The Health Information Act (HIA) marks a significant shift in the governance of health data since the introduction of the National Electronic Health Record (NEHR). It represents a significant move towards a unified national health information system, enabling “One Patient, One Health Summary, One Care Journey.” The legislation establishes a unified framework for collecting, contributing, and sharing health information across the national healthcare ecosystem, with the NEHR positioned as a central infrastructure to support safer, higher-quality, and more coordinated continuity of care.
The Act is underpinned by three key frameworks:
1) NEHR Contribution and Access,
2) Sharing of Non-NEHR Health Information, and
3) Protection of Health Information. [2]
Under the Act, licensed healthcare service providers will be required to have access to NEHR, contribute key health information to NEHR, and comply with applicable cybersecurity and data protection requirements. Implementation will be phased, with the Ministry of Health (MOH) providing guidance, implementation resources, training, and funding support to assist providers and professionals in meeting the HIA requirements.
The Act formalises the NEHR as a national health information repository, designed to collect and maintain a consolidated copy of selected health records for all Singapore citizens, Permanent Residents, and patients holding long-term immigration passes.
All licensed healthcare providers will be required to use HIA-compliant Health Information Management Systems (HIMS) to contribute key patient health information to the NEHR. Depending on the licence held, this will include, but is not limited to, data such as allergies, immunisations, diagnoses, medications, laboratory results, radiological images, and discharge summaries. Healthcare providers are also held to quality standards for data contribution, ensuring that information submitted is timely, compliant, complete, attributable, accurate, and correct. [3]
The overarching intent is to enable more coordinated and continuous care across settings, enhance the quality and safety of care delivery, and support greater system efficiency and cost-effectiveness.
The HIA clearly outlines what appropriate access to NEHR is and what constitutes inappropriate access. The "Guidelines on Appropriate Contribution, Use and Access to National Electronic Health Record (NEHR)" provide guidance on the use of NEHR [4]. Of note, healthcare providers are not allowed to access NEHR for employment or insurance purposes. NEHR should only be accessed for direct patient care and for whitelisted specific examinations carried out for the purposes of section 19(3), as set out in the Third Schedule of the HIA.
To safeguard patients’ health information, the HIA introduces legislative provisions that allow patients to place restrictions on access to their records. This is carefully balanced with patient safety considerations, whereby a core set of essential health information remains accessible to support safe and appropriate care. In addition, a “break-glass” mechanism permits healthcare providers to override access restrictions in emergency situations; such access is subject to audit and oversight to ensure it is appropriate and justified.
One area of ongoing uncertainty relates to the circumstances under which access to the NEHR is required. Section 4.2.1.1 of the guidelines emphasises that history-taking and physical examination remain the primary basis of clinical assessment, with the NEHR serving as a supplementary tool to support care. Accordingly, healthcare providers are not expected to access the NEHR at every consultation, but to exercise clinical judgement in determining when access is appropriate.
However, while the guidelines outline relevant considerations and reference professional standards such as the Singapore Medical Council Ethical Code and Ethical Guidelines, neither the HIA nor the guidelines provides explicit thresholds for when NEHR access is required, nor the expected depth of review during a consultation. This could raise concerns about the tension between clinical judgement, time constraints, and the increasing volume of digital health information, as well as the potential medicolegal implications when NEHR is not accessed or reviewed adequately.
During the government debate [2], the Senior Minister of State, Tan Kiat How, said: “Healthcare professionals are encouraged to consider a range of factors before deciding whether NEHR access is required for a particular consultation, such as whether more information is required based on the information gleaned from the history-taking and physical examinations or whether health records in NEHR would be relevant to the particular consultation [...] we will continue to work with respective professional bodies to disseminate these guidelines to all healthcare professionals.”
