The Health Information Act (HIA) is Singapore's first dedicated legislation governing the collection, sharing, security, and use of health information across the healthcare ecosystem. It originated as the Health Information Bill (HIB), introduced in Parliament on 4 November 2025 (Bill No. 20/2025), and was passed by Parliament on 12 January 2026.
The Act transforms health data sharing from a voluntary, fragmented system into a mandatory, centrally governed framework, with the National Electronic Health Record (NEHR) as the backbone.
Why the HIA Matters
- Fragmented data kills: Patients seeing multiple providers across public/private sectors often have incomplete records, leading to repeated tests, drug interactions, and suboptimal care
- Voluntary NEHR wasn't working: Only public healthcare clusters (SingHealth, NUHS, NHG) consistently contributed; private GPs/specialists participated inconsistently
- Silicon Valley of Health: Singapore aims to be a trusted hub for health data innovation, but needs robust governance first
- PDPA alone isn't enough: Health data needs sector-specific rules beyond the general data protection framework
Who Does It Cover?
- Public Hospitals: SingHealth, NUHS, NHG clusters
- Private Clinics: GPs, specialists, dental, TCM practitioners
- Insurers: Health/life insurers handling health data
- HIMS Vendors: Health Information Management System providers
- MOH/NEHR: Ministry of Health & national health records system
- Individuals: Every person with health records in Singapore
1. Mandatory NEHR Contribution
The biggest shift: all licensed healthcare providers must contribute patient health information to the NEHR. This is no longer voluntary for private practitioners. It becomes a statutory duty, not a consent-based disclosure under PDPA.
Critical Legal Point
Under current law, a clinic uploads data to NEHR based on licensing conditions under HCSA. Under the HIA, NEHR contribution becomes a statutory obligation, meaning patients cannot withdraw consent to stop their data being contributed to NEHR. This overrides PDPA's consent framework via a specific statutory exception.
2. Patient Access & Restriction Rights
- Right to view: Patients can access their own NEHR records via HealthHub
- Right to restrict: Patients can restrict specific healthcare providers from viewing their NEHR data, with important limitations
- Emergency override: In life-threatening emergencies, any treating provider can access NEHR data regardless of restrictions
- Correction right: Patients can request corrections to inaccurate health records
- Cannot withdraw from NEHR: The contribution itself cannot be opted out of; only who can view can be restricted
3. Cybersecurity Requirements for HIA Entities
- Mandatory cybersecurity standards for all entities handling health information
- Access controls and audit trails for all health record system access
- Cyber Essentials HIA sub-scheme, co-developed by MOH and CSA specifically for healthcare entities
- Separate Cyber Essentials for HIMS Vendors sub-scheme for IT vendors
- Government transition support and funding available
4. Data Breach Notification (Health-Specific)
HIA introduces health-data-specific breach notification requirements that operate alongside PDPA's existing mandatory breach notification (3 calendar days). Health data breaches will likely face stricter timelines and additional reporting to MOH, not just PDPC.
5. HIMS Vendor Regulation
A new regulated category: Health Information Management System (HIMS) vendors. Any company providing IT systems that manage health information (clinic management software, EHR platforms, health data analytics) must meet HIA-compliant standards, including cybersecurity, data handling, and audit requirements.
6. Penalties
Financial penalties aligned with PDPA framework: up to SGD 1,000,000 or 10% of annual Singapore turnover (whichever is higher) for data breaches involving health information. Individual offences may also carry criminal penalties.
1. 4 Nov 2025: Health Information Bill (HIB) introduced in Parliament (Bill No. 20/2025)
2. 12 Jan 2026: HIB passed by Parliament after debate. SMS Tan See Leng addressed concerns about NEHR access for insurers/employers, access restrictions, security, and support measures
3. 2026: Presidential assent expected. Act published in Government Gazette. Commencement notifications issued in phases
4. 2027: First compliance deadlines. Mandatory NEHR contribution begins for public healthcare institutions. Regulations and codes of practice finalised
5. 2027-2028: Private healthcare providers (GPs, specialists, dental, TCM) brought in via phased implementation. HIMS vendor compliance requirements enforced
6. 2028+: Full compliance regime. Health sector audits begin. Enforcement actions for non-compliance. Cyber Essentials HIA certification expected for all HIA entities
Phased Implementation
MOH has confirmed a phased approach to avoid overwhelming smaller providers. Public institutions first, then larger private groups, then individual GPs/small practices, with transition support and funding available. Don't assume immediate compliance, but DO start preparation now.
Individuals: Patients & the Public
- Better continuity of care: Any doctor you visit can see your full medical history (allergies, medications, past surgeries) via NEHR. No more repeating your history at every visit
- Cannot opt out of NEHR contribution: Your healthcare providers are legally required to upload records. You cannot withdraw consent for this
- Can restrict who views: You can choose to restrict specific providers from viewing your NEHR data, but emergency access overrides this
- Right to access & correction: View your own HealthHub records; request corrections to inaccurate data
- Breach notification: If your health data is compromised, you must be notified
- Insurance claims: Insurers still need your express consent to access health records. NEHR data is NOT automatically available to insurers
Public Hospitals: SingHealth, NUHS, NHG
- Minimal data upload changes: Already contributing to NEHR; existing practices largely continue
- New cybersecurity compliance: Must meet HIA cybersecurity standards (possibly Cyber Essentials HIA sub-scheme certification)
- Audit trails: Must implement detailed access logging for all NEHR record access
- HIMS vendor obligations: Must ensure all IT systems meet HIA standards
- Breach notification procedures need updating (dual PDPA + MOH reporting)
Private Clinics: GPs, Specialists, Dental, TCM
- MAJOR change (mandatory NEHR contribution): Was voluntary; now legally required. Must upload patient records to NEHR
- IT system upgrades: Need HIA-compliant clinic management systems (HIMS). Systems must support NEHR data submission
- Cybersecurity compliance: Must meet HIA cybersecurity standards, which could require Cyber Essentials HIA certification
- Government funding support: CSA Cyber Essentials HIA sub-scheme provides subsidised certification (S$250–725 based on endpoints)
- Breach notification obligations: Health data breaches must be reported
- Cost implications: Small practices face upgrade costs, training needs, and compliance overhead
- Record retention: Must maintain health records in HIA-compliant manner
Insurers: Health & Life Insurance
- NEHR data NOT automatically accessible: Insurers do not get automatic access to NEHR records
- Express consent still required: Existing PDPA consent requirements for accessing patient health records remain
- HIA compliance if handling health data: If insurers process health information (claims data, medical reports), they become HIA entities and must comply
- Breach notification: Health data breaches require dual reporting (PDPC + MOH)
- Risk assessment & actuarial use: Health data use constrained by PDPA purpose limitation; cannot use data beyond consented purpose
- Data governance upgrades: Must review and strengthen data governance and cybersecurity for health information
- Informal data requests prohibited: Insurance agents cannot informally request patient data from clinics; this is a PDPA breach
HIMS / Health Tech Vendors & Startups
- New regulated category: HIMS vendors are explicitly regulated under HIA
- Cyber Essentials HIMS sub-scheme: Must achieve HIA-specific certification
- Audit trails mandatory: All health data access must be logged
- Data localisation/migration: Health data handling must meet HIA standards
- Market opportunity: Clinics rushing to become HIA-compliant creates demand for certified HIMS solutions
Scenario 1: Insurance Claim (Hospital Admission)
Ahmad is hospitalised at Singapore General Hospital (SGH) for a heart condition. His insurer, Great Eastern, requests his medical records to process a claim.
- SGH uploads Ahmad's records to NEHR: Mandatory under HIA. No consent needed for the upload itself (statutory duty)
- Ahmad signs a claim authorisation form: Express consent for SGH to release records to Great Eastern. This is PDPA-governed
- Great Eastern receives records: Via the consented release from SGH, not from NEHR directly
- Great Eastern CANNOT access NEHR: Insurers have no automatic NEHR access. Claim data must come through the patient's express consent channel
Takeaway: HIA does not give insurers a backdoor to NEHR. Patient consent remains the gateway.
Scenario 2: Pre-Insurance Medical Screening
Meiling applies for a $500,000 life insurance policy. The insurer requires a medical check-up at a designated clinic.
- Screening clinic uploads to NEHR: Mandatory under HIA; the check-up results become part of Meiling's NEHR record
- Consent for insurer access: The screening consent form authorises the clinic to share results specifically with the insurer. This is embedded consent, separate from NEHR
- The insurer CANNOT pull additional NEHR data: Consent is limited to the screening results only. The insurer cannot access Meiling's full medical history from NEHR without additional, specific consent
Takeaway: Insurers only get what the patient consents to share, not the full NEHR record.
Scenario 3: GP Visits Multiple Specialists
Uncle Tan, 72, sees his GP for diabetes, a cardiologist for hypertension, and a podiatrist for foot problems. Currently, each doctor sees only their own records.
- Before HIA: Each specialist maintains separate records. Uncle Tan must manually share lab results, medication lists, and allergy info between providers. Risk of duplicate prescriptions and drug interactions
- After HIA: All three providers must contribute to NEHR. The cardiologist can see the podiatrist's wound care notes. The GP can see the cardiologist's medication changes
- Uncle Tan's right: He can restrict specific providers from viewing his NEHR data, but cannot stop his data from being contributed
- Emergency override: If Uncle Tan is rushed to A&E unconscious, emergency doctors can access all NEHR data regardless of restrictions
Takeaway: The core promise of HIA is better care through complete information, without compromising emergency access.
Scenario 4: Insurance Agent Fishing for Data
Agent Raj calls Dr. Lim's clinic asking: "Can you just confirm if Mr. Wong is your patient? I'm processing his insurance claim."
- This is ILLEGAL under both PDPA and HIA. No patient data, not even confirmation of patient status, can be disclosed without valid consent
- PDPA breach: Violation of Consent and Notification Obligations
- Professional ethics breach: Violation of the doctor's duty of confidentiality under SMC Ethical Code
- HIA adds: If the clinic's NEHR access logs show unauthorised queries, that's an HIA audit finding
Takeaway: Casual data requests from insurers are prohibited. Clinics must verify consent documentation before any disclosure.
Scenario 5: Data Breach at a Private Clinic
Dr. Chen's GP clinic suffers a ransomware attack. Patient records of 2,500 individuals are exfiltrated and posted on the dark web.
- PDPA obligation: Notify PDPC within 3 calendar days of assessing the breach as notifiable. Notify affected individuals if significant harm likely or 500+ affected
- HIA obligation: Additional notification to MOH, likely with specific health-data timelines and requirements
- Dual reporting: Dr. Chen must report to BOTH PDPC and MOH
- Penalty exposure: PDPA penalties up to SGD 1M / 10% turnover. HIA penalties on top, potentially doubling exposure
- Cyber Essentials HIA: If Dr. Chen had certification, this demonstrates due diligence and may mitigate penalties
Takeaway: Dual regulatory exposure for health data breaches. Compliance with both PDPA and HIA is essential.
Scenario 6: Patient Restricts Access
Siti restricts her psychiatrist at IMH from viewing her sexual health data from DSC Clinic. How does this work?
- HIA restriction right: Siti can designate which providers can and cannot see specific categories of her NEHR data
- Both providers still UPLOAD: IMH psychiatrist and DSC Clinic both must contribute to NEHR; Siti cannot stop that
- The restriction is on VIEWING: The psychiatrist simply cannot see the sexual health records when accessing NEHR
- Emergency override: If Siti is in a life-threatening situation, emergency doctors CAN override her restrictions to see all data
- MOH oversight: MOH has access to NEHR data for public health purposes (disease surveillance, outbreak management) regardless of individual restrictions
Takeaway: Granular control. You can't stop data flowing in, but you CAN control who sees what (except in emergencies).
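The access rules this scenario walks through (contribution cannot be blocked, viewing restrictions are per provider and per data category, emergency override, MOH public-health access, no direct insurer access) as a small policy evaluator with an audit trail. This is an added example, not code from the page or from any MOH/Synapxe system; the record categories, role names, the audit-entry layout and the `review_findings` helper are assumptions, and the sample records are constructed.

```python
from dataclasses import dataclass, field


@dataclass
class Record:
    patient: str
    category: str   # assumed category label, e.g. "sexual_health"
    source: str     # contributing provider
    summary: str


@dataclass
class NehrStore:
    records: list = field(default_factory=list)
    # patient -> set of (provider, category) pairs the patient has blocked from viewing
    restrictions: dict = field(default_factory=dict)
    audit: list = field(default_factory=list)   # (action, requester, patient, outcome, count)

    def contribute(self, rec: Record) -> None:
        # Contribution is a statutory duty: this path has no consent check and no opt-out.
        self.records.append(rec)
        self.audit.append(("contribute", rec.source, rec.patient, "ok", 1))

    def restrict(self, patient: str, provider: str, category: str) -> None:
        # A restriction governs viewing only; contributed records are never removed.
        self.restrictions.setdefault(patient, set()).add((provider, category))

    def view(self, requester: str, role: str, patient: str, emergency: bool = False) -> list:
        """Return the records `requester` may see and write exactly one audit entry."""
        mine = [r for r in self.records if r.patient == patient]
        if role == "moh_public_health":
            # MOH access for public health purposes applies regardless of restrictions.
            visible, outcome = mine, "ok"
        elif role == "provider" and emergency:
            # Emergency override: everything is visible, but the event is flagged for review.
            visible, outcome = mine, "emergency_override"
        elif role == "provider":
            blocked = self.restrictions.get(patient, set())
            visible = [r for r in mine if (requester, r.category) not in blocked]
            outcome = "ok" if len(visible) == len(mine) else "partial"
        else:
            # Insurers, employers and any other role get nothing from NEHR directly; an
            # insurer obtains records only through the clinic's consented release.
            visible, outcome = [], "denied"
        self.audit.append(("view", requester, patient, outcome, len(visible)))
        return visible


def review_findings(store: NehrStore) -> list:
    """Audit entries a DPO should review: denied queries and emergency overrides."""
    return [e for e in store.audit if e[3] in ("denied", "emergency_override")]


def scenario_six() -> NehrStore:
    """Constructed walk-through of Scenario 6 (names from the page, data invented)."""
    s = NehrStore()
    s.contribute(Record("Siti", "sexual_health", "DSC Clinic", "screening result"))
    s.contribute(Record("Siti", "psychiatric", "IMH", "consult note"))
    s.restrict("Siti", "IMH psychiatrist", "sexual_health")
    return s


if __name__ == "__main__":
    s = scenario_six()
    print([r.category for r in s.view("IMH psychiatrist", "provider", "Siti")])
    print(len(s.view("A&E doctor", "provider", "Siti", emergency=True)))
    print(s.view("Great Eastern", "insurer", "Siti"))
    print(review_findings(s))
```

Every call to `view` leaves one audit entry, so the denied insurer query from Scenario 4 and the emergency override both surface in `review_findings` for DPO review.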
The HIA operates alongside the PDPA, not as a replacement. Where HIA provisions are more specific, they take precedence. Where HIA is silent, PDPA fills the gap.
| Aspect | PDPA (General) | HIA (Health-Specific) |
|---|---|---|
| Scope | All personal data, all sectors | Health information only, healthcare ecosystem |
| Data Type | Personal data = any data about an identifiable individual | Health information = data about an individual's physical/mental health, healthcare services, health-related registrations |
| Consent Model | Primary model: express/deemed consent required for collection, use, disclosure | Mixed: mandatory contribution (no consent required for NEHR upload) + consent framework for other uses |
| NEHR Contribution | N/A; no concept of mandatory data sharing | Mandatory statutory duty. Cannot opt out. Overrides PDPA consent requirement via specific statutory exception |
| Can Individual Withdraw Consent? | Yes; individuals can withdraw consent for collection, use, or disclosure | No; cannot withdraw from mandatory NEHR contribution. Can only restrict who views data |
| Access Rights | Access & correction rights (S.21/22 PDPA) | Enhanced rights: access via HealthHub, correction, and ability to restrict provider access (with emergency override) |
| Breach Notification | PDPC + individuals. 3 calendar days. Threshold: 500+ individuals or significant harm | PDPC + MOH. Likely stricter timelines for health data. Dual reporting obligation |
| Cybersecurity | General "reasonable security arrangements" (S.24) | Specific mandatory standards for HIA entities. Cyber Essentials HIA sub-scheme certification. Audit trails required |
| Government Access | Government bodies generally exempt from PDPA (S.4) | MOH access to NEHR data expressly provided for public health purposes |
| Vendor Regulation | Data intermediaries governed, but with generic obligations | HIMS vendors explicitly regulated; new compliance category with specific certification requirements |
| Penalties | Up to SGD 1M or 10% SG turnover (higher of the two) | Similar framework, potentially dual liability (PDPA + HIA for same breach) |
| Insurer Access | Consent-based only. Clinic must have patient authorisation | Same; no automatic insurer access to NEHR. Must still obtain express consent |
| Purpose Limitation | Data can only be used for consented purpose | NEHR contribution is a statutory purpose; data in NEHR governed by HIA access controls |
Key Takeaway: Overlap is Complementary, Not Conflicting
Think of it as two layers:
- PDPA = baseline: always applies to personal data (including health data)
- HIA = healthcare overlay: adds mandatory sharing, enhanced security, patient restriction rights, and HIMS regulation on top of PDPA
- Where HIA is more specific (NEHR contribution, health breach notification, cybersecurity), HIA takes precedence
- Where HIA is silent (consent for insurance claims, purpose limitation for non-NEHR uses), PDPA fills the gap
DPO Critical Note
For DPOs managing healthcare clients, compliance means BOTH PDPA and HIA. A data protection programme that satisfies PDPA alone may be insufficient for health data. Key gaps:
- Does your client's breach response plan include MOH notification?
- Are HIA-entity cybersecurity standards met (not just PDPA S.24 "reasonable arrangements")?
- Has NEHR access restriction capability been implemented?
- Are HIMS vendor contracts updated with HIA-compliant data handling clauses?
NEHR (National Electronic Health Record)
The NEHR is the central health data exchange platform that the HIA builds upon. Key interface points:
| Aspect | Before HIA | After HIA |
|---|---|---|
| Data Contribution | Voluntary for private providers; mandatory for public clusters via HCSA licensing conditions | Mandatory statutory duty for ALL licensed healthcare providers |
| Patient Consent for Upload | Deemed consent (HCSA licensing) or explicit opt-in (some private) | No consent needed; statutory exception to PDPA. Cannot opt out |
| Access Governance | MOH Healthcare Data Sharing Framework (admin policy, not legislation) | Legislated under HIA: access controls, audit trails, patient restriction rights |
| Insurer/Employer Access | Informal/policy-level restrictions | Explicitly excluded; NEHR data NOT accessible to insurers or employers without patient consent |
| Security | MOH guidelines (not enforceable standards) | Legally mandated cybersecurity requirements + audit trails |
| Vendor Management | Synapxe (formerly IHiS) manages NEHR under contract | Same operator + HIA oversight of NEHR operator with enforceable obligations |
NEHR Operator: Synapxe
The NEHR is operated by Synapxe (formerly Integrated Health Information Systems / IHiS), MOH's health tech arm. Under the HIA, Synapxe has specific obligations as the designated health information system operator, including security standards, incident reporting, and ensuring system availability.
HCSA (Healthcare Services Act 2020)
The HCSA is the primary licensing regime for healthcare service providers. The HIA adds a data-sharing and cybersecurity layer on top of HCSA licensing:
A. HCSA = WHO can practice. Licenses healthcare service providers. Sets clinical standards, scope of practice, and licensing conditions.
B. HIA = HOW health data must be shared and secured. Imposes data-sharing obligations (NEHR contribution), cybersecurity requirements, access controls, and breach notification on HCSA-licensed entities.
C. Interface: HCSA already requires licensees to contribute data to NEHR as a licensing condition. HIA upgrades this from a licensing condition to a statutory duty, meaning non-compliance is not just a licensing offence but a breach of legislation with financial penalties.
Overlap: HCSA Licensing + HIA Data Duties
A private clinic licensed under HCSA must:
- Meet HCSA clinical and licensing standards AND
- Meet HIA data-sharing and cybersecurity obligations
- Non-compliance with HIA can result in financial penalties independent of HCSA licensing action
PHMCA (Private Hospitals and Medical Clinics Act)
The PHMCA is being progressively replaced by HCSA (transition ongoing). During the transition:
- PHMCA-licensed private hospitals and clinics are also subject to HIA during transition
- HIA obligations apply to PHMCA-licensed entities as well as HCSA-licensed entities
- Both PHMCA and HCSA contain record-keeping provisions; HIA adds the data-sharing and cybersecurity layer
- Once transition is complete, HCSA + HIA will be the primary regulatory framework (PHMCA repealed)
"Under the Health Information Bill, healthcare providers will be required to share patients' health information through the NEHR, ensuring that every Singaporean's medical history is available when needed for their care."
SMS Tan See Leng, Parliament Debate, 12 Jan 2026
Immediate (Before 2027)
- Identify if you're an HIA Entity: Healthcare provider, health tech vendor, insurer handling health data, clinical research org; if yes, HIA applies
- Audit NEHR readiness: Can your clinical systems submit data to NEHR? If not, start planning integration
- Start Cyber Essentials HIA certification: Government funding available. S$250–725 for certified assessors. HIMS vendors should pursue the dedicated sub-scheme
- Map data flows: Where does health data enter/exit your organisation? What third parties receive it? Update your Data Protection Impact Assessment
- Review vendor contracts: HIMS vendor agreements must include HIA-compliant data handling clauses
6-Month Horizon
- Update breach response plan: Add MOH notification pathway alongside PDPC notification. Define health-data-specific escalation triggers
- Implement access controls: NEHR access must be role-based and auditable. Implement restriction capabilities for patient access rights
- Train staff: Frontline staff must understand HIA obligations, especially around NEHR access restrictions and breach reporting
- Review insurance processes: Ensure claims processing does NOT access NEHR data without explicit consent. Audit any informal data-sharing practices
12-Month Horizon
- Achieve Cyber Essentials HIA: Full certification before compliance deadlines
- Develop patient restriction workflow: Implement systems for patients to restrict/allow NEHR data access by specific providers
- Engage DPO for dual compliance: Ensure your DPO understands both PDPA and HIA obligations for health data
- Monitor MOH regulations: Subsidiary legislation and codes of practice will be published; stay current
Government Support Available
- CISOaaS: 70% co-funding for cybersecurity consulting
- Cyber Essentials HIA: Subsidised assessment and certification for healthcare entities
- SMEs Go Digital: ICT vendor sub-scheme for HIMS compliance
- Enterprise Development Grant (EDG): Up to 50% funding for broader capability building
For KNQX clients: these programmes are the entry point for HIA compliance consulting engagements.