Data protection, privacy and digitisation in healthcare

Digitisation

What are the legal developments regarding digitisation in the healthcare sector and industrial networks or sales channels?

The Private Hospitals and Medical Clinics Act (PHMCA), which adopts a premises-based regulatory framework, will be replaced with a new Healthcare Services Act (HCSA), which adopts a services-based regulatory framework. This was partly prompted by the increasing use of digital healthcare solutions, which may not involve physical premises. Under the HCSA, telemedicine services will be licensable healthcare services.

In this connection, the Ministry of Health (MOH) launched the Licensing Experimentation and Adaptation Programme (LEAP) on 18 April 2018, a regulatory sandbox initiative for telemedicine and mobile medicine to facilitate the development of innovative healthcare models in a controlled environment. As of February 2021, MOH has closed the sandbox for telemedicine and mobile medicine after successfully achieving the objectives it had set out. As a transition approach prior to licensing under HCSA in 2022, MOH will start to list direct telemedicine service providers online.

Provision of digital health services

Which law regulates the provision of digital health services, and to what extent can such services be provided?

Currently, telemedicine services are not licensable per se under the PHMCA, which adopts a premises-based regulatory framework, and all registered medical practitioners may provide telemedicine services. However, telemedicine services are regulated under the MOH’s 2015 National Telemedicine Guidelines (NTG), as well as the SMC Ethical Code and 2016 Handbook on Medical Ethics. The NTG provides guidance to healthcare providers on clinical standards and outcomes, human resources, organisational issues, and technology and equipment. The SMC Ethical Code, to which all registered medical practitioners are required to adhere, sets out how such services are to be provided responsibly. For instance, it provides that doctors engaging in telemedicine must endeavour to provide the same quality and standard of care as in-person medical care, otherwise they must state the limitations of their opinion.

However, the PHMCA is expected to be replaced by the HCSA. Under the HCSA, telemedicine services will be licensable healthcare services. That said, the MOH has stated that it will adopt a risk-based approach in regulating telemedicine, and that only direct doctor-led and/or dentist-led tele-consultation will be licensable for a start. At the time of writing, MOH will not be licensing indirect telemedicine providers. Indirect telemedicine providers refer to those who do not provide direct medical care and only offer the technology support for telemedicine, such as platforms offering software-as-a-service for teleconsultation, directory listings and payment solutions.

Authorities

Which authorities are responsible for compliance with data protection and privacy, and what is the applicable legislation? Have the authorities issued specific guidance or rules for data protection and privacy in the healthcare sector?

The Personal Data Protection Act 2012 (PDPA) is Singapore’s main personal data protection legislation, and is administered and enforced by the Personal Data Protection Commission (PDPC). The PDPA prescribes baseline standards relating to the collection, use, disclosure, access, protection, retention and transfer of personal data to which all organisations must adhere.

The Personal Data Protection (Amendment) Act 2020, which introduces amendments to the PDPA aimed at strengthening public trust, enhancing business competitiveness, and providing greater organisational accountability and assurance to consumers in support of Singapore's digital economy, was passed by Parliament on 2 November 2020. The first phase of the Personal Data Protection (Amendment) Act came into effect on 1 February 2021. Among other things, it permits the disclosure of personal data about an individual who is a current or former patient of a licensee under the PHMCA, a licensee under the HCSA or a prescribed healthcare body to a public agency for the purposes of policy formulation or review.

The PDPC has also issued the Advisory Guidelines for the Healthcare Sector, which aim to address the unique circumstances facing the healthcare sector in complying with the PDPA.

Other regulatory instruments relating to data protection and privacy in the healthcare sector include the following:

  • the Medicines Act and the Health Products Act, which contain regulations relating to pharmacovigilance, adverse event reporting and the conduct of clinical trials;
  • the PHMCA and the HCSA (when it comes into effect), which contain provisions relating to the protection of confidential information such as patients' medical records, diagnosis or treatment, and the Specific Licensing Terms and Conditions on Medical Records for Healthcare Institutions, to which all healthcare institutions licensed under the PHMCA must adhere;
  • the 2015 Guidelines for the Retention Periods of Medical Records issued by the MOH;
  • the SMC Ethical Code and the Allied Health Professions Council's Code of Professional Conduct, which set out the standards of conduct expected of medical practitioners and allied health professionals respectively, such as those relating to patient confidentiality; and
  • the Healthcare Cybersecurity Essentials (HCSE), which was developed by MOH as a 'guidance document' for licensees under the PHMCA and HCSA, as well as entities providing intermediate and long-term care services, in adopting basic safeguards for their IT assets and data.

Requirements

What basic requirements are placed on healthcare providers when it comes to data protection and privacy? Is there a regular need for qualified personnel?

The PDPA prescribes baseline standards relating to the collection, use, disclosure, access, protection, retention, and transfer of personal data to which all organisations must adhere.

Under the PDPA, organisations are required to protect personal data in their possession or under their control by making reasonable security arrangements to prevent unauthorised access, collection, use, disclosure, copying, modification, disposal or similar risks, as well as prevent the loss of any storage medium or device on which personal data is stored.

Additionally, the PDPA generally requires organisations to seek consent from an individual before collecting, using or disclosing his or her personal data. In seeking such consent, the organisation is required to notify the individual of the purposes for such collection, use or disclosure, which must be purposes that a reasonable person would consider appropriate in the circumstances. The organisation may not, as a condition of providing a product or service, require an individual to consent to the collection, use or disclosure of personal data about the individual beyond what is reasonably required for the provision of that product or service.

The PDPA also requires organisations to designate one or more individuals to be responsible for ensuring the organisation’s compliance with the PDPA. These individuals are typically known as Data Protection Officers (DPOs). Key responsibilities of a DPO include the following:

  • ensuring compliance with the PDPA when developing and implementing policies and processes for handling personal data;
  • fostering a personal data protection culture among employees;
  • communicating personal data protection policies to stakeholders;
  • handling access and correction requests to personal data;
  • managing personal data protection-related queries and complaints;
  • alerting management to any risks that might arise with regard to the personal data handled by the organisation; and
  • where necessary, liaising with the PDPC on personal data protection matters.

Common infringements

What are the most common data protection and privacy infringements committed by healthcare providers?

Under the PDPA, organisations are required to protect personal data in their possession or under their control by making reasonable security arrangements to prevent unauthorised access, collection, use, disclosure, copying, modification, disposal or similar risks.

The PDPC has stated that, among the various data protection obligations under the PDPA, breaches of the above protection obligation are the most common in its reported decisions. Notably, in January 2019, the PDPC fined Integrated Health Information Systems (IHiS), the central national IT agency for Singapore's public healthcare sector, and Singapore Health Services Pte Ltd (SingHealth), one of Singapore's three public healthcare clusters, S$750,000 and S$250,000 respectively for failing to comply with that obligation, in respect of a data breach in which the non-medical personal data of around 1.5 million patients and the outpatient prescription records of around 160,000 patients were exfiltrated in a major cyberattack.