A key feature of the HIA is the shift in how patient consent is treated in the collection, use, and disclosure of health information. Under Section 11, healthcare providers may collect, use, and disclose such information without obtaining explicit patient consent where this is authorised for purposes including direct care, care coordination, and broader healthcare system functions. This represents a significant departure from traditional consent-based frameworks, such as those under the Personal Data Protection Act, where consent is typically required prior to disclosure. Instead, the HIA establishes a statutory basis for data sharing across the healthcare ecosystem.
While this approach facilitates more seamless and coordinated care, it raises important considerations regarding patient autonomy, expectations of confidentiality, and transparency in the use of health information. Healthcare providers should therefore be mindful of how this shift is communicated to patients, particularly in managing expectations around privacy and the extent to which their information may be shared across the system.
To safeguard health information, licensed healthcare providers will be required to implement measures governing the storage, access, use, and sharing of data. These requirements span three key domains: cybersecurity, data security, and organisational practices.
Cybersecurity measures relate to IT and system-level protections, including regular software updates, anti-malware and anti-virus safeguards, access controls, secure system configurations, data backup, and the management of hardware and software assets to ensure governance and accountability. Data security focuses on the proper identification and classification of information, as well as on appropriate processes for access, storage, disclosure, and transmission of health data. The third domain, organisational practices, encompasses staff training and education, secure data disposal, vendor management, regular reviews and audits, and business continuity planning and incident response.
These requirements will require many healthcare providers to modernise and strengthen their existing systems and processes. To support this transition, MOH has introduced the Cybersecurity and Data Security Essentials for Healthcare Providers [5], which provides guidance on implementation and clarifies expectations. In addition, government grants are available to support the adoption of cybersecurity solutions and the engagement of consultancy services where needed.
The Essentials framework has been refined in response to feedback from providers, particularly concerns regarding the resource demands, cost implications, and technical complexity of compliance, challenges that are especially pronounced for solo and small-group practices without in-house IT expertise. While the latest iterations reflect a more calibrated and practical approach, uncertainties remain regarding the precise technical standards required, the sustainability of long-term costs, and the risks of breaches or non-compliance arising from operational and technical limitations.
There are ongoing concerns about the implications for clinicians, particularly around when they are expected to access the NEHR and the potential liability if relevant information is not reviewed.
As highlighted in parliamentary debate [6], uncertainty remains over what constitutes “reasonable care” in practice – how much of a patient’s record must be checked, and in what circumstances. Clearer guidance will therefore be needed to define expectations and help establish safe, consistent, and routine use of the system.
In summary, the HIA marks a transformative shift in clinical practice, moving healthcare towards a more integrated, data-driven, and system-oriented model of care, anchored by the NEHR. While it enables safer, more coordinated, and higher-quality care through enhanced information sharing, it also redefines the responsibilities of healthcare providers, who must now navigate new expectations around data contribution, appropriate access, consent, and cybersecurity, while exercising sound clinical judgement amidst increasing data complexity and time pressures. Ultimately, the HIA will not only reshape workflows and systems but also challenge and evolve how professionalism, patient trust, and ethical practice are upheld in everyday care.
Members can contact Medical Protection at any time with specific queries to get information and support.
[1] https://sso.agc.gov.sg/Act/HIA2026/Uncommenced/20260221020925?DocDate=20260212
[2] https://www.healthinfo.gov.sg/
[3] HIA Implementation Guide (April 2026). https://www.healthinfo.gov.sg/files/HIA_Imple_Guide_Release_1.pdf
[4] Guidelines on Appropriate Contribution, Use and Access to National Electronic Health Record (NEHR) (March 2026). https://www.healthinfo.gov.sg/files/Guidelines_on_Appropriate_Contribution__Use_and_Access_to_National_Electronic_Health_Record__NEHR__March_2026.pdf
[5] Cybersecurity and Data Security Essentials. https://www.healthinfo.gov.sg/files/CYBERSECURITY_AND_DATA_SECURITY_ESSENTIALS.pdf
[6] https://sprs.parl.gov.sg/search/#/sprs3topic?reportid=bill-774