All healthcare service providers must contribute and share patients’ key health information

(Photo credit: ST File)

Source: The Straits Times

As more people receive care beyond hospitals and polyclinics, the Health Ministry is making it compulsory for all providers, including private specialist clinics, dental clinics and laboratories to contribute patients’ key health information to the country’s national repository.

To help them come on board, the Government will offer various support measures. Recalcitrant providers could face fines or even jail time if they continue to fail to meet the requirements.

Under the Health Information Bill (HIB) passed in Parliament on Jan 12, healthcare providers will be given until early 2027 to meet the various data contribution and protection requirements.

Introduced in 2011, the National Electronic Health Record (NEHR) system serves as a centralised repository for key health information crucial for continuity of care, such as diagnoses, medications, allergies, vaccinations, laboratory reports, radiological images and discharge summaries.

With NEHR, patients do not need to repeat medical tests or take along paper medical reports and scans when visiting different healthcare providers. A central repository also minimises the risk of patients being prescribed medication they are allergic to.

With the time saved, doctors can make better and faster decisions for their patients.

“The HIB will help us achieve the goal of ‘One Patient, One Health Summary, One Care Journey’,” said Senior Minister of State for Health Tan Kiat How at the debate of the HIB in Parliament on Jan 12.

“We will work with and support healthcare providers and professionals in achieving this goal.”

Public hospitals, which handle 90 per cent of the country’s acute hospital workload, have been using NEHR since 2011. Primary care providers such as polyclinics and GP clinics on the Healthier SG initiative have also progressively been on board since then.

Under the HIB, healthcare providers, including public and private hospitals, private specialist clinics, outpatient dental clinics, dialysis centres, retail pharmacies, and clinical and radiological laboratories, will be required to contribute key patient data into NEHR.

Mr Tan said the key features of HIB were adopted to suit the local context after the authorities studied frameworks governing the sharing of health information across healthcare providers in Australia, Estonia, Finland and Norway.

As at Oct 31, 2025, about 70 per cent of the more than 2,000 GP clinics have joined the effort. Based on information on the Ministry of Health’s (MOH) website, there are more than 2,000 GP clinics in Singapore.

Out of the nine private hospitals here, five are on board NEHR, said the Ministry of Health. Four – Thomson Medical, Mount Alvernia Hospital, Farrer Park Hospital and Crawfurd Hospital – have yet to come onboard despite earlier commitments to do so by end-2025.

Mr Tan pointed out that only the key health information of Singaporeans, permanent residents and those with long-term immigration passes will be added into the system as they are more likely to seek care in Singapore over time. Health information of transient visitors, including medical tourists, will not be included.

To allow for timely and effective care, healthcare professionals need not seek consent from the patient each time they access the patient’s NEHR records.

Safeguarding patients’ health information, including those of a more sensitive nature such as records of mental conditions, was one of the key concerns raised by several MPs during the debate. Fourteen MPs spoke in support of the Bill.

Mr Tan stressed that NEHR is not a new system and various safeguards have been built into it over the years, including role-based access, where authorised healthcare professionals can only access the types of health information required for their specific patient care role.

Those who contribute to and access NEHR will also need to meet cybersecurity and data security requirements, and will be responsible for assessing and notifying the authorities on cybersecurity incidents and data breaches.

He also emphasised that accessing NEHR for purposes relating to employment or insurance will be prohibited. This would mean healthcare professionals will not be allowed to access NEHR to fill out medical reports required for insurance claims or pre-employment medical screening forms.

There are also technical safeguards in place, such as limiting the number of patient records that can be accessed within a stipulated timeframe.

MOH said that regular audits are conducted, and more measures and processes will be added to limit and detect unauthorised access.

Patients can monitor access of their NEHR information through their HealthHub account, and report any suspicious activities to MOH.

Mr Tan said those who have privacy concerns may restrict access to their NEHR information, so that only select healthcare providers have access to it, which is similar to restrictions in Australia, Estonia and Hong Kong systems.

This restriction feature is already available in NEHR. Since 2011, more than 2,300 patients have placed access restrictions on their NEHR records, which translates to less than 0.1 per cent of all patients with NEHR records. More than 180 of them have lifted the restrictions after being counselled on its benefits.

Currently, access restrictions can be requested through public healthcare institutions. From the second half of 2026, patients can do so directly through their own HealthHub account, said Mr Tan.

Nonetheless – even for these patients – healthcare providers will still be able to view their critical allergies and vaccination information as this is meant to ensure patient safety by preventing inappropriate prescriptions or immunisation.

Doctors may be allowed to “break glass” and access the patient’s NEHR information during medical emergencies even if there are access restrictions. They would be asked to re-verify their credentials and declare the medical emergency. All such instances will also be subject to audits, with penalties in place for inappropriate “break glass” cases.

Several MPs also raised concerns about small GP clinics not being able to meet the requirements, such as older doctors who may still be relying on pen-and-paper records, or intend to retire in a few years’ time and may not want to spend on digitalisation.

MOH will be providing various support measures to help them. This includes a support package to defray NEHR onboarding costs and a white list of NEHR-compatible systems which meet the cybersecurity and data security requirements.

The amount of funding to be made available to providers is still being discussed, said MOH.

Mr Tan pointed out that with the use of NEHR-compatible systems, healthcare providers will only need to ensure their data security measures are in place, such as training relevant staff to access and use NEHR appropriately.

He also spoke about offences under the HIB and corresponding penalties. For those which do not comply with data contribution, it will not be an offence in the first instance as they may face “genuine challenges onboarding to NEHR”.

But for deliberate or reckless non-compliance or breaches, the authorities may issue directions to the provider to comply. Failing which, the provider could be liable to a fine of up to $20,000 and/or one year’s imprisonment upon conviction.

Those who are convicted of unauthorised access of NEHR information will face a fine of up to $50,000 and/or two years’ imprisonment for their first offence. The maximum penalty is doubled for a repeat offence, or if the unauthorised access was for employment or insurance purposes.

Providers which fail to put in place the cybersecurity or data security measures required under the HIB may face a fine of up to $1 million as the health information of many patients could be compromised.

“Nevertheless, these are maximum penalties, which are aimed at addressing the most egregious of breaches. We would like to reassure healthcare providers and healthcare professionals, as well as Singaporeans, that should potential breaches occur, MOH will look at the facts of each case carefully,” said Mr Tan.