
Singapore introduces landmark Health Information Bill


On 5 November the Singapore Ministry of Health introduced the Health Information Bill (the “Bill”) in Parliament, marking a major step towards achieving a centralised digital health ecosystem in Singapore. If enacted, the Bill will require licensed healthcare providers to contribute key patient data to the National Electronic Health Records (“NEHR”) system and will establish tailored legal, privacy and cybersecurity safeguards to govern health data. The Bill responds to the problems of fragmented clinical records and low private sector participation in the NEHR, by requiring licensed providers to contribute specified health data. Its purpose is to create a comprehensive, current national health record that improves continuity of care, enables co-ordinated clinical decision making and supports national health programmes.

The Bill imposes cybersecurity and data security obligations on any person who is subject to or who uses the statutory frameworks it creates. It defines roles such as contributors, users, requestors, system operators, health data intermediaries, disclosers and recipients and assigns specific duties and responsibilities to each role based on how they handle health data. You will be subject to the Bill to the extent you engage with any of those frameworks or perform functions described by those roles. The regime is distinct from but conceptually aligned with the Personal Data Protection Act 2012 (“PDPA”) and the Cybersecurity Act 2018 (“CSA”).

The Bill’s core objectives:

  • Ensure NEHR records are accurate, current and accessible for authorised purposes.
  • Provide a sectoral legal basis for sharing health information to support continuity of care.
  • Impose minimum data protection and cybersecurity obligations on those that process health information.

In terms of oversight and enforcement, the Ministry of Health will implement and enforce the new regime. The Bill requires the reporting of security and cybersecurity incidents to the Minister for Health, which will sit alongside existing reporting duties under the PDPA and the CSA to the relevant regulators.

We go into further detail on the Bill’s key sections below.

The national electronic health records system: Part 2 of the Bill

Summary of the NEHR

The NEHR is an electronic system established by the Singapore Government to hold individuals’ health information. It consolidates key health data from multiple healthcare providers into a single record. Low participation in the NEHR by healthcare providers has led to fragmented patient records, which hinders continuity of care and undermines the effectiveness of national health initiatives. The Bill aims to improve the usefulness of the NEHR by mandating the collection, use and disclosure of certain health information to the NEHR.

Scope

The requirements relating to the NEHR apply to health information about:

(i) Singapore citizens and permanent residents;

(ii) individuals issued with a foreign identification number; and

(iii) any other classes of individuals that may be prescribed by regulation.

Definition of health information

Part 2 of the Bill defines “health information” about an individual to cover (i) administrative information and (ii) clinical information.

(i) Administrative information is non-clinical data connected to an individual’s interaction with health services, including:

  • Use of services: records of appointments, admissions, outpatient visits, referrals and encounters with healthcare or community health services.
  • Provision of services: details about how a service was delivered, such as location, attending provider, service type and billing codes.
  • Eligibility for public financial assistance: information used to determine or record entitlement to subsidies or other public funding for healthcare or community services.

(ii) Clinical information, on the other hand, relates to the individual’s health and medical care, including:

  • Physical or mental health: diagnoses, symptoms, medical history, observations, mental‑health assessments and clinical findings.
  • Diagnosis, treatment and care: test results, imaging and laboratory reports, medication prescriptions and administration, procedure and surgery reports, treatment plans, progress notes and care summaries.

Mandatory contribution of health information to the NEHR

The Bill uses the terms “user”, “contributor”, “specified contributor” and “system operator” to describe the persons or organisations that operate the NEHR or that are required to contribute and permitted to access health information in the NEHR.

Under Part 2 of the Bill, individual consent is not required for the contribution of health information to the NEHR, nor for the accessing, collecting, disclosing or using of health information or of information derived from it (we discuss derived information in more detail below). In other words, the consent that the PDPA would otherwise require for the collection, use and disclosure of health information is dispensed with, provided those activities comply with the requirements of the Bill.

Who must contribute to the NEHR?

A broad class of licensed healthcare providers (referred to as “specified contributors” and as laid out in Part 1 of the First Schedule of the Bill) must contribute defined categories of health information to the NEHR. This includes providers licensed under the Healthcare Services Act 2020, such as:

  • acute hospitals;
  • community hospitals;
  • ambulatory surgical centres;
  • clinical laboratories;
  • radiology services;
  • assisted reproduction clinics;
  • nursing homes;
  • dental and outpatient clinics;
  • renal dialysis centres; and
  • retail pharmacies.

