NEHR: A Patient’s Perspective Through A Doctor’s Eyes

Privacy in Your Own Home? Think Again.

Imagine you owned a property you call home. It can be a simple 4-room HDB flat or a sprawling Good Class Bungalow (GCB) in District 10. You receive guests from time to time. Naturally, there are some guests you allow only to sit in the sitting room and maybe you allow them to go to the kitchen so that they can go to guest toilet in the 4-room HDB flat. But certainly, you will not let them go to the master bedroom or use the toilet adjoining it or your children’s bedrooms, unless they are very close relatives or friends. And I mean real close.

If you are staying in a bungalow with many rooms, it gets even more complicated. You may have a family room upstairs or private dining area away from the dining area where you entertain guests. The bungalow may have a study, an attic or a domestic worker’s room which guests are never welcome. In fact, you do not even want anyone other than your immediate family members to know that these rooms exist. These are very ‘private’ rooms not meant for anyone else to enter other that your immediate family members who live in this building or the domestic worker that cleans these areas. You would normally welcome guests in the sitting room or dining room where you entertain. But rarely would a guest be welcomed upstairs where your family and you share private times together.

Now serious problems arise when a bunch of people who now insist that once they enter through the doorway into your sitting room, they have a right to access every single area in the house, including your master bedroom toilet and your wife’s walk-in wardrobe as well as your study and your kids’ study. Not only that, this bunch of people want to rummage through your refrigerator and trash bin to gather information on what foodstuff you have been buying, eating and disposing.

Would you allow that? I wouldn’t. And I guess neither would 90% of people in Singapore.

But that is what the National Electronic Health Record (NEHR) does, in an analogical sense. Actually, the NEHR goes further than this. You don’t even have to allow the person through the front door. Any person who claims he has business or matters to deal with you can walk into your house and every room in your house. He is presumably “authorised”.

This hobbit understands that today, the NEHR has been rolled out in all Restructured Hospitals other than IMH. Any doctor who attends to you has a right to enter into your NEHR and see practically everything there (walk through every room in your house). There may be some small pockets they may not access (equivalent to the small safe in your bedroom) to. He can even go into your fridge or wardrobe and see what you have bought (look at your pharmaceutical record) or eaten.

And you do not even have to allow him in. He just has to claim he is your doctor. Of course, if he isn’t your doctor, that can be tracked, and the doctor will be punished. But that is post-fact. The damage is already done, your house/NEHR has been trampled all over already by the trespasser or unwanted visitor.

Privacy Rights – The Right To Control Who Knows What

The NEHR does not take into account the privacy rights of the patient in a contextual sense. There are some things I will tell Doctor A and there are other things I want only Doctor B to know. I do not want Doctor A and B and C (whom I see for different things and in different contexts) to know everything or have the same information about me.

The fact is, we all compartmentalise our lives. In our families, there are some things we tell certain family members and some things we tell other family members. Each family member often has different information or data-sets of us.  This is even applicable to close family members, such as siblings or children. Do you tell all you siblings or children exactly the same information about yourself?

The same applies in the workplace – certain colleagues know something of us that other colleagues do not. Of course, relatives and colleagues may share information among themselves through interaction but such interaction is usually coincidental, contextual and limited so that it is extremely unlikely that many relatives or colleagues have the same information about us. A simple example would be I would tell my sister certain information and I would tell my brother other information. I will also tell them they must tell no one. I thus retain privacy rights. Of course, if they betray my trust and tell each other the information they possessed without my permission, that is a breach in confidentiality (not privacy). We must not conflate confidentiality with privacy.

This is the essence of privacy rights being applied in our daily lives. As private individuals, we have the right to decide what each person knows about us through the selective disclosure of information to different parties by us. The control lies with me almost all the time, hence it is my right to privacy. It is not a privilege conferred by others. So, the latest reporting that states folks may opt-out of having their information onto the NEHR on a case-by-case basis (subject to approval) is manifestly not good enough. Case-by-case means it is a privilege conferred, not a right possessed. I have a right to privacy, not a privilege of privacy.

