News and developments

Can Singapore learn from the European Health Data Space Act (“EHDSA”)? A discussion on the NEHR and the Proposed Health Information Bill (“SG HIB”)

 Introduction

 The National Electronic Health Record (“NEHR”) system was set up with the goal of serving as a repository to collect different types of data of the patients’ summary health conditions and records based on their encounters with healthcare professions and clinicians throughout their life.

The primary purpose has always been salutary - i.e. to enable greater coordination and informed decision-making as well as to support more accurate diagnosis, better treatment and patient-centric integrated care[1]. Indeed, the Singapore Health Information Bill (“SG HIB”) appears to focus on this mission as it is stated as intended to “ensure that health information is kept updated, accurate and accessible by healthcare providers”[2].

One key way in which the SG HIB will do this is by enacting rules which require the mandatory contribution of health information into platforms such as NEHR[3], by all organisations which are licensed to provide healthcare services, under the omnibus healthcare licensing law, the Healthcare Services Act 2020 (also known as “HCSA”).

Does the SG HIB present an opportunity to do more?

Such data can have great potential value. The types of data collected include patient demographics, admission and visit history, discharge summaries, laboratory results, radiology results, medication history, history of surgeries or procedures and allergies and adverse drug reactions1. Imagine the utility of such information, if the legal and technical conditions were ripe for use of this data.

If used responsibly, such information could help pioneer medical treatments, establish disease insights, and execute fundamental improvements in healthcare. Indeed, such additional purposes can include research and innovation which can contribute towards what the Ministry of Health of Singapore targets as one of its key pillar of developing precision medicines pursuant to the MOH’s national medicines policy[4].

But what would the regulatory framework in supporting such purposes look like? Does Singapore’s current existing infrastructure have features or a framework which can be built on to free up responsible and accountable use of such data? The above 2 points will be addressed in part II to this article. For the purpose of part I, we explore the relevant parts of an European equivalent legislation in greater detail.

Lessons from the EU?

To begin with, it would be good to first look at a comparable jurisdiction and here, there are some important parallels to consider with respect to the EU’s Health Data space as embodied in the European Health Data Space (“EHDSA”). Are there key differences with the EHDSA? And if so, anything further can be done to close any gaps?[5]

First, for context, a brief summary of the position in the European Union. In May 2022, the European Commission put forward an initiative that will place citizens at the centre of their healthcare, granting them full control over their data, with the goal of achieving better healthcare access across the EU. The initiative eventually gives rise to the proposal for the EHDSA which was adopted by the European Parliament on 24 April 2024 and expected to be published in the Official Journal in autumn of 20243. The key aspect of the EHDS that regulates the secondary usage of data can be found mainly in Chapter IV of the EHDS which we will review in further details[6].

This much mirrors the stated aims of the SG HIB.

However, the EHDSA also aims to allow the use of health data for research and public health purposes, under strict conditions. This use, which is defined as a “secondary purpose”, is a key step forward.

Chapter IV of the proposed EHDSA[7] can be largely split into the following sections: (a) types of secondary uses of data; (b) distinction between a data access request and simply a data request as well as the corresponding steps for each processes; (c) issuance of the data permit and the conditions for such withdrawal; (d) the duties of the data holders; (e) the establishment of the health data access bodies; and (f) the penalties that may be imposed for breaches committed.

Types of uses for data and the types of data

The EHDSA lists, at Chapter IV, Article 33, the “minimum” categories of data that a data holder must make available for secondary use[8], and this notably includes electronic health records[9], data impacting on health, including social, environmental behavioural determinants of health, health-related administrative data (including claims and reimbursement data), pathogen genomic impacting on human health, human genetic, genomic and proteomic data, population wide health data, electronic health data from clinical trials, data from research cohorts, questionnaires and surveys related to health, and many more. Each of these categories of data hold potential for innovation and hope for medical treatment – e.g. disease prediction and prevention, identifying key trends in population health, and so on.

This is followed by Article 34 of the EHDSA, which sets out corresponding approved secondary purpose[10] and these include scientific research related to health or care sectors, development and innovation activities for products or services contributing to public health or social security, or ensuring high levels of quality and safety of health care, of medicinal products or of medical devices and training, testing and evaluating of algorithms, including in medical devices, AI systems and digital health applications, contributing to the public health or social security, or ensuring high levels of quality and safety of health care, of medicinal products or of medical devices.

