On the Healthcare Information Bill (Bill No. 20/2025)
Mr. Speaker, the Bill advances necessary and timely updates to our healthcare ecosystem and I am supportive of the Bill's intentions.
The Bill establishes a statutory framework to consolidate key medical data into an integrated longitudinal view of an individual’s health record. This is in line with the vision of the “One Patient, One Health Record” when the National Electronic Health Record (NEHR) commenced a decade ago.
I understand that patient records from our public healthcare institutions are already in the NEHR. Let’s say that you sought treatment in SGH. Information about your visit, such as your admission and discharge records, your lab test results, the procedures you did, the medication you were prescribed — those information are already in the NEHR.
And following that, if you were to visit CGH, perhaps to see a specialist for a different medical issue, the CGH doctor will be able to use the NEHR to view the medical summary information of your SGH visit.
However, with this Bill, private healthcare providers will now also be mandated to contribute to the NEHR.
This is significant, since one of the reasons why patients opt for private healthcare is so that their health information is not included in the NEHR. This is especially a concern for patients dealing with sensitive medical issues, including those relating to mental health, sexual health, or addiction.
Sir, it is a given that a national electronic healthcare database will clearly help to optimise patient care and continuity of care. However, the success of the NEHR hinges on fostering the trust that the Government can collect, collate, and consolidate our health information safely and responsibly.
That trust can only exist if we keep patient privacy and patient autonomy at the forefront. By patient privacy, I mean that patients must have the assurance that their confidential health data remains private and secure, with access granted only to particular persons for what is medically necessary or for public health purposes.
Patient autonomy, on the other hand, means that patients should be able to meaningfully determine who has access to their data and how their data is used. In general, patients should be able to know when and why their data is accessed, and by whom.
I believe the Government can agree with me that the NEHR must leave patients feeling empowered, not exposed. And for that to happen, we cannot compromise on either patient privacy or patient autonomy.
The scope of health information
Mr Speaker, the Bill defines a person’s “clinical information” to include both “the physical and mental health of the individual” and “the diagnosis, treatment or care of the individual”, while Part 1 of the First Schedule outlines the different types of health information to be contributed by specific healthcare providers.
Altogether, there are thirteen different types of health information, though only the providers of acute hospital service need to contribute all thirteen. However, I want to focus on the category of “visit diagnoses/reasons for visit or patient problem list”, which many healthcare providers are mandated to contribute.
If I may, I would like to ask the Minister about this category of health information. How lengthy or extensive should the contribution pertaining to “diagnoses”, “reasons for visits”, or “patient problem list” be for the purposes of the NEHR?
I also want to note that, as of 8 January, the FAQ on Synapxe’s website — Synapxe being our national HealthTech agency responsible for running the NEHR — states that the NEHR is meant to receive and consolidate key health summary information, but “not doctor's notes”.
Here is a hypothetical example. Let’s say a person were to meet a private psychiatrist and discuss their recent psychological difficulties, due to a recent breakdown in his or her marriage. The psychiatrist then records these details in their own doctor’s notes.
My first question: When contributing health information to the NEHR about the visit, is the psychiatrist mandated to include those personal and private details of the patient’s life under the category of “visit diagnoses/reasons for visit or patient problem list”?
My second question: Even if the private psychiatrist was not mandated to share their doctor’s notes, can such information still be contributed to the NEHR, including without the patient’s knowledge?
I believe the public will benefit from an assurance from the Ministry that the scope of health information contained in the NEHR will only relate to key health summary data, and will not include “doctor’s notes”, especially intimate and confidential details about a patient’s personal life, even if that information were in some way medically relevant to the provision of care.
Law enforcement activities as an “excluded purpose”
Mr Speaker, the Bill explicitly identifies certain “excluded purposes”. I’m sure that all patients appreciate the assurance that their healthcare information cannot be used for employment and insurance purposes.
However, I want to ask the Minister whether the Police and other law enforcement agencies will be similarly barred from using information from the NEHR? For instance, if a substance abuser sought treatment on his own to battle his addiction, would law enforcement be able to use the NEHR records to arrest and/or charge him?
