On 5 November 2025, the Health Information Bill (“Bill“) was introduced in Parliament to establish a framework to govern the safe collection, access, use and sharing of health information. The Bill aims to improve patient care by reducing repeated tests, prescription errors, ensuring updated and accessible health information, and strengthening data protection and privacy. It balances the need for data sharing with robust safeguards and providing some autonomy to patients.
The Bill mandates licensed healthcare providers (including general practitioner clinics and private hospitals, as well as Ministry of Health (“MOH“)-approved care providers) to contribute selected patients’ health information to the national repository of health information and the national electronic health record system (“NEHR“), to facilitate shared care and coordination across Singapore’s healthcare ecosystem.
The introduction of the Bill follows the public consultation conducted by MOH on the proposed bill, held from 11 December 2023 to 11 January 2024. For more details on the public consultation, please refer to our December 2023-January 2024 NewsBytes article titled “Ministry of Health Consults on Proposed Health Information Bill“. We also issued an earlier write-up relating to the development of the Bill. Please refer to our March 2023 NewsBytes article titled “Reviewing System Enablers to Support Healthcare Transformations – Formulating the Health Information Bill” for more information.
Scope of Health Information
Under the Bill, health information refers to an individual’s administrative and clinical information.
- Administrative information: relates to an individual’s personal information such as name, contact details and other demographic data for the use or provision of any healthcare service or community health service.
- Clinical information: relates to either or both of the following: (i) the physical or mental health of the individual; and (ii) the diagnosis, treatment or care of the individual. Such information includes information on drug allergy and medical history and past tests and scans undertaken by the individual.
Access to Health Information
An individual may choose to restrict the access, collection and disclosure of his/her health information, either in its entirety or only with respect to certain aspects of such health information. These include:
- the types of health information that may be accessed, collected or disclosed;
- the persons who may access, collect or disclose the health information;
- the purposes for which the health information may be accessed, collected or disclosed; and
- the times or periods at which the health information may be accessed, collected or disclosed.
The NEHR may only be accessed by authorised healthcare professionals directly involved in a patient’s care. This includes carrying out medical, dental, psychiatric or psychological examination and assessment. Access to the NEHR is prohibited for employment or insurance purposes.
The issue for healthcare professionals is whether they are required to access the NEHR whenever a patient seeks medical consultation, and the relevant legal risks they face should they fail to access the NEHR. There are guidelines to aid healthcare professionals as regards the appropriate collection, access and use of health information in the NEHR.
Cybersecurity and Data Protection
The Bill sets out cybersecurity and data protection standards and obligations that healthcare providers contributing to or accessing the NEHR, or sharing data, must meet and comply with. These include the following:
- Data security and handling
- Implement reasonable controls to ensure the secure processing of health information.
- Implement reasonable safeguards to protect against the unauthorised access, collection, use, disclosure, copying, modification or disposal of health information.
- Ensure every personnel who accesses or handles health information is aware of his/her responsibility in ensuring that the confidentiality and integrity of the information is protected.
- Retention and disposal of health information
- Cease the retention of health information when it is reasonable to assume that the purpose for which the health information was collected is no longer served by the retention of information.
- Cybersecurity incidents or data breaches
- Report cybersecurity incidents or data breaches to MOH within the prescribed periods.
- Notify affected individuals in the event of a notifiable data breach that is likely to cause significant harm.
The Bill is expected to be debated at the next Parliament sitting.
Click on the following links for more information:
- Full text of the Bill (available on the Parliament of Singapore website at parliament.gov.sg)
- MOH’s Health Information Bill microsite
Disclaimer
Rajah & Tann Asia is a network of member firms with local legal practices in Cambodia, Indonesia, Lao PDR, Malaysia, Myanmar, the Philippines, Singapore, Thailand and Vietnam. Our Asian network also includes our regional office in China as well as regional desks focused on Brunei, Japan and South Asia. Member firms are independently constituted and regulated in accordance with relevant local requirements.
The contents of this publication are owned by Rajah & Tann Asia together with each of its member firms and are subject to all relevant protection (including but not limited to copyright protection) under the laws of each of the countries where the member firm operates and, through international treaties, other countries. No part of this publication may be reproduced, licensed, sold, published, transmitted, modified, adapted, publicly displayed, broadcast (including storage in any medium by electronic means whether or not transiently for any purpose save as permitted herein) without the prior written permission of Rajah & Tann Asia or its respective member firms.
Please note also that whilst the information in this publication is correct to the best of our knowledge and belief at the time of writing, it is only intended to provide a general guide to the subject matter and should not be treated as legal advice or a substitute for specific professional advice for any particular course of action as such information may not suit your specific business and operational requirements. You should seek legal advice for your specific situation. In addition, the information in this publication does not create any relationship, whether legally binding or otherwise. Rajah & Tann Asia and its member firms do not accept, and fully disclaim, responsibility for any loss or damage which may result from accessing or relying on the information in this publication.