The types of health information required to be contributed to the NEHR will depend on the nature of the specified contributor’s healthcare service, and may include:

  • visit events and diagnoses;
  • adverse drug event history;
  • prescribed and dispensed medications;
  • medication lists;
  • vaccines;
  • cardiac and surgical reports;
  • dental notes;
  • discharge summaries and referral memoranda;
  • emergency and urgent care summaries; and
  • laboratory and radiology reports.

As mentioned, not all healthcare providers are required to submit every type of health information; the contribution requirements vary according to the healthcare service provided and are laid out in detail in Part 1 of the First Schedule to the Bill.

Access and collection of health data in the NEHR

Specified users can only access and collect health information from the NEHR for clearly defined permitted purposes, namely:

(i) providing healthcare to the individual; and

(ii) conducting specified medical examinations, meaning any medical, dental, psychiatric or psychological examination, test or assessment of an individual that is required for the purpose of complying with a written law specified in the Third Schedule of the Bill, such as the Infectious Diseases (Quarantine) Regulations (Rg 1) or the Coroners Act 2010.

The Bill introduces the concept of an “authorised individual” of a user, defined as an employee, enlisted personnel, or volunteer acting on behalf of a specified user. Such authorised individuals are entitled to access and collect accessible health information about a person, but only if:

  • The access and collection are necessary for the individual to perform their duties for the specified user.
  • Those duties are related to the specified user carrying out a specified purpose.
  • The accessible health information disclosed is no more than is necessary to enable the individual to perform or discharge those duties.

To protect against the improper use of an individual’s health information available in the NEHR, the Bill makes it clear that access and collection of health data in the NEHR is prohibited for certain excluded purposes, including:

  • Assessing suitability or eligibility for employment, promotion, continued employment, or removal from employment or office.
  • Deciding on engagement or terms under a contract for services, including termination or modification.
  • Determining suitability or terms for entering into or modifying platform work agreements (e.g., gig economy work).
  • Making decisions about insurance coverage, renewal, or claims.

Obligations of specified users

Specified users are required to implement and maintain robust procedures, policies, and controls to ensure that all authorised individuals handle health information lawfully and in accordance with the organisation’s internal policies. This includes establishing and enforcing appropriate governance frameworks and ensuring role-based access controls. These standards must be consistently applied to employees, contractors, and volunteers alike.

The use of “derived” health information

“Derived information” refers to health information that is derived from accessible health information (i.e. health information accessible on the NEHR) about an individual, and includes an extract or a copy of that health information. The Bill further distinguishes between two types of derived information:

  • Type 1 derived information: Individually identifiable health information.
  • Type 2 derived information: Aggregated or anonymised health information.

Who can use derived information?

Under the Bill, both eligible individuals and public agencies can apply to the Minister for access to derived information. Applications must be submitted in the prescribed form and must:

  • Clearly state every purpose for which the derived information is sought.
  • Indicate whether the applicant intends to disclose the derived information to any other person or class of persons.

The factors that the Minister for Health will consider when deciding whether or not to approve an application to use derived information interplay with the Bill’s broad purpose to support the effectiveness of Singapore’s public health initiatives, for example:

  • Type 1 derived information: May be approved if the application relates to or promotes public health. The Minister will also consider the feasibility and reasonableness of obtaining prior consent from the individuals concerned, and whether the purpose can be achieved with type 2 derived information instead; where it can, the Minister may provide type 2 (anonymised) information in place of the type 1 (identifiable) information requested.
  • Type 2 derived information: May be approved if the Minister determines that it is in the public interest.

Penalties for non-compliance with Part 2 of the Bill

The Bill imposes strict criminal penalties for improper access, collection, use or disclosure of health information or of data derived from it, and the individual’s consent is not a defence. Penalties for improper access or collection include fines of up to $50,000 and/or 2 years’ imprisonment for a first offence, and up to $100,000 and/or 4 years’ imprisonment for repeat offences. Offences involving excluded purposes attract higher penalties (up to $100,000 and/or 4 years for a first offence, and up to $200,000 and/or 7 years for repeat offences). Persons who are not users or authorised individuals are prohibited from accessing or collecting NEHR information except as permitted by law or by court order, and face penalties of up to $100,000 and/or 4 years’ imprisonment.

