On this page

Resource Guide

The Health Information Act and NEHR: what community care providers need to know

Last updated: July 2026

The Health Information Act (HIA), passed in January 2026 and expected to take effect from early 2027, requires healthcare providers licensed under the Healthcare Services Act — including nursing homes — to contribute key health information to Singapore’s National Electronic Health Record (NEHR). Contribution is phased by service type: nursing homes must contribute by September 2028. Community care services that are not HCSA-licensed, such as home care and senior care centres, are not currently mandated to contribute, but can apply to access NEHR through the Agency for Integrated Care.

What does the Health Information Act do?

The HIA creates, for the first time, a legal duty for licensed healthcare providers to share key patient information into NEHR — the national health record operated by Synapxe — so that a patient’s allergies, medications, diagnoses, and results follow them across care settings. Before the Act, contribution was voluntary, and coverage across the sector was uneven.

The timeline in brief: the Health Information Bill was passed by Parliament on 12 January 2026, and MOH has stated the Act is expected to take effect from early 2027 — deliberately leaving providers time to put data and cybersecurity measures in place. The operative deadlines, however, are the phased contribution dates by service type (September 2027, September 2028, and March 2030 — see the next section). MOH issued its implementation circular to all licensees in March 2026 and published the HIA Implementation Guide in April 2026.

Alongside the contribution duty, the Act imposes cyber and data security requirements on providers and their system vendors, restricts what NEHR data may be used for, and gives patients controls over who can view their record.

Who must contribute to NEHR — and who doesn’t?

The contribution mandate covers providers licensed under the Healthcare Services Act (HCSA) and retail pharmacies, phased in three batches:

BatchService typesDeadline
Batch 1GP clinics, acute and community hospitals, clinical and radiology laboratoriesBy September 2027
Batch 2Specialist clinics, nuclear medicine, nursing homes, contingency care, renal dialysis, dental clinicsBy September 2028
Batch 3Ambulatory surgical centres, assisted reproduction, retail pharmaciesBy March 2030

For nursing homes, the position is unambiguous: the Nursing Home Service is an HCSA-licensed service in Batch 2, so nursing homes must be contributing to NEHR — and meet the accompanying cyber and data security requirements — by September 2028.

Most other community care services are not mandated contributors. Standalone home care, senior care and day care centres, and active ageing centres are not among the HCSA licensable service types, so they are not currently among the mandated contributors. Hospice status depends on the licence held — an inpatient hospice operating under a Nursing Home Service licence would fall in Batch 2.

Contributing and accessing are separate things. Being outside the contribution mandate does not lock a provider out of NEHR: intermediate and long-term care services can apply for access to NEHR data, with eligibility checked through the Agency for Integrated Care and onboarding run by Synapxe. For care organisations coordinating with hospitals, read access is often the more immediately valuable half of NEHR.

What data must be contributed?

MOH describes the key health information as covering allergies, vaccinations, diagnoses, medications, laboratory test results, radiological images, and discharge summaries. The exact data types each provider must contribute depend on its licence type and are set out in the First Schedule of the Act.

Four boundaries matter in practice:

Contribution is prospective. There is no requirement to upload historical records — the duty applies to records generated from a provider’s contribution start date.

Detailed notes stay local. Consultation and progress notes are not required — NEHR takes structured key information, not the full clinical record.

It applies to residents, not visitors. The duty covers Singaporeans, Permanent Residents, and long-term pass holders — not transient visitors.

Data quality is specified. Contributions must meet defined quality standards and use national coding standards — SNOMED CT, LOINC, and the Singapore Drug Dictionary. In practice this is a systems question: structured, coded documentation of the kind a care management system produces, not scanned paper.

What safeguards do patients get?

A common misreading of the Act is that patients can opt out of NEHR. They cannot — what the Act provides is an access-restriction regime: data is contributed regardless, but patients control who may view it. Care staff answering family questions should get this distinction right.

  • Access restriction via HealthHub — patients can currently restrict access to all providers, and from later in 2026 will be able to share with selected providers only.

  • Safety information stays visible — allergy and vaccination records remain viewable by providers even when access is restricted.

  • Audited emergency override — doctors can override restrictions in a medical emergency, and every such access is logged and auditable.

  • Purpose limitation — NEHR data is for patient care; use for employment or insurance decisions is prohibited, with narrow statutory exceptions.

