Mr Speaker,
I support the principles underlying this Bill. A population-scale set of longitudinal medical records is the "means of production" for more timely interventions, accurate diagnoses, and preventive health at large. The contribution of data to the National Electronic Health Record will create a valuable dataset - and that value should flow to all Singaporeans.
But before I move on to the question of value, I wish to state my belief: A Bill that compels contribution must also come with robust safeguards.
From my conversations with practitioners, and from my reading of the Bill, I have three sets of concerns:
"A" the disproportionate cybersecurity burden on small providers;
"B" the uploading of sensitive medical information despite patient objections;
and "C" the insurance loophole that may render our privacy protections ineffective.
I will then speak to a broader question: if we are building a national health data asset, who benefits - and how do we ensure it catalyses a dynamic ecosystem rather than becoming captured by a single monopoly provider?
(Cybersecurity Liability and the Burden on Small Providers)
First, to the cybersecurity obligations imposed on healthcare providers.
The Bill designates all HCSA licensees - from tertiary hospitals employing thousands, to single-doctor GP clinics in HDB heartlands - as "relevant persons" under Section 64. All face the same statutory obligations: to implement reasonable controls for secure processing under Section 66(1)(a), reasonable safeguards against unauthorised access under Section 66(1)(b), and cybersecurity protections under Section 68.
The penalties for non-compliance are severe. Section 66(6) provides for fines up to $200,000 or two years' imprisonment for individuals, and up to $1 million for other entities.
Now, the Bill does use the word "reasonable" - and this does imply proportionality.
But I have spoken with doctors who run small operations. They worry that when a breach occurs - and breaches are a matter of "when," not "if" - the enforcement spotlight will fall on them. Did they have sufficient firewalls? Was their antivirus updated? Were their staff trained adequately? They fear being "hung out to dry."
The structural problem is this: small providers are compelled to contribute data to a centralised system they do not control. Yet they bear liability for breaches that may originate from factors beyond their control.
I wish to speak for some of my constituents who are senior GPs still practising in the heartlands. Many are approaching retirement. They are not tech-savvy. They will struggle with the digitalisation requirements this Bill will impose.
If the transition is too abrupt, many of these senior GPs may feel forced to retire early, or sell their independent clinics to large corporate chains. We have seen this pattern before. The rapid digitalisation in other sectors - including banking a decade ago - moved too fast for some of our elderly residents, resulting in scam losses.
Without proper support, this Bill may accelerate consolidation in the primary care sector. We will see more chains. The end state of a modern, integrated health information system is desirable. But the transition must be managed carefully.
So I ask:
One. Will the Ministry issue clear, tiered guidance on what constitutes "reasonable" safeguards for practices of different sizes? A safe harbour framework, if you will.
Two. Will the Ministry consider providing or subsidising cybersecurity insurance for small providers? If the government is making NEHR contribution compulsory, should small practitioners shoulder the entire financial risk of a breach?
Three. Will there be a transition period with educational enforcement - rather than immediate punitive action - to allow smaller providers to build up their cybersecurity capabilities?
Four. Could the Ministry offer transitional support for senior practitioners nearing retirement - even something as simple as sending personnel to help digitalise records?
(Data Privacy and the Limits of Access Restrictions)
Second, to the question of sensitive medical conditions that patients seek to keep private.
There is a group of patients who pay cash, wanting to keep their records - perhaps with sexually transmitted infections, mental health conditions, or abortion records - off the system. Many foreigners also do not want to be on the NEHR.
Under this Bill, that option will no longer exist.
Section 29 provides for "access restrictions" - Class 1 restrictions that prevent all access, and Class 2 restrictions that restrict access for specific purposes or persons. This appears protective.
But Section 30(7) states clearly: "To avoid doubt, an access restriction does not prevent or restrict the contribution of health information."
The data is uploaded and is stored centrally. Any access restriction is a viewing control - it masks who can see the data. It does not exclude the data from NEHR.
If the burden of proof is on the custodian of NEHR to have a robust data privacy model, let us examine the custodian.
Synapxe, the custodian of NEHR, was rebranded from IHiS, which was responsible for allowing the 2018 compromise of 1.5 million SingHealth patient records. The Committee of Inquiry found that IHiS staff lacked adequate cybersecurity awareness, that key staff failed to take appropriate action even when there were clear signs of an ongoing attack, and that the CISO's response was - I quote - "clearly lacking, and displayed an alarming lack of concern."
I have perceived among some doctors a legacy of mistrust toward Synapxe.