The EHDSA would therefore play a vital role in dealing with data scarcity – the difficulties in accessing health data to help transform health care[11]. Indeed, if it is remembered that there were arguments by some that the protective, yet restrictive, nature of legislation such as the EU GDPR inadvertently created data scarcity[12], the value of the EHDSA is apparent – i.e. it provides a structured framework for the accountable and responsible sharing of health data and innovation, against the backdrop of other protective legislation.

In the Singapore context, making health data available in a similar manner to the EDHSA will allow pharmaceutical companies or life science companies under trusted and legal conditions could help develop more precision medicines, promote diseases prediction and understanding, and ensure the most appropriate medicines to manage a certain disease or illness, and strengthen or reinforce the judgment of healthcare professionals, who would benefit from the availability of studies derived from the data readily available.

It should also be noted that a framework such as the EHDSA would act to prevent uses which are not connected with innovation or healthcare as it also sets out prohibited uses of the data such as advertising or marketing activities towards heath professionals, organisations in health or natural persons. This strengthens the legitimacy of how the data is intended to be used and providing further safeguards to the patients whose data are being collected and used.

Other features of the EDHSA

Other key features of the EDHSA provide an array of checks and balances for the responsible and accountable operation of any health data exchanges that would arise from the EDHSA:

  • Data permits are a key piece of licensing for the use of any data exchanges[13] and they would require disclosure of information, in applications for permits, about safeguards in place to protect the data and the rights and interests of the data holder and the names of the natural persons concerned. The permits issued can also prescribe the manner in which the data will be provided and conditions.
  • A health data access body[14] would be responsible for the administration of Chapter 4 of the EHDSA. Such a body would issue or revoke data permits, impose penalties[15], examine proposed uses, supervise data users’ compliance with the conditions set out in the data permits, and maintain a management system to keep track of the data permits used during their lifecycle. They would help translate principles into practice.
  • The EHDSA balances interests in requests for access and use of the data. Data requests can either result in direct access to the health data or they may only result in the provisions of answers to requests with anonymized statistics, without having to grant access to the actual data per se[16].
  • Data holders, the organisations contributing to the exchanges would be responsible for ensuring the quality of the data being processed and remain accountable for the maintenance of the data.
  • Data quality would also be a key focus point for compliance. Article 41 sets out in details the duties of the data holders which include ensuring the data quality and utility label accompanies the dataset including sufficient documentation to the health data access body for that body to confirm the accuracy of the label. There would be commitments to put the data at the disposal of the health data access body within 2 months from receiving request for access as well as undertakings to ensure that enriched datasets are made available unless the data holder considers such data enrichment as unsuitable in which case the data holders will have to inform the health data access body.
  • The EHDSA[17] also sets out the need for datasets made available through health data access bodies to have a EU data quality and utility label provided by the data holders which will have to comply with the following key elements: technical quality showing the completeness, uniqueness, accuracy, validity, timeliness and consistency of the data; information on data enrichments: merging and adding data to an existing dataset, including links with other datasets; and for data quality management process, level of maturity of the data quality management processes, including review and audit processes, biases examination.
  • As envisaged, secondary purposes do not appear flagged in proposals for the SG HIB

    Singapore is a uniquely positioned territory within Asia.

    She has diverse multi-ethnic make up in her population, according to the views of local media, its world-class healthcare is somewhat under-utilised[18] but there is recognition of the excellence of the sector[19]. It is a first world city with a racially diverse and technologically advanced society that brings with it a culture of compliance and rigorous standards of governance.

    Its government-led approach has also allowed it to move forward with the development of a robust technological ecosystem, now ripe for further innovation. It would seem to present a clear and compelling case for an EHDSA style or EHDSA inspired approach.

    Whilst no doubt key differences apply in the Singapore and EU context, Singapore is well-positioned to take, if not entrench, a regional, if not global, leadership role in healthtech. To do this, its legislation would need to help propel such leadership.

    The SG HIB presents an opportunity to enact legislation in this regard. And whilst the SG HIB’s focus on use of health data for primary purposes is absolutely critical and right-focused, one would be hard pressed to identify any substantive discussion on health data exchanges or the controlled sharing of health data for innovation.