Sharing of relevant information for specified use-cases: Part 3 of the Bill

Overview

This Part governs the sharing of “relevant information”, which is defined as:

  • any administrative or clinical information about an individual (defined as we detailed in respect of Part 2 above); and
  • any other individually identifiable information relating to the individual or to someone who provides or is responsible for that individual’s care and welfare.

“Relevant information” under Part 3 is therefore broader than “health information” under Part 2: it covers all administrative and clinical data about an individual plus other individually identifiable information, such as caregiver details, whereas “health information” is limited to administrative and clinical data about the individual alone.

Under the Bill, data sharing is permitted only for a defined set of “use cases” between designated public healthcare bodies and agencies, referred to as “disclosers” and “recipients” (these are distinct from the defined terms “user” and “contributor”, which Part 2 uses for those that handle health information in the NEHR context). The use cases are intended to support public health objectives, such as identifying, engaging and supporting individuals, particularly the elderly, in national health initiatives like Healthier SG and Age Well SG.

The Fourth Schedule of the Bill sets out, in detail, the permitted use cases, the parties authorised to disclose and receive relevant information, and the specific programmes associated with each use case.

The key use cases, together with the authorised disclosers and recipients, the intended purpose and the relevant programmes, are summarised below:

Use case 1: Continuity of care for national health initiatives

  • Discloser: a public healthcare institution or “Cluster HQ” (i.e. National Healthcare Group Pte Ltd, National University Health System Pte Ltd or Singapore Health Services Pte Ltd).
  • Recipient: the Agency for Integrated Care (“AIC”).
  • Purpose: identify and engage individuals who may need community health services, encourage healthy behaviours and refer them to service providers.
  • Relevant programmes: Healthier SG, Age Well SG.

Use case 2: Continuity of care for national health initiatives (reverse direction)

  • Discloser: AIC.
  • Recipient: a public healthcare institution or Cluster HQ.
  • Purpose: as for use case 1.
  • Relevant programmes: Healthier SG, Age Well SG.

Use case 3: Outreach for national health initiatives (elderly residents)

  • Discloser: any public agency.
  • Recipient: AIC.
  • Purpose: identify individuals over 60 who are not living at their registered address, check on their wellbeing and refer them to Age Well SG services if needed.
  • Relevant programme: Age Well SG.

Use case 4: Outreach for national health initiatives (general population)

  • Discloser: any public agency.
  • Recipient: a public healthcare institution, Cluster HQ or AIC.
  • Purpose: identify and engage individuals who may benefit from health monitoring or improvement, and encourage participation in health actions.
  • Relevant programme: Healthier SG.

Data sharing under Part 3 of the Bill must be done via a data sharing agreement

Disclosers and recipients may act directly or through health data intermediaries processing data on their behalf. Importantly, any information sharing under this Part of the Bill is only lawful if governed by a written Data Sharing Agreement (DSA) that is in effect at the time of disclosure. The DSA must clearly identify the parties involved, specify the permitted use case, detail the types of relevant information to be shared (limited to the minimum necessary), and list the authorised personnel from both parties or their intermediaries. Health data intermediaries may process information as required to support the recipient’s implementation of the agreed use case. If these conditions are not satisfied, data sharing is strictly prohibited.

Relevant information collected under a DSA may only be used for the specified purpose and must be accessed and processed solely to the extent necessary to implement or facilitate the use case. Further disclosure of the information is not permitted unless expressly required or authorised by law.

Is individual consent required for data sharing between disclosers and recipients for specified use cases?

Under this Part, the sharing, collection, and use of relevant information does not require the individual’s consent, even if other laws (such as the PDPA) or contractual confidentiality obligations would otherwise mandate it. Nevertheless, all data sharing must be for a permitted use case and conducted under a valid DSA.

Penalties for non-compliance with Part 3 of the Bill

Non‑compliance with the data sharing requirements under this Part attracts significant criminal penalties and, for repeat offenders, increased fines and imprisonment. It is an offence to contravene key requirements of this Part, including failing to have a valid DSA, not complying with obligations relating to disclosure, collection, use or further disclosure of relevant information, or breaching any prescribed conditions or restrictions, unless there is a reasonable excuse. Upon conviction, the penalty for a first offence is a fine of up to $50,000, imprisonment for up to 2 years, or both; for a person with a prior similar conviction, the penalty increases to a fine of up to $100,000, imprisonment for up to 4 years, or both.

Security of “health information” and “relevant information”: Part 4 of the Bill

Part 4 establishes mandatory requirements regarding the security, retention, disposal, and cybersecurity of “health information” and “relevant information” processed by the following parties (referred to as “relevant persons” in this Part):

  • contributors;
  • users;
  • requestors;
  • system operators;
  • disclosers; and
  • recipients.