Of course, I do not have absolute control over privacy all the time. The elected government with the mandate of the people may take away those rights once in a while through the passing of laws. For example, the Infectious Diseases Act takes away some of these rights. Doctors have to inform MOH when their patients contract certain communicable diseases. The underlying premise is that this limitation of the individual’s privacy rights must be for a greater public good – the prevention and control of an infectious disease outbreak that affects a great many people.

However, what is the “greater public good” justification for the sharing of my medical information as a patient with all my caregivers? I would say that there is little good other than my own well-being or personal welfare. Don’t I get to decide what personal good I intend to achieve with the NEHR? Why can’t I decide what information to give each doctor or caregiver (e.g nurse)? Or even more fundamentally, If I decide to opt out completely of the NEHR, why is my doctor still forced to upload my information onto the NEHR? Yes, when I opt out, no one can access the NEHR, but that is a question of confidentiality, not privacy. My personal well-being arising from participating in the NEHR is not a public good, unlike that of the Infectious Disease Act. The decision to opt-out of the NEHR may be a medically suboptimal decision, but that is my business, not the people who operate the NEHR, as long as I know the consequences of me opting out.

NEHR: Runs Against the Grain Of Current Case Law?

It is even more confusing when you consider this in the light of the direction of medical ethics that our honourable judges are trying to steer us. The Modified Montgomery (MM) Test is now firmly established as case law in Singapore. Essentially, the MM Test firmly puts patient autonomy at the forefront of medical ethics in the country. The Chief Justice has said that patient autonomy is the “first” of the four core principles of medical ethics of beneficence, non-maleficence, social justice and autonomy.

The MM test basically says the patient has a right to decide what he wants, even if the final decision is medically-speaking sub-optimal and that the doctor’s responsibility is NOT to make that decision for the patient but simply to provide all relevant information (from the patient’s perspective) to the patient so that he can make an informed decision. An informed decision from the patient’s perspective may not be the best medical decision from the doctor’s perspective, and if the two do not match, the patient’s decision must prevail (as long as it is not against the law, such as euthanasia, surrogacy etc.). The MM test ensures that patient autonomy is expressed in its fullest sense in our society.

If that is the case with the MM test, then why are the NEHR planners and implementers forcing each patient to

  • share the same medical information with all doctors and nurses when the patient may prefer otherwise?
  • have their medical information uploaded onto the NEHR, even when the patient has opted-out?

Therefore, the NEHR as it now stands, is clearly going down the slippery slope of compromising patient autonomy.


A simple example would be, say, a married, 40 year old, working, female PMET. She would have in all likelihood most or all of the following doctors –

  • a family GP she, her spouse and her children see (who happens to be her old classmate from junior college);
  • a company doctor she sees occasionally at the workplace when she is unwell;
  • a gynae who delivered her kids and does the her pap smears and gynae checkups;
  • a breast surgeon who removed a benign breast lump a year ago and
  • an aesthetic doctor she goes to occasionally for pigmentation treatment as well as for the occasional skin peel.

We haven’t even talked about other doctors she has used whom she hasn’t any recollection of – such as the radiologist, pathologist or anaesthetist, who ALL have “rightful” access to her NEHR records as “authorised” healthcare professionals.

Do you think she wants ALL her doctors to know she has had laser treatment for face pigmentation every six months? (We are not even talking about more extensive “work” like liposuction, filler injection and breast implants, just simple laser treatment for pigmentation)

Or do you think a 45 year-old homosexual man wants all his doctors to know he has had treatment with Dr Y for anal warts excision? (He hasn’t “stepped out” yet)

Or would a 58 year-old woman who is now happily married with adult children want anyone to know she had an abortion when she was 17 (We all make mistakes when we were young, just some mistakes are bigger than others)?

Would anyone want all his or her doctors to know one is on antidepressants or erectile dysfunction drugs? Most men wouldn’t even want most of their doctors they see to know they have prostate problems, let alone be given Cialis or Viagra.

Or that all your doctors now know you have been tested for HIV before (result negative, whew) and the test is not part of a mandatory pre-employment workout?

Or that the radiology results of you, a lady, who had a fractured cheek bone as shown in an X-ray taken at the A&E 10 years ago after your then (now ex-) husband assaulted you, is now known to all doctors and nurses taking care of you now for fractured ribs, whiplash and concussion arising from a road traffic accident? Your current husband loves you, but he is wondering why he gets strange looks when he visits you in the hospital from all the hospital nurses and doctors.