So I ask:
One. How is MOH going to police unjustified access of NEHR, where rogue elements read the medical histories of unrelated people? What assurance can MOH give us that our health data is safe with Synapxe?
Two. If such unauthorised access occurs, does proactive monitoring exist or will the system rely solely on whistleblowers and complaints?
Three. What is the technical architecture for access-restricted data? Is it encrypted separately? Is it stored in a segregated environment? Or is it simply flagged in the same database, such that a breach would expose it alongside unrestricted records?
Four. What is the access model for NEHR data? In Taiwan, the National Health Insurance system uses a dual-card approach: the patient must present their Health IC smart card, the doctor uses their professional IC card, and both are required for access, with written patient consent. This dual-authorisation prevents rogue access because no single party can retrieve records alone. Will Singapore's NEHR access model include such safeguards?
Five. Will MOH consider specific carve-outs for defined sensitive conditions, where patients can opt out of contribution entirely - not just access?
(The Insurance Loophole and Downstream Coercion)
Mr Speaker, I commend the drafters of this Bill for their attention to the concern regarding the use of medical information for insurance underwriting.
Section 6 defines "excluded purposes" to include deciding whether to insure an individual, continuing or renewing insurance, and processing insurance claims. Section 19(2) prohibits specified users from accessing NEHR for any excluded purpose. Section 38(5) imposes enhanced penalties - up to $200,000 and seven years' imprisonment - for accessing records for excluded purposes.
Section 11(2) provides that nothing in Part 2 allows access to health information "on the basis that the individual consents." Section 16(2) reinforces this: consent under the Personal Data Protection Act does not make access permissible.
So, insurers cannot access NEHR directly. Healthcare providers cannot access NEHR on behalf of insurers. And a patient's consent cannot be used to circumvent these protections.
Is it watertight? Let me offer two possible scenarios.
Scenario One. Section 17(1) provides that an individual may access and collect their own accessible health information. A Singaporean applies for insurance. The insurer's application form includes a new requirement: "Please attach a complete printout of your National Electronic Health Record." No printout, no policy.
Once the data leaves the system through legitimate patient access, it is beyond the Bill's reach.
Scenario Two. According to Section 3.1.2.2 of the Draft Guidelines on Appropriate Use and Access to National Electronic Health Record, released by MOH in 2023:
(quote) "In the event that such information was previously transcribed from NEHR into the patient's clinical notes, it would be treated as part and parcel of the medical record belonging to the healthcare institution." (end quote)
Meanwhile, Integrated Plan insurers are increasingly requiring doctors to sign contracts containing "Inspection and Right to Audit" clauses. These clauses grant insurers the right to inspect full medical records to verify claims.
The result is that doctors check NEHR for relevant history - past abortions, IVF treatment, mental health conditions, STIs - and note it in their files for clinical safety. Because of these audit clauses, insurers then gain access to this sensitive, transcribed NEHR data, even if it is irrelevant to the current claim. A patient going in for gallbladder surgery may find their insurer reviewing their psychiatric history.
So I ask:
One. Does MOH agree that requiring a patient to provide a complete NEHR printout as a condition of insurance coverage would defeat the legislative intent of Section 6's excluded purposes provision?
Two. If so, will the Government work with MAS to issue regulations or guidelines explicitly prohibiting insurers from requiring NEHR records, or NEHR-derived information, as a condition of coverage, claim processing, or policy renewal?
Three. Does the Minister intend for Section 3.1.2.2 in the 2023 guidelines to allow insurers, through audit clauses in Integrated Plan contracts, to access NEHR-derived information that would otherwise be prohibited under Section 6 of this Bill?
Four. If an insurer is found to utilise either pathway, what enforcement mechanisms exist? Will this be a matter for MAS, MOH, or both?
(Competition and Consumer Value)
Mr Speaker, I now wish to speak to a broader question:
This Bill will create, for the first time, a comprehensive national health database. Social determinants such as postal code, education, marital status. Clinical outcomes such as blood pressure readings over decades, medications prescribed. And soon, perhaps, genomic data from the SG100K project.
This is a formidable dataset. It is a "means of production" - not just of population health outcomes, but of significant economic value. So how do we ensure that value from this national health data infrastructure flows to citizens?
In the telecoms sector, when SIMBA - then TPG - entered Singapore's mobile market in 2017 as the fourth operator, it competed aggressively on price. The incumbents were forced to respond. Mobile plan prices fell. Consumers benefited. Value flowed to consumers because the market was contestable.
Globally, startups are experimenting with patient-centric data models - where individuals can choose to share their data for research and receive compensation. A monopoly may not experiment with such models. But a contestable market will. Some players will try patient-centric approaches. The best models will emerge.