Notably, these requirements do not apply to the Government or public authorities.

Key requirements:

1. Data security controls (Section 66)

  • Obligation: All relevant persons must implement reasonable controls and safeguards to protect health and relevant information from unauthorised access, use, disclosure, modification, loss, or destruction.
  • Considerations: Security measures should be tailored to the nature and sensitivity of the information and the potential consequences of any unauthorised disclosure.
  • Health Data Intermediaries (HDIs): Where an HDI processes information on behalf of another party, both the HDI and the engaging party are responsible for compliance.
  • Personnel awareness: All personnel, including employees and volunteers, must be made aware of their responsibilities to maintain the confidentiality, integrity, and availability of information.
  • PDPA alignment: These requirements mirror the protection obligation under Section 24 of the PDPA.

2. Retention and Disposal (Section 67)

  • Retention: Health or relevant information must not be retained longer than necessary for the original purpose of collection. Once:

(i) the purpose for which the information was collected is no longer being served by retention of the information; and

(ii) retention is no longer necessary for legal or business purposes,

the information must be securely removed or destroyed.

  • Disposal: Reasonable care must be taken during disposal or destruction to prevent unauthorised access, disclosure, or reproduction of the information.
  • PDPA alignment: The retention period in respect of “health information” and “relevant information” aligns with the retention period in respect of personal data in Section 25 of the PDPA, but there is an added obligation to ensure secure disposal, exceeding PDPA requirements.

3. Cybersecurity of relevant computer systems (Section 68)

  • Scope: Applies to any computer or system (including servers) interconnected with the NEHR or processing health or relevant information.
  • Safeguards: Reasonable measures must be in place to protect the confidentiality, integrity, and availability of information, including protection against unauthorised access, interference, or tampering.
  • HDI responsibility: These obligations also apply to HDIs processing information on behalf of relevant persons.
  • CSA alignment: The definitions of “cybersecurity” and “cybersecurity incident” in the Bill are aligned with those same definitions in the CSA:
    • “Cybersecurity” is defined as the state in which a computer or system is protected from unauthorised access or attack so that it remains available and operational, and the integrity and confidentiality of the information it holds are preserved, consistent with the Cybersecurity Act 2018.
    • A “cybersecurity incident” means an act or activity carried out without lawful authority that jeopardises a computer system’s cybersecurity. A “data breach” in relation to health or relevant information includes unauthorised access, collection, use, disclosure, copying, modification, disposal or destruction of that information, or loss of a storage medium where such unauthorised acts are likely to occur; this is consistent with PDPA concepts but focused on health and relevant information.

However, the CSA primarily regulates critical information infrastructure providers, whereas the cybersecurity obligations in the Bill attach to computers interconnected with the NEHR or processing health or relevant information.

4. Policies and practices (Section 69)

  • Requirement: Relevant persons must establish, implement, and regularly review policies and practices to ensure ongoing compliance with data security and cybersecurity obligations.
  • Personnel compliance: All personnel, including those of HDIs, must adhere to these policies.

5. Incident management (Section 70):

Organisations must have an incident management framework in place to detect, respond to, and resolve cybersecurity incidents or data breaches, and to prevent recurrence.

Offences and penalties

Breach of the security, retention, disposal or cybersecurity obligations attract significant sanctions: individuals face fines of up to $200,000 and/or imprisonment of up to 2 years, and organisations face fines of up to $1 million.

Part 5: Notification of “cybersecurity incidents” and “data breaches”

Part 5 imposes mandatory obligations to detect, assess, and notify cybersecurity incidents and data breaches involving health information or relevant information processed on the NEHR or related systems. These duties apply to relevant persons and relevant computer systems, including contributors, users, disclosers, recipients, system operators, and health data intermediaries, but do not extend to the Government or public authorities.

Duty to assess suspected cybersecurity incidents and data breaches

(i) Cybersecurity incidents

  • Where a relevant person has reason to believe a cybersecurity incident has occurred affecting the NEHR or any connected computer system, they must “promptly assess, in a reasonable and expeditious manner”, whether the incident is notifiable.
  • If an HDI suspects an incident, it must notify the contributor or user without undue delay. The contributor or user must then conduct the required assessment.