Of that that a well-known 60-year-old CEO of a bank (or Professor) was once admitted to a hospital for observation after a fight and had lost consciousness and fractured his nose 40 years ago?

The list goes on and on.

What NEHR Will Contain….

In case you are wondering if these examples are realistic, well – according to the official NEHR brochure: the following information will be uploaded onto the NEHR:

  • Admission and visit history
  • Hospital discharge summaries
  • Laboratory test results
  • Radiology results
  • Medication history
  • History of surgeries or procedures
  • Allergies and adverse drug reactions
  • Immunisations

So all the above scenarios can happen in real life.

Seriously, from my personal viewpoint, I would like to share only the last two points onto the NEHR without reservation so that all my doctors and care-givers (i.e. who are “authorised healthcare professionals, according to the abovesaid brochure) can know this about me: allergies, adverse drug reactions and immunisations.

This hobbit has serious reservations about the rest, and thinks they should be handled with extreme care.


The last point I would like to deal with is that of security. Security can basically be defined as measures put in place to prevent breaches of confidentiality. How secure is the NEHR? I am confident that the planners and implementers have tried their reasonable best to ensure best practices in IT security have been put in place or are being put in place. After all, the NEHR, being backed by government, has enormous resources to do so.

Even then, no IT system, especially one that is internet-based and cloud-based, with literally unlimited number of entry points (every clinic or hospital computer that is linked to the internet is an entry point into the NEHR) is hack-proof. If it were not so, there would be no need for the government to delink civil servants’ work computers and intranet from the internet last year. It was reported this affected all 143,000 civil servants. That is a tacit admission that no security system is fool-proof or hack-proof. I suppose this shows cyberthreats cannot be wished away, but they can be effectively partitioned away.

This hobbit is sure the NEHR is as secure as can be, but not quite more secure from the civil servants’ work computers before they were delinked from the Internet. In fact, the fact that the NEHR exists must in itself be a very tempting trophy database for hackers from all over the world to try and test and breach.

In the event a breach happens and records and medical information are stolen, what is the liability of the NEHR or  the government with regard to this breach, and what are the rights of the affected patients? Can he seek redress, compensation, damages etc.?

This hobbit is unsure. These are not stated in the aforementioned NEHR brochure. Theoretically, the NEHR is exempt from the provisions of the Personal Data Protection Act (PDPA) as it is a government programme. Today, if there is unauthorised access to your data with say, your mobile phone network operator, the mobile phone network company MUST inform you so, because the company has to comply with the requirements of the PDPA. If your GP record has been hacked into today (Pre-PDPA) or physically stolen, your GP has to inform you too. You can probably sue your GP or the mobile phone network company for civil damages and the regulators can use the provisions of the PDPA to punish the GP, or the mobile phone network company.

If there is a breach of the NEHR and your record is stolen, will the administrators inform you? No one knows. Will the penalties of the PDPA apply? Probably not. Can you sue the NEHR for civil damages? Again, this hobbit really doesn’t know.


In conclusion, is the NEHR a bad thing? No. But a lot of work needs to be done with the NEHR as it now stands; beginning with:

  • We need to discuss openly about the potential downsides of the NEHR as the NEHR currently stands and not just only extol the positives of NEHR.
  • We need to recognize that privacy rights need to be adequately addressed. The patient has to retain the power to give and retain information to the healthcare professionals or settings as he sees fit. It is natural to compartmentalise our lives and our interaction with people, and this compartmentalisation extends to the healthcare realm. You cannot talk about confidentiality and security without settling the issue of privacy rights first.
  • We need to clearly spell out the rights of the patient and the responsibilities and  liabilities of the NEHR owner(s) when there is a security breach. Some sort of a patient charter should extend to the realm of NEHR too.

And we are only talking about looking at the NEHR from the patient’s perspective. We haven’t even talked about the NEHR from the perspective of the people who record and use the information – the healthcare professionals.

