Five essential measures that Healthcare Providers should adopt to comply with the Health Information Bill (HIB)

The Health Information Bill (HIB) aims to govern the safe collection, access, use, and sharing of health information across the healthcare ecosystem in Singapore. The HIB is expected to establish a framework to facilitate better continuity and seamless transition of care by making it mandatory for all licensed healthcare providers to contribute data to the National Electronic Health Record (NEHR).  Healthcare providers will be obligated to contribute key health information – including diagnosis, medications, allergies, or laboratory reports – to the NEHR. This will ensure that healthcare providers have access to up-to-date, accurate, and a centralised national repository of key health information whenever care is provided. 
 

This initiative is part of Singapore’s efforts to address the challenges of a diverse healthcare system where patient data is currently held by various providers in separate systems. By having a common set of patients’ key health information, healthcare providers can make better clinical decisions, and patients can benefit from not having to undergo repetitive tests or recount their medical history to different providers. In addition to healthcare providers and patients, the HIB will also impact the existing healthcare system and those responsible for policy and governance.
 

Licensed healthcare providers (both public and private) including hospitals, clinics and other healthcare institutions will be mandated to contribute data to the National Electronic Health Record (NEHR). 
 

For HIB to be effective, security is a critical aspect, as it involves the handling of sensitive health data. Five essential measures that healthcare providers should adopt are summarised as follows:
 

 1. Cyber & Data Security Guidance  

These guidelines, policies, and procedures aim to improve the security posture among healthcare providers. They provide clarity on requirements to secure the confidentiality, integrity, and availability of health information against unauthorised access, inappropriate modification, use, disclosure, disposal, or other similar risks. Healthcare providers can refer to the guidance on Cybersecurity Agency of Singapore (CSA), Infocomm Media Development Authority (IMDA), and Personal Data Protection Commission (PDPC).  

2. Access Controls 

The HIB will require healthcare providers to meet cyber and data security requirements to contribute and access the National Electronic Health Record (NEHR) safely. This includes implementing access control measures to manage access to data and services, using secure settings for procured hardware and software, and employing anti-malware and anti-virus solutions. 

3. Formal Incident Reporting 

Healthcare providers will be obligated to implement safeguards for data security risk, including mandatory incident reporting. A breach must be reported within 2 hours of confirmation if it is deemed notifiable. 

4. NEHR Safeguards and Independent Assessment

A comprehensive set of security measures and processes to protect the NEHR against cyberattacks is essential. To ensure this, the system and users’ access are periodically subjected to third-party audits to ensure compliance with security standards for government-owned systems. 

5. Sensitive Health Information

Some health information exposes a patient to greater harm during a data breach. These are categorised as Sensitive Health Information, and additional controls and safeguards would be in place for managing these within the NEHR and HealthHub. Measures include restricting which healthcare professions can access the sensitive information, implementing a double log-in mechanism, auditing access, and blocking the display of sensitive health information from the NEHR in HealthHub. These measures are designed to protect health information from cyber threats and ensure that patient data is handled securely and responsibly.