  • Transparency and enforcement — patients can view an access log in HealthHub and report inappropriate access to MOH. For providers, the Act carries a graduated enforcement framework — from warnings and rectification directions to composition and prosecution — though MOH has said first-instance technical failures to contribute will be met with help, not penalties.

How should a community care provider prepare?

MOH’s implementation guide sets out a concrete path. For a mandated contributor — a nursing home planning against the September 2028 deadline — preparation looks like this:

1. Confirm your obligations. Check your HCSA licence type against the batch table and the First Schedule’s data types for that licence. Providers outside the mandate should instead decide whether to pursue NEHR access via AIC.

2. Get onto a HIA-compliant system. Contribution happens through a HIA-compliant health information management system — one holding NEHR connectivity certification, a CSA Cyber Essentials mark (or equivalent), and declared compliance with the Code of Practice for Data Portability. Synapxe maintains the list of compliant systems; onboarding with a compliant vendor — including drug inventory mapping and deployment scheduling — takes up to five weeks. If your current system is custom-built, Synapxe’s vendor engagement team advises on enhancement.

3. Close the cyber and data security gap. The Act’s cyber and data security requirements — detailed in MOH’s CS/DS Essentials, published March 2026 — apply to providers and their vendors, including breach and incident notification duties to MOH. WerkDone’s security and compliance posture maps how a care platform supports these obligations in practice.

4. Use the funding. The NEHR Connect Grant provides one-off support for mandated contributors — a fixed S$14,400 for nursing homes, covering roughly two years of system subscription or up to 40% of enhancement costs — opening progressively from July 2026 (providers that received earlier MOH IT grants are excluded; current status at healthinfo.gov.sg). NCSS-member organisations can fund cybersecurity consultancy through the Transformation Sustainability Scheme, and SME operators can use the Productivity Solutions Grant for cyber solutions. The wider funding landscape is covered in our grants guide.

5. Start with documentation quality. The hardest part of NEHR readiness is not connectivity — it is having structured, coded clinical documentation to contribute. Organisations still running paper medication charts and free-text notes should treat the HIA timeline as the deadline for digitalising clinical documentation itself.

Frequently asked questions

Is NEHR contribution mandatory for nursing homes?

Yes. Nursing homes are licensed under the Healthcare Services Act, and the Health Information Act places the Nursing Home Service in Batch 2 of the phased rollout — nursing homes must contribute key health information to NEHR, and meet the cyber and data security requirements, by September 2028.

Do home care providers and senior care centres have to contribute to NEHR?

Not currently. The contribution mandate attaches to services licensed under the Healthcare Services Act, and standalone home care, senior care and day care centres, and active ageing centres are not among the HCSA licensable service types. They can, however, apply to access NEHR data — intermediate and long-term care services should contact the Agency for Integrated Care to check eligibility.

Can patients opt out of having their data contributed to NEHR?

No. The Act provides an access-restriction regime, not a contribution opt-out: data is contributed regardless, but patients can restrict which providers may view their record through HealthHub. Allergy and vaccination records remain visible to providers even under restriction, for patient safety, and doctors can override restrictions in a medical emergency — with every such access audited.

What system do we need in order to contribute to NEHR?

Providers contribute through a HIA-compliant health information management system (HIMS). To qualify, a system must hold NEHR connectivity certification, a Cyber Essentials mark (or equivalent) from CSA, and declared compliance with the Code of Practice for Data Portability. Synapxe maintains the list of HIA-compliant systems, and onboarding through a compliant vendor takes up to five weeks.

Is there funding for NEHR onboarding?

Yes. The NEHR Connect Grant provides one-off support for mandated contributors — a fixed S$14,400 for nursing homes — covering roughly two years of system subscription or up to 40% of enhancement costs, opening progressively from July 2026. Providers that received earlier MOH IT grants are excluded. NCSS-member community care organisations can also use the Transformation Sustainability Scheme for cybersecurity consultancy, and SMEs can tap the Productivity Solutions Grant for cyber solutions.

What happens if a provider does not comply?

The Act provides a range of enforcement actions, from letters of warning and rectification directions to composition and prosecution. MOH has stated that non-contribution caused by genuine technical difficulty is not treated as an offence in the first instance — it will help providers resolve issues — but deliberate or reckless non-compliance can draw directions, and failing to comply with a direction can trigger enforcement.

Get ahead of your NEHR deadline

Book a discovery call to talk through your HIA obligations, documentation readiness, and the system path to contribution.