In brief
Following the passing of the Health Information Act (HIA) in January 2026, the Ministry of Health (MOH) has published several resources to provide information regarding the implementation of the HIA.
The resources include: (a) a guidance document setting out an overview of the HIA; (b) a guidance document on cybersecurity and data security (CS/DS) essentials; (c) guidelines on appropriate contribution, use and access to the national electronic health record system (NEHR); (d) CS/DS infographics; (e) a training course; and (f) a HIA implementation guide.
Recommended actions
Licensees under the Healthcare Services Act 2020 (“HCSA”) to whom the HIA apply should familiarize themselves with the requirements under the HIA and understand the implementation timelines.
HCSA licensees who are not required to contribute to the NEHR should also note that they still need to implement cyber and data security measures by September 2028.
In more detail
The HIA establishes a comprehensive framework for managing, securing, and sharing key health information to improve healthcare delivery and patient outcomes.
The HIA governs:
- NEHR Contribution and Access – HCSA licensees and retail pharmacies under the Health Products Act 2007 are required to contribute key health information of Singaporeans, Permanent residents, and patients with long-term immigration passes to the NEHR system and provides for their NEHR access.
- CS/DS Measures – Licensed Healthcare Providers, retail pharmacies, approved users of the NEHR, and Health Information Management System (“HIMS”) providers must implement reasonable security measures to protect health information and systems and meet cybersecurity incidents / data breach notification obligations.
- Sharing of Non-NEHR Health Information – The HIA enables the select sharing of prescribed non-NEHR health information within the healthcare ecosystem to facilitate community-based care and outreach programmes.
Under the batched implementation timeline, with the first phase of contribution to the NEHR and implement CS/DS measures expected to begin by September 2027.
An overview of the applicable requirements for healthcare providers is as follows.
In relation to NEHR contribution requirements:
- There is no requirement to upload historical records, as contribution only applies prospectively to medical records upon connecting to NEHR.
- There is no requirement to upload detailed consultation and progress notes to NEHR.
- Contribution of health information of transient visitors (e.g., tourists) is not required.
In relation to NEHR access requirements:
- NEHR access should be exclusively for clinical care purposes and should not be granted to those in administrative or corporate roles even if they are Healthcare Professionals.
- Healthcare providers should only access NEHR for the particular patient(s) they are providing care to.
- Healthcare providers must implement appropriate practices to ensure that their healthcare professionals are properly trained and aware of appropriate NEHR use.
In relation to liability for data breaches involving HIMS:
- When CS/DS incidents arise, circumstances surrounding the incident are salient to determining liability. This includes considerations like whether a HIA-compliant HIMS was used and whether reasonable proper CS/DS safeguards were implemented.
- There is an obligation to develop and implement appropriate standard operating procedures and staff training to comply with CS/DS requirements
Healthcare professionals should note that the NEHR is not meant to replace good clinical practice and judgement, and the NEHR instead serves a supplementary role in complementing and aiding clinical assessment. Healthcare professionals should therefore make accurate, clear and contemporaneous medical records within their own HIMS, taking into account that the key health information from these medical records will also be contributed and viewed in NEHR and be used for clinical care purposes by other healthcare professionals. Healthcare professionals should be mindful to follow professional guidelines set by their respective professions on record-keeping, for instance requirements under the Singapore Medical Council’s Ethical Code and Ethical Guidelines.
* * * * *
© 2026 Baker & McKenzie. Wong & Leow. All rights reserved. Baker & McKenzie. Wong & Leow is incorporated with limited liability and is a member firm of Baker & McKenzie International, a global law firm with member law firms around the world. In accordance with the common terminology used in professional service organizations, reference to a "principal" means a person who is a partner, or equivalent, in such a law firm. Similarly, reference to an "office" means an office of any such law firm. This may qualify as "Attorney Advertising" requiring notice in some jurisdictions. Prior results do not guarantee a similar outcome.