A reader of this article may well ask “The typical or average patient in Singapore will in all likelihood not know the issues this article has raised and will not be concerned as such”. It is because this Hobbit is a doctor that he can understand and bring up issues such as privacy, confidentiality and security which dogs the planning and implementation of NEHR.

But that is besides the point. We are actually all in the same boat as “patient advocates”, working for the patient’s best interests and betterment of patient’s well-being: politicians, civil servants, IT experts, healthcare professionals such as doctors, nurses etc., and of course the patients themselves. If we are sincere and serious about being patient advocates, then the questions raised in this article need to be communicated to the public, recognised, considered and addressed by all stakeholders. These issues cannot be ignored, dismissed or simply swept aside if we truly work in the best interests of the patients from a holistic and comprehensive perspective.

The residency rollout was one bad example where those in power then were dismissive of the issues and reservations raised. They steamrolled ahead and adopted the ACGME-I system and the results are for all of us to see now. It is still early days, the NEHR need not go down the same  painful route as residency.


9 thoughts on “NEHR: A Patient’s Perspective Through A Doctor’s Eyes

  1. Hello Hobbit,

    Although I am new to the healthcare industry, I am a little familiar with the soon-to-be-enacted Healthcare Services Act, and thus may be in a position to comment on the regulatory aspect of NEHR.

    Most GPs and hospital staff will be aware that soon, all healthcare establishments will have to contribute patient data to this national platform large enough to host and detail the health history of all patients, local or foreign. There will be no luxury of choice in this matter – it will be compulsory by legislation.

    From a patients’ or a layman’s perspective, it almost feels like you’re being pushed into a corner to accommodate the governments’ penchant for centralising everything and safekeeping your precious toys ‘for your own good’. In doing so, the cost is clear – your privacy on health matters.

    My stand is: it’s a necessary evil. I cannot disclaim the bedrock of which your disdain for NEHR stems from – the loss of privacy – but I feel that your pathos lacks a little context and balance. Maybe if i could offer some insight on the regulatory aspects of NEHR, you might find your stand shift some.

    Your opening analogy on letting anyone into the private confines of your home is a fair bit myopic I must say (Im really sorry for the ironic wordplay but i just had to). To me, a more qualified analogy would be that you are looking for a redesign for your house. It would make the layout of your home more sensible to you and more appealing to those who wish or have to visit. To do so, you engage an interior designer. A contractor. A carpenter. Whoever that needs to be there to get the job done. The renovation of your home is not unlike the move from EMR to NEHR. It does come at a cost – your house gets dirty, everyone goes into every corner of your house – yet you bear with it because you know (or hope) something good will come out of it. I find it reasonable to open my house to these people as and when you need more works and procedures done. After all, it’s hard to work blind isnt it? And of course not everyone can get away with messing up your house. Only those who have reason to. I guess that is the premise of NEHR.

    I suppose the NEHR is there for utilitarian reasons. I believe they only keep information that will be of use to clinicians thereby benefiting patients. Aesthetic procedures (as you mentioned) are not even in the scope of the healthcare services act, and thus will not be obliged to comply with the whole part on NEHR in the new Bill (23 of 106 pages currently). It makes sense. Doctors responsible for your care do not need to know if you have had lasers coming out of your face. Only the ones that matter and perhaps a little more. They did stipulate the set of core patient data to be contributed; but it doesn’t extend beyond the self. What would be unreasonable and un-purposeful is if your family history, genomic profile, sexuality, sexual history and vital statistics all goes up together into the cloud.

    It is also a little unfair to say that ushering in NEHR throws away your right to confidentiality and privacy so carelessly and nonchalantly. The implementation of NEHR comes at a time when privacy and data protection is of top priority and of paramount importance in the hospital setting. Even this new bird here is starkly aware that more often that not, PDPA concerns stem from the handling of patient data rather than corporate intelligence. All hospital staff can say with absolute certainty that they will not know a thing about your medical history unless you are directly in their care. I believe there will be measures in place to ensure your data, if made available to patients, are handled appropriately and responsibly.