I ask this because patients seek treatment and care with some expectation of confidentiality, that their sensitive health information will be kept private. We need to ensure that patients continue to feel comfortable to seek treatment.
Ease of access restrictions
Mr Speaker, other than safeguarding their privacy, we need to ensure that patients are able to retain autonomy over their health information. Clauses 29 and 30 allow for access restrictions, which patients can use either to restrict all access to their healthcare information in the NEHR, or to restrict access for specific users or purposes.
And if I understand Clause 30(7) correctly, these Class 1 and Class 2 access restrictions do not prevent or restrict the contribution of healthcare information by a medical provider. In other words, healthcare information about every medical visit and treatment in Singapore will be recorded in the NEHR, but patients can block other healthcare providers from having access to that information.
Sir, these access restrictions will only work if these options can be exercised easily and in a patient-friendly manner. Currently, there is an option to opt out of the NEHR. but this involves a slightly elaborate and tedious process of making an appointment at one of the polyclinics and restructured hospitals to obtain and submit an opt-out form. Patients wishing to opt out will also be — and here I quote directly from the Synapse FAQ — they will be “counselled, to ensure that they fully understand the implications of this decision to their care as their providers will not have access to their records.”
Even then, opting out does not mean your healthcare information gets deleted from the NEHR. What happens is that healthcare providers don’t get to view them. Moreover, these access restrictions can be — understandably — overridden in a medical emergency.
I thus want to ask how the Ministry intends to implement the access restriction mechanisms under the Bill. Firstly, will the Ministry continue to counsel those who wish to invoke access restrictions, and can we have further details about the content and duration of that counselling process? Secondly, is the Ministry considering the possibility of allowing patients to invoke or revoke these access restrictions online through HealthHub? Thirdly, is the Ministry planning to conduct regular public campaigns to educate patients about their access restriction rights?
Transparency about accessed data and data breaches
Mr Speaker, another important dimension to patient autonomy is being transparent about the who, when, and why of access to our healthcare information.
I understand that patients can view which healthcare providers have accessed their health records through the NEHR Access History section in HealthHub. I want to clarify with the Minister about how granular this data would be. Would the patient only be able to see which healthcare institutions have accessed their records, or will it also list out the specific healthcare professionals who were accessing their records?
Moreover, at GP clinics, how can patients be sure that only their doctor is able to view the health information on the NEHR, and not their non-clinical staff?
This relates to another question about unauthorised access to the NEHR. Clause 77 identifies what is a “notifiable data breach”, namely, a breach which “(a) results in, or is likely to result in, significant harm to an affected individual; or (b) is, or is likely to be, of a significant scale”.
Can I ask the Minister to clarify how the Ministry intends to define “significant harm” and “significant scale”, and why it has settled on such a standard? Would it not be more reasonable, not to mention the right thing to do, to notify affected individuals in any and all cases of unauthorised access to their health information?
R&D collaborations using NEHR data
Looking ahead, once the national electronic healthcare system is fully up and running, our citizen’s pooled health data will be a valuable goldmine for clinical researchers and pharmaceutical companies. While this can accelerate drug development and spur medical innovation, the public needs assurance that their personal health data will not be monetised for profit.
Here, my question is whether the Government intends to make healthcare information in the NEHR available to the private, academic, or any other sectors, and whether the current Bill makes provisions to regulate such a possibility.
While in principle I am not opposed to such collaborations, I hope that it can be explicitly legislated that any dataset from the NEHR must be anonymised, if this has not been done already.
Moreover, if the data is used for commercial research, the Government should consider a "Social Dividend" which ensures that the benefits return to the people. Any revenue or benefits derived should be reinvested directly into patient subsidies or national health funds, ensuring that the value generated by the people's health data is returned back to the people.
I would also suggest exploring the model of data cooperatives. One example of this model is non-profit Swiss cooperative MIDATA where citizens control their data and can choose to contribute it to specific research projects they believe in. This has enabled research and tailored care plans for diseases such as multiple sclerosis.
Conclusion
Mr Speaker, my foregoing questions and suggestions/ are intended to safeguard the integrity of the NEHR to strengthen public confidence in the system. To this end, we continue to emphasise patient privacy and patient autonomy to ensure Singaporeans are empowered, not exposed.