Creating the conditions for competition to discover it requires open APIs, interoperability standards, and a contestable application layer.
(The Synapxe Question: Contestability and the Original Vision)
Mr Speaker, let me turn to the System Operator.
Section 8 provides that the Minister may designate a System Operator to operate, administer, and maintain the national electronic records system. In practice, this will be Synapxe.
Synapxe - formerly known as IHiS - today employs approximately 3,500 people. It serves as the technology backbone for our entire public healthcare system.
When IHiS was set up in 2008, I believe the original vision was that it would operate on contestable principles. MOH would issue tenders. IHiS would compete - win some, lose some. It would have enough work to survive, but face enough competition to stay efficient.
This model was what worked for MINDEF and ST Engineering. Dr Goh Keng Swee, speaking at NTUC Income's 1977 annual meeting, articulated the principle. He said:
(quote) "We do not own and run enterprises on ideological grounds... We expect government-owned enterprises to be efficient, to make money and to expand whenever feasible. [...] If a government-owned enterprise loses money, it is allowed to go bankrupt and this has happened, fortunately, in very few instances." (end quote)
This was the discipline of contestability. Government-linked enterprises were to be subject to market forces.
But Mr Speaker, the current model for Synapxe has drifted from this vision. Today, MOH relies almost exclusively on Synapxe to implement its technology integrations. There is capture and cost inflation. An engineer is hired at $5,000 a month; that engineer's services are sold to public healthcare clusters at significantly higher rates. This markup is of questionable value for taxpayers. It crowds out innovation. The market is not contestable.
I believe a different model is possible and necessary.
(A Proposal: Returning to Contestable Principles)
My vision for Synapxe is different. It would return to the original contestable principles surrounding IHiS's creation.
First, I would seek to separate Synapxe into two entities.
The first entity would be a core infrastructure company. It would handle standards-setting, data exchange protocols, security baselines, and the NEHR plumbing. This stays government-owned and lean - perhaps a few hundred people. It runs the pipes and sets the protocols, but does not compete at the application layer.
The second entity would be a commercial services company. It would handle system integration, consulting, and vendor management. This gets spun off - perhaps privatised, perhaps converted into a GLC that must compete commercially, both domestically and internationally.
Second, MOH must reacquire in-house capacity to be an intelligent buyer of technology services. Before or concurrent with any Synapxe restructuring, MOH needs a technical unit of 50 to 100 people. Not administrators - but engineers, data architects, security specialists. People who can evaluate bids, write specifications, and challenge cost claims. Without this capacity, the ministry cannot escape capture.
Third, I would legislate interoperability standards and open API requirements for all Health Data Intermediaries, including any entity that emerges from Synapxe. The goal is to ensure that the application layer - the layer where innovation happens - is open and contestable.
I think all this can be done in a few years.
(Three Outcomes from a Reformed Model)
Mr Speaker, with such contestability - and with opening for opt-in mechanisms where citizens can choose to share their data for specific purposes and receive compensation - I believe the NEHR can be the means of production for three outcomes:
"A" Better population-scale health outcomes. This is the primary purpose and I support it fully.
"B" A fair stake in data monetisation for each citizen. If value is being extracted from their data, we should create conditions where citizens can likely share in it - not just bear the risk.
"C" An ecosystem catalyst for health-based startups. With open APIs and interoperability, Singapore can become a hub for health technology innovation. Startups can build on the NEHR platform. SMEs can compete for contracts. We can export health-tech capabilities regionally.
The NEHR can become a flywheel for a more dynamic Singapore health technology ecosystem - one that benefits the government, citizens, and entrepreneurs alike. Not merely a government-only-benefits asset.
(Closing)
Mr Speaker, in conclusion.
I support the principle of a unified national health record. It can improve care, reduce waste, and enable the precision medicine of tomorrow.
But a Bill that compels contribution must also come with robust safeguards.
Those compelled to contribute must be protected from disproportionate liability - through tiered guidance, safe harbours, and transitional support.
Privacy controls must be real. If access restrictions do not exclude data from NEHR, then a breach exposes everything regardless of restrictions.
Possible loopholes must be closed. The self-access provision in Section 17, combined with the transcription guidelines, creates pathways for insurers to circumvent the excluded purposes protection.
And if we are building a national data asset, we must ensure it is governed by contestable principles - not captured by a monopoly provider. The original vision for IHiS was discipline through competition. We should return to it.
I look forward to the Ministry's reply on my structural concerns.
Thank you, Mr Speaker. I support the Bill.