(ii) Data breaches

  • The same assessment duty applies to suspected data breaches involving health or relevant information. Relevant persons must assess such breaches in a “reasonable and expeditious manner.”
  • If a third-party intermediary suspects a breach, it must notify the contributor or user “without undue delay”, who must then assess the incident.

Definition of data breach:

A data breach, in this context, means:

  • Unauthorised access, collection, use, disclosure, copying, modification, disposal, or destruction of health or relevant information.
  • Loss of any storage medium or device containing such information, where unauthorised access or use is likely.

Comparison with PDPA:

  • The definition and assessment timelines mirror those in the PDPA, specifically Sections 26A and 26C, but are tailored to breaches affecting only “health information” and “relevant information”.

Duty of notification of cybersecurity incidents and data breaches

Notifiable cybersecurity incident

  • If an incident is assessed as notifiable, the relevant person must notify the Minister for Health as soon as practicable, and within any prescribed period, providing all required information.

Comparison with the Cybersecurity Act (CSA): 

  • The duty to report is similar to the CSA’s requirements for critical information infrastructure, but here it applies only to incidents that relate to the NEHR and related systems.

Notifiable data breach

  • Grounds of notification: A data breach is notifiable if it is likely to cause significant harm to individuals or is of significant scale (e.g., affects a prescribed number of individuals or involves certain types of information).
  • Significant harm: A breach is deemed to cause significant harm if it involves prescribed health or relevant information, or a prescribed class thereof. These classes have not yet been prescribed.
  • Significant scale: A breach is significant if it affects at least the prescribed number of individuals. This number has not yet been prescribed.
    • Comparison with PDPA: These thresholds of “significant scale” and “significant harm” mirror those for notifiable personal data breaches as laid out in Section 26B of the PDPA.
  • Notification to Minister for Health (Section 79): If a breach is notifiable, the relevant person must notify the Minister for Health “as soon as practicable”, and no later than the prescribed period after making the assessment.

    • Comparison with PDPA: Unlike the PDPA, under which notification is made to the PDPC, notification here is made to the Minister for Health. In line with the obligation to notify the PDPC under Section 26D of the PDPA, notification to the Minister for Health must be made “as soon as practicable”. The prescribed period under the Bill has not yet been set out; however, it is likely to align with the PDPA’s standard of no later than 3 days after assessment.
  • Notification to affected individuals (Section 80): Relevant persons must notify affected individuals of notifiable data breaches unless:

    (i) after assessing the breach, they take prescribed actions that make it unlikely the breach will cause significant harm to the individual; or

    (ii) before the breach occurred, they had already implemented technological measures that make it unlikely the breach will cause significant harm to the individual.

    • Comparison with PDPA: This mirrors the individual notification requirements under Section 26D of the PDPA.

Penalties

Penalties for noncompliance are significant. Failure to comply with assessment or notification duties can attract for individuals fines up to $200,000 and/or imprisonment up to 2 years, and for organisations fines up to $1 million. Failure to comply with prescribed notification form or manner requirements carries lower but still material penalties (up to $20,000 and/or 12 months imprisonment).

Portability requirements: Section 87 of the Bill

The new legislative framework introduces specific obligations for Health Data Intermediaries (HDIs) regarding the portability of electronic health information. These requirements are designed to ensure that health information can be transferred accurately, completely, and promptly at the request of contributors or users.

Portability requirements (Section 87)

  • Transfer requests: HDIs must establish and implement robust practices and processes to facilitate the transfer of electronic health information, upon request, either to:
    • The contributor or user themselves.
    • Another relevant HDI designated by the contributor or user.
  • Quality of transfer: Transfers must be accurate, complete, and timely.
  • Operational practices: Required practices and processes include:
    • Selection, preparation, extraction, and transformation of health information for transfer.
    • Use of appropriate and secure formats for the transfer.

Comparison with the PDPA’s data portability obligation

It is noteworthy that the Personal Data Protection Amendment Act 2020 introduced a Data Portability Obligation, which will require organisations to transmit specified data to another organisation upon an individual’s request, subject to prescribed requirements. However, the PDPA’s data portability provisions are not yet in force, as the necessary regulations from the Personal Data Protection Commission (PDPC) are still pending. This means that, if passed, the portability requirements under the Bill could take effect before the PDPA’s data portability regime is operational.

