Key takeaways
When passed, the Health Information Bill (HIB) will not only regulate the use of and access to health information in Singapore, but will also impose robust data security and cybersecurity measures, including stringent breach notification timelines. The HIB has not been finalized and will be further debated in parliament, but industry members should monitor developments and start examining the potential impact of the HIB on their existing operations now.
In more detail
Background
The background of the HIB, including its genesis and objectives, can be found in our client alerts of March 2023 and December 2023. In summary, the HIB was first announced in December 2022 with a planned release in the second half of 2023; it finally received its first reading in parliament on 5 November 2025.
Key sections of the HIB
We provide further detail on the key sections of the HIB below.
The NEHR
Under the HIB, all healthcare providers licensed under the Healthcare Services Act, retail pharmacy licensees and any other person or public agency specified in the HIB (together, "Contributors") are expected to contribute designated health information about their patients to the National Electronic Health Record (NEHR). Individuals' consent is not required for Contributors to add their health information to the NEHR.
The “health information” to be contributed under the HIB differs based on the class that the Contributor falls under. It generally includes the patients’ administrative information and clinical information.
The data on the NEHR can only be accessed by certain “specified users” (i.e., Contributors) and “authorized individuals” (i.e., employees, enlisted personnel or volunteers acting on behalf of the specified users).
Specified users can access and collect health information about an individual to provide healthcare services or conduct medical examinations for that individual. Authorized individuals can access or collect health information to perform or discharge their duties for the specified user.
Specified users are also obliged to establish and implement appropriate policies and practices to ensure that authorized individuals access this health information only for proper purposes and in accordance with those policies and practices.
It would be an offense to access or collect health information for improper purposes, such as determining a person’s suitability or eligibility for employment, including promotion or removal from employment. It would also be an offense to access or collect health information for matters related to insurance, such as for renewing insurance or processing a claim.
Sharing of relevant information for specified use cases
The HIB also governs the sharing of “relevant information,” i.e., any administrative or clinical information, and any other individually identifiable information relating to the individual or to someone who provides or is responsible for that individual’s care and welfare. Therefore, “relevant information” is a broader category than “health information.”
Sharing of “relevant information” is only permitted for prescribed use cases, such as the sharing of relevant information between public agencies to support the Healthier SG and Age Well SG programs.
Security of health information and relevant information
The HIB mandates certain data security and cybersecurity requirements for all persons that may interact with health information and relevant information under the HIB (“Relevant Persons”).
Relevant Persons and health data intermediaries are subject to certain data security requirements, including the following:
- Implement reasonable controls and safeguards to ensure that health information or relevant information is processed and used securely
- Ensure that every person who accesses or handles health information or relevant information is aware of their role and responsibility in ensuring that this information is protected or used for proper purposes
- Ensure that health information or relevant information is retained only for as long as necessary for the original purpose for which it was collected, and is afterward disposed of with reasonable care to prevent unauthorized access, disclosure or reproduction
Relevant Persons and health data intermediaries are also subject to cybersecurity requirements, including implementing reasonable safeguards to do the following:
- Protect the confidentiality and integrity of the health information or relevant information
- Ensure that the health information or relevant information is available
- Protect the relevant computer or computer system against unauthorized access, interference or tampering
Relevant Persons should also do the following:
- Establish, implement and regularly review their policies and practices to ensure ongoing compliance with the data security and cybersecurity requirements above
- Implement an incident management framework that sets out the mechanisms and processes in place to detect, respond to and resolve cybersecurity incidents and data breaches, and to prevent their recurrence
Notification of cybersecurity incidents and data breaches
Cybersecurity incidents
Where a Relevant Person has reason to believe that a cybersecurity incident has occurred affecting the NEHR or any relevant computer system used by the person to process health information or relevant information, the person must, in a reasonable and expeditious manner, assess whether the cybersecurity incident is a notifiable cybersecurity incident.
If a health data intermediary suspects that there has been an incident, it must notify the Contributor or user without undue delay. The Contributor or user of the data will then assess the incident upon receiving the notification.
Data breaches
The definition of “data breach” substantively mirrors the definition set out in the Personal Data Protection Act 2012, but with reference to health information and relevant information.
Therefore, a data breach arises where there is unauthorized access to, or unauthorized collection or use of, the health information or relevant information, or the loss of any storage medium containing such information.
Data breaches are considered notifiable if they are likely to result in significant harm or are likely to be of a significant scale:
- “Significant harm” refers to when the data breach relates to certain health or relevant information or other circumstances, which are yet to be prescribed.
- “Significant scale” refers to when the data breach affects a certain number of individuals, which is yet to be prescribed.
Notification
Where a Relevant Person assesses that a cybersecurity incident or data breach is notifiable, it must notify the Ministry of Health (MOH) as soon as practicable, and in any event no later than the prescribed period after the day on which the Relevant Person makes that assessment. The individuals affected by a data breach must also be notified in certain situations.
According to the FAQ published by the MOH in 2023, the initial notification to the MOH was to be made within two hours after the healthcare service provider assesses the incident to be a notifiable cybersecurity incident or a data breach meeting the reporting threshold, with a fuller incident report to follow within 14 days of the initial notification. We expect the MOH to publish further details on this issue shortly.
Portability of health information in electronic form
The HIB also sets out obligations for health data intermediaries to ensure that health information can be transferred accurately and completely at the individual’s request. In particular, health data intermediaries must do the following:
- Establish and implement practices and processes for transferring health information to the individual or to another relevant health data intermediary, as the case may be
- Ensure that the health information transferred is accurate and complete and that the transfer is done in a timely manner
- Ensure that those practices and processes address the selection, preparation, extraction and transformation of the health information, and the format in which the health information is to be transferred
Penalties
The penalties for noncompliance with the HIB can be considerable. Individuals face potential fines of up to SGD 200,000 or imprisonment for up to seven years. Where companies fail to comply with the requirements relating to notifying cybersecurity incidents and data breaches, the fines may be up to SGD 1 million.
Company officers who consented, connived or conspired with others to commit an offense; who were, whether by act or omission, knowingly involved in or party to the commission of an offense; or who knew or ought reasonably to have known that an offense would be or is being committed and failed to take all reasonable steps to prevent or stop the commission of the offense, may also be guilty of the same offense as the company.
The HIB is expected to be debated at the next parliamentary sitting.
* * * * *

© 2025 Baker & McKenzie. Wong & Leow. All rights reserved. Baker & McKenzie. Wong & Leow is incorporated with limited liability and is a member firm of Baker & McKenzie International, a global law firm with member law firms around the world. In accordance with the common terminology used in professional service organizations, reference to a "principal" means a person who is a partner, or equivalent, in such a law firm. Similarly, reference to an "office" means an office of any such law firm. This may qualify as "Attorney Advertising" requiring notice in some jurisdictions. Prior results do not guarantee a similar outcome.