    There are also several privacy safeguards in place despite NEHR. It seems that the health authorities can define the access rights of healthcare institutions and specify which items of health information that the approved user may access. While we both do not agree with the implied consent model of the NEHR, again I believe its a evil borne out of necessity. It will be an administrative nightmare if each and every person had to provide his explicit consent, and frankly I can’t imagine it working out at all. To me it’s like a scaled up model of the EMR some hospitals have in place, and no one is complaining about it. It just needs a little bit of perspective (please correct me if I’m wrong). In other words, if a person goes to the same hospital or clinic always, then the NEHR will never have any presence in his life, considering that the doctors will have all his records anyway, and in more detail at that.

    Which brings me to the point about the opt-out procedures. As far as i know, there are two ways a patient can protect his privacy. The milder option is to ‘opt-out’, which results in patient data being uploaded onto NEHR still, but under a lock and key. Like a password-protected file, it’s there when you need it, but out of reach to anyone else. That sounds like a fair compromise and some semblance of autonomy on your privacy. The other option is to completely not have your data uploaded to NEHR at all. Yes, the case-by-case basis is a caveat that almost sounds conditional, but I thought the intent was firstly to ensure that patients who choose this have rationalised their decision, and secondly to bring to attention that it would cause a big gaping hole which will still remain a big gaping hole should you need to retrieve your past medical records for any reason.

    While I cannot comment on the security of the NEHR, mishandling patient information is not going to be condoned. What’s new in the Bill are offenses pertaining to NEHR and its misuse, and this extends to anyone who is privy to any form of data in NEHR. Penalties are harsher, and implication of the Licensee in the event of breaches will mean that they simply have to pay more attention to security and proper management of sensitive data. Third-party entities and agencies outside of the healthcare industry may have access to health information on NEHR, however they may come anonymised and with several strings attached – either you use it for research, or you use it with the person’s informed consent, or if it is for the public’s interest.

    As much as a proponent of the NEHR that I am, I am not convinced that the NEHR was built with a patient-centric focus. Instead of the the individual himself being able to determine which information is made available and to who, its the big guys up there who set out the requirements and the rules. Ideally, it shouldn’t be a lock, stock and barrel approach – either you go all-in, or fold. It literally can be do or die in some cases. More autonomy should be given to the beneficiary to peg his comfort level to how much he wants to give. That being said, NEHR as a young, foolish and carefree thing, may mature to become an indispensable tool for many.

    I’m getting tired so I’ll share a pretty irrelevant quote from a movie I’ve just managed to watch and love. From the film Call me by your name,

    ‘Is it better to speak or to die?’


  2. Great write up, all decision stakeholders should seriously study and think through issues of privacy, confidentiality, and Internet breaches that are bound to occur.


  3. I must voice out that it is very disturbing that patients are not given a provision to choose not to have any of their records, including pre-existing NEHR records, stored in their NEHR. The proposed bill specified that patients may choose to not have any of their records contributed to their NEHR on a case-by-case basis if they were to opt out of NEHR after the bill is enacted, but what happens to the NEHR records which are already added before a patient opts out?

    Are they retained despite having ceased data contribution to the NEHR upon opting-out?

    Should patients not be given the autonomy to opt for a 100.00% CLEAN opt-out, it would very wrong, for many patients were not even well-informed during the point of consultation that their medical information would be put into such a database.

    Accessing NEHR for any non-patient-care purposes can be prohibited, patients can also impose access restriction on their NEHR via the currently available opt-out form, but it only takes a prata-flip in the legislation for someone’s records to be unlocked, reviewed, and the information conveyed to third-parties.

    Like you had shared above, sensitive medical histories on the NEHR are like ticking time-bombs waiting to ruin the dignity, reputation, career and even marriage of many Singaporeans.

    The move to compel mandatory contribution is purely rash, and the current amount of opt-out provision is downright orwellian and short-sighted.


    1. “what happens to the NEHR records which are already added before a patient opts out?”

      I asked an officer this question before. He said that it will remain within the system but cannot be accessed by anyone. After opting out, new records will not be added. They don’t have an option to delete the already added records, but they say that it is locked.


  4. I am wowed by your foresight, SingHealth was hacked a few months after your article. On the bright side, your point on opting out is now outdated. Doctors are no longer required to upload patient records if the patient has opted out.

    I only wish that they allow you to selectively opt out. Right now if you opt out, you opt out of everything, including allergy records.


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s