Legal protections for good faith actions: Part 9 of the Bill

The Bill provides legal protections for contributors, users, requestors, system operators, disclosers, recipients and certain officers when they act in good faith, with reasonable care and in accordance with the Bill:

  • No liability: These parties are shielded from civil or criminal liability for actions taken in the contribution, access, collection, use or disclosure of health or relevant information, provided they comply with the Bill’s requirements.
  • No breach of confidentiality or copyright: Such actions do not constitute a breach of confidentiality, of professional obligations or of copyright, except where specific laws prescribe otherwise.
  • Scope: Protections extend to authorised individuals, employees, contractors, and officers acting within the scope of their duties.
  • System operators: Additional protections apply for errors, delays, or interruptions in the operation of the national electronic records system, and for actions taken to impose or revoke access restrictions.

These legal protections are designed to encourage compliance and participation in the health information framework, while minimising legal risk for those acting responsibly and in accordance with the law.

Interaction with the Personal Data Protection Act 2012 and Cybersecurity Act 2018: Key legal analysis

The Bill introduces a sector-specific regime that both mirrors and departs from the frameworks established under the PDPA and the CSA, with significant implications for compliance and risk management in respect of health information.

  • Assessment and notification: Dual regimes

    While the Bill’s assessment and notification thresholds for data breaches and cybersecurity incidents are closely modelled on the PDPA, they are expressly tailored to health and relevant information. Crucially, notification to the Minister for Health is required under the Bill in addition to any parallel obligations to notify the Personal Data Protection Commission (PDPC) or affected individuals of personal data breaches under the PDPA, or to notify the Cyber Security Agency of Singapore of cybersecurity incidents under the CSA. This creates a dual-reporting regime in respect of health or relevant information, increasing the complexity of incident response and regulatory engagement.

  • Displacement of consent and statutory basis for processing

    A fundamental shift under the Bill is the displacement of individual consent as the primary legal basis for the contribution, access, collection or disclosure of health information within the NEHR framework, and for the sharing of relevant information between disclosers and recipients under Part 3. The Bill permits specified processing and sharing of health and relevant information without patient consent, provided the Bill’s substantive requirements are met. Conversely, consent under the PDPA alone is insufficient to legitimise access or sharing under the NEHR regime.

  • Security, retention, and disposal: Enhanced statutory duties

    The Bill aligns with the PDPA’s core principles by mandating reasonable technical and organisational measures to protect health information and by limiting retention to what is necessary for the original purpose. However, it goes further by imposing an express statutory duty to ensure secure disposal, requiring reasonable care to prevent unauthorised access, disclosure, or reproduction during destruction or deletion, an obligation that exceeds the PDPA’s requirements.

  • Cybersecurity incident reporting: Divergence in scope and channels

    Although the Bill’s definitions of “cybersecurity” and “cybersecurity incident” are consistent with those in the CSA, the reporting obligations differ materially. The CSA’s reporting regime is limited to critical information infrastructure, whereas the Bill’s obligations apply to any system processing health or relevant information, including the NEHR itself. As a result, organisations may be subject to overlapping but distinct reporting duties, with the Bill requiring notification to the Minister for Health in addition to any obligations under the CSA.

  • Notifiable data breaches

    Data breaches affecting health or relevant information must be reported to the Minister for Health. This reporting obligation is in addition to any separate requirements to notify the Personal Data Protection Commission (PDPC) and affected individuals under the PDPA for breaches involving personal data.

    Organisations must be aware that a single data breach may trigger multiple notification obligations under different laws, and compliance with one regime does not discharge the duty to notify under the Bill.

  • Practical implications: Increased compliance complexity

    Practically, the Bill increases privacy-management complexity by layering sector-specific obligations on top of existing regimes, since the obligations under the Bill operate alongside those under the PDPA and the CSA. Organisations must therefore carefully map their data flows to determine when the health information-specific rules apply, when PDPA safeguards continue to govern, and how to co-ordinate multi-agency notifications and responses for incidents that trigger obligations under more than one statute.

Conclusion

If enacted, the Bill will fundamentally reshape the governance of health data in Singapore, imposing mandatory health information contribution requirements and a comprehensive suite of duties relating to access, sharing, security, retention, disposal, and incident management, backed by significant criminal and financial penalties. Although the Bill remains in draft form and may be subject to further changes, organisations should begin preparing by reviewing their health information data flows, updating internal policies, and ensuring readiness for the new compliance landscape.

If you require further advice on the Bill’s potential impact or assistance with compliance planning, please contact your usual Hogan Lovells representative or the authors of this update.


Authored by Charmian Aw and Ciara O'Leary.
