivery of care to the patient.

Who is affected?            

To have an accurate and complete centralised national repository of patient health records, the HIB proposes that all licensed healthcare providers are mandated to contribute data to the NEHR. This is distinguished from the existing policy, where participation by private providers is only voluntary.

Under the HIB, all healthcare providers involved in the patient’s care such as doctors, pharmacists, nurses, allied health professionals, and even social services can access patient health records. However, healthcare providers must fulfil all three legal requirements under the HIB to share their patient’s health information:

  • first, healthcare providers who intend to share and receive your health information must be 'appointed parties' listed in the HIB;
  • second, only the types of data listed in the HIB can be shared; and
  • last, the patient’s health information can be shared only for allowable purposes listed in the HIB.

The following table illustrates examples of the types of data and allowable purposes listed in the HIB:

Type of Data

Allowable purposes

  • Administrative Data (names, contact details, etc)
  • Clinical Data (diagnoses, prescriptions, etc)
  • Supporting continuity of care for the patient
  • Assessing the eligibility of financial scheme for patients
  • Purposes falling under national healthcare initiatives such as Healthier SG

Should any one of the three legal requirements not be met, the healthcare provider will not be allowed to share the information. As such, the provider will need to rely on other legislations or seek consent before such data can be shared. Penalties will be imposed on healthcare providers and individuals who share health information without consent or if they are unable to justify the sharing on any other legal basis.

Rights and Obligations of Parties

Patients

Presently, anyone regardless of residency or citizenship status, will have a record in the NEHR if they have seen an authorised healthcare professional in an institution which contributes data to the NEHR.

A patient may opt to restrict any healthcare professional from accessing their health record. However, such restrictions can be overridden in situations which constitute a medical emergency. In such situations, healthcare professionals must determine whether the patient’s life is at risk of immediate and significant harm unless medical intervention is provided; and if the patient is unable to provide consent.

It should be noted that the healthcare professional will not be able to access the patient’s NEHR record when the patient has the capability to provide consent and refused access despite being in a medical emergency.

Healthcare Professionals

Under the HIB, authorised healthcare professionals (i.e. only healthcare professionals involved in the patient’s care) may access NEHR to provide direct care for patients. However, they are not allowed to access a patient’s health records for employment or insurance purposes.

How is the data protected?

While the HIB facilitates an improved continuity and seamless transition of care in Singapore’s healthcare ecosystem, many are concerned with medico-legal liabilities, cybersecurity, and data security. As such, the MOH have implemented initiatives and guidelines under the HIB to address these issues:

Initiatives

Details

Improved Cybersecurity

  • IT systems, especially in data intermediaries are required to ensure that their IT systems and services maintain good cyber hygiene.
  • Data and systems must undergo regular backups and updates.
  • Healthcare staff must adopt good cybersecurity practices

Additional safeguards for Sensitive Health Information

  • Sensitive Health Information can only be accessed by the authorised healthcare providers when they require the information.
  • A double log-in mechanism is implemented such that healthcare providers will need to consciously assess that they require this information for their care delivery.
  • An identity management feature is implemented to notify when an unauthorised access to Sensitive Health Information occurs.
  • Routine audits involving access to Sensitive Health Information. Healthcare professionals found to have inappropriately accessed or disclosed Sensitive Health Information may be penalised under the HIB or other written laws such as the Infectious Diseases Act.

Enforcement

To ensure the effective compliance of the HIB requirements, the MOH will be empowered to issue directions to rectify noncompliance of the HIB and may require healthcare providers to report cybersecurity incidents or data breaches to MOH.

Under the HIB, an initial report of the confirmed cybersecurity incident or data breach must be provided to MOH within 2 hours, and a detailed incident report must be submitted after 14 days. Additionally, healthcare providers are also required to notify the affected individuals in the event of a notifiable data breach such as breaches involving Sensitive Health Information; or breaches involving more than 500 individuals. The HIB will not require healthcare providers to report data breaches involving non-health information, such as the loss of only financial data or account login details. However, they may still be required to report such data breaches to the Personal Data Protection Commission if it meets the Personal Data Protection Act 2012’s (“PDPA”) data breach notification criteria.

Moreover, the HIB also implements a penalty framework which complements existing applicable legislations such as the PDPA, where fines of up to SGD 1 million or 10% of the organisation's annual turnover (whichever is higher) may be imposed for severe non-compliance.

Concluding Words

The HIB demonstrates Singapore’s move to alleviate the increasing medical demands through the utilisation of technology. Presently, establishing a central repository for patient health records in Singapore holds immense potential to revolutionise healthcare delivery as it does not only enhance efficiency and coordination among healthcare providers but also empowers patients with greater control over their own health data. The seamless exchange of information across the healthcare ecosystem can lead to more accurate diagnoses, timely interventions, and ultimately improved patient outcomes.

At this juncture, while a central repository for patient health records in Singapore offers significant advantages in terms of healthcare coordination and efficiency, it also brings forth a complex landscape of legal considerations. With the introduction of the HIB, healthcare providers are probed to ensure a strong level of compliance with existing legislations such as the PDPA to safeguard patient confidentiality and trust. Thus, as the healthcare landscape evolves, ongoing legal scrutiny and adaptability will be essential to address emerging challenges and ensure that the central repository serves as a secure and ethically sound foundation for advancing healthcare practices in Singapore.

To discuss what the latest development in the Health Information Bill may mean to you, please reach out to the authors below:


[1] The authors would like to thank legal intern Ryan Seah for his assistance with this article.

Fin

Restez au fait des nouvelles de Clyde & Cie

Inscrivez-vous pour recevoir de nos nouvelles par courriel (en anglais) directement dans votre boîte de réception!