    Without taking anything away from the importance of its current mandate to promote healthcare, might this be a missed opportunity?

    Conclusion

    A fuller comparison of the SG HIB and the EDHSA is beyond the scope of this article, but the premise of whether the existing frameworks in Singapore can allow for a possible expanded use of the data in our NEHR the same way that the secondary purpose is envisaged under the EHDSA is a key one to explore We will do this further In Part II of this series, where we will discuss further whether Singapore is able to emulate and allow for similar secondary uses of the data under its NEHR.

    Part 1 of 2 part article on Healthcare Information Innovation in Singapore

    Authors: Jeffrey Lim and Frederick Tay

    Footnotes

    [1] NEHR FAQ (synapxe.sg)

    [2] https://www.healthinfo.gov.sg/overview/introduction/

    [3] As at this time, the intended date by which such contribution is to be made is stated as “end-2025” �� See Q12 FAQs - Should the HIB be passed, MOH intends to implement mandatory contribution in phases, starting from end-2025, depending on the readiness of each category of healthcare provider. This is to allow sufficient time for HCSA licensees and approved contributors to meet the requirements stipulated in the Bill.

    [4] Refer to objective 4 of the national-medicines-policy.pdf (moh.gov.sg) that was last updated on 22 November 2022.

    [5] https://ec.europa.eu/commission/presscorner/detail/en/IP_24_2250

    [6] Proposal for a regulation of the European Parliament and of the Council on the European Health Data Space 2022/0140 (COD)

    [7] Chapter IV of Proposal for a regulation of the European Parliament and of the Council on the European Health Data Space 2022/0140 (COD)

    [8] Article 33(1) of Proposal for a regulation of the European Parliament and of the Council on the European Health Data Space 2022/0140 (COD)

    [9] Defined as “collection of electronic health data related to a natural person and collected in the health system, processed for healthcare purposes”.

    [10] Article 34 of Proposal for a regulation of the European Parliament and of the Council on the European Health Data Space 2022/0140 (COD)

    [11] For an article that further argues that this data scarcity could lead to inequality in societies, see “Health data poverty: an assailable barrier to equitable digital health care”, The Lancet, Volume 3, Issue 4, E260-265, April 2021, Ibrahim, Liu, Zariffa, Morris and Kenniston - https://www.thelancet.com/journals/landig/article/PIIS2589-7500(20)30317-4/fulltext

    [12] For instance, see “Enablers and barriers to the secondary use of health data in Europe: general data protection regulation perspective”, accessible at NIH National Library of Medicine, National Center for Biotechnology Information https://www.ncbi.nlm.nih.gov/pmc/articles/PMC8994086/, 9 April 2022, by Vukovic, Ivankovic, Habl and Dimnjakovic. And this echoes earlier arguments made when the EU GDPR was still relatively new, certain authors had argued that its rules would have a negative impact on the development and use of A.I. – see “The Impact of the EU’s new Data Protection Regulation on AI”, Center for Data Innovation, 27 March 2018, Wallace and Castro  - at https://www2.datainnovation.org/2018-impact-gdpr-ai.pdf

    [13] Article 45 of Proposal for a regulation of the European Parliament and of the Council on the European Health Data Space 2022/0140 (COD)

    [14] Articles 36-39 of Proposal for a regulation of the European Parliament and of the Council on the European Health Data Space 2022/0140 (COD)

    [15] Article 43 of Proposal for a regulation of the European Parliament and of the Council on the European Health Data Space 2022/0140 (COD)

    [16] Article 47 of Proposal for a regulation of the European Parliament and of the Council on the European Health Data Space 2022/0140 (COD)

    [17] Article 56 of Proposal for a regulation of the European Parliament and of the Council on the European Health Data Space 2022/0140 (COD)

    [18] See “Commentary: Healthcare in Singapore is world-class – and under-utilised”, Channel News Asia, 13 July 2023, Richard Hartung, at https://www.channelnewsasia.com/commentary/singapore-healthcare-system-healthier-sg-healthy-living-3623296

    [19] See – Brookings Institute “The Singapore Healthcare System: an Overview” at https://www.brookings.edu/wp-content/uploads/2016/07/affordableexcellence_chapter.pdf or “The Remarkable Healthcare Performance in Singapore” September 2019, Ramesh and Bali at https://academic.oup.com/book/42635/chapter/358101444.