Introduction
The National Electronic Health Record (NEHR) is the backbone of Singapore's vision for "One Patient, One Health Record." Under the Health Information Bill (HIB), connecting to NEHR isn't optional—it's mandatory.
But for many clinic owners, the technical aspects of NEHR integration can seem overwhelming. This guide breaks down the process into manageable steps.
What is NEHR?
NEHR is Singapore's centralized repository of patient health records, managed by Synapxe (Singapore's HealthTech Agency) on behalf of the Ministry of Health.
╔═════════════════════════════════════════════════════════════════╗
║ NEHR Ecosystem Overview ║
╠═════════════════════════════════════════════════════════════════╣
║ ║
║ ┌──────────────────┐ ║
║ │ NEHR │ ║
║ │ (Central │ ║
║ │ Repository) │ ║
║ └────────┬─────────┘ ║
║ │ ║
║ ┌───────────────────┼───────────────────┐ ║
║ │ │ │ ║
║ ▼ ▼ ▼ ║
║ ┌─────────────┐ ┌─────────────┐ ┌─────────────┐ ║
║ │ PUBLIC │ │ PRIVATE │ │ COMMUNITY │ ║
║ │ HOSPITALS │ │ CLINICS │ │ CARE │ ║
║ │ Polyclinics│ │ Hospitals │ │ Pharmacies │ ║
║ └─────────────┘ └─────────────┘ └─────────────┘ ║
║ ║
║ All contribute and access health records through NEHR ║
║ ║
╚═════════════════════════════════════════════════════════════════╝
Current NEHR Participation
- •100% of public healthcare institutions connected
- •~30% of private providers currently participating
- •All 9 private hospitals committed to integration by 2025
- •Target: 100% of licensed providers by HIB enforcement (2027)
The NEHR Integration Process
Overview: 6 Phases to Go-Live
╔═════════════════════════════════════════════════════════════════╗
║ NEHR Integration Roadmap ║
╠═════════════════════════════════════════════════════════════════╣
║ ║
║ PHASE 1 PHASE 2 PHASE 3 PHASE 4 ║
║ ──────── ──────── ──────── ──────── ║
║ Assessment → Vendor → Technical → Security ║
║ & Planning Selection Setup Compliance ║
║ ║
║ │ │ │ │ ║
║ ▼ ▼ ▼ ▼ ║
║ ┌──────┐ ┌──────┐ ┌──────┐ ┌──────┐ ║
║ │2-4 │ │2-4 │ │4-8 │ │4-6 │ ║
║ │weeks │ │weeks │ │weeks │ │weeks │ ║
║ └──────┘ └──────┘ └──────┘ └──────┘ ║
║ ║
║ PHASE 5 PHASE 6 ║
║ ──────── ──────── ║
║ Testing & → Go-Live & ║
║ UAT Support ║
║ ║
║ │ │ ║
║ ▼ ▼ ║
║ ┌──────┐ ┌──────┐ ║
║ │4-6 │ │Ongoing│ ║
║ │weeks │ │ │ ║
║ └──────┘ └──────┘ ║
║ ║
║ Total Timeline: Approximately 4-6 months ║
║ ║
╚═════════════════════════════════════════════════════════════════╝
Phase 1: Assessment & Planning (2-4 weeks)
Step 1: Evaluate Your Current System
Answer these questions:
| Question | Why It Matters |
|---|---|
| What CMS do you currently use? | Determines if upgrade or replacement needed |
| Is your CMS NEHR-compatible? | Some systems have built-in integration |
| What data do you currently capture? | Identifies gaps in mandatory data fields |
| How is data currently stored? | Affects migration strategy |
Step 2: Identify Data Gaps
Compare your current data capture against NEHR mandatory fields:
╔═════════════════════════════════════════════════════════════════╗
║ NEHR Mandatory Data Fields Checklist ║
╠═════════════════════════════════════════════════════════════════╣
║ ║
║ PATIENT DEMOGRAPHICS CLINICAL DATA ║
║ ──────────────────── ───────────── ║
║ □ NRIC/FIN □ Diagnoses (ICD-10) ║
║ □ Name □ Allergies ║
║ □ Date of Birth □ Medications ║
║ □ Gender □ Vaccination records ║
║ □ Contact Information □ Lab test results ║
║ □ Radiology reports ║
║ □ Discharge summaries ║
║ ║
║ ENCOUNTER DATA ADMINISTRATIVE ║
║ ────────────── ────────────── ║
║ □ Visit date/time □ Provider details ║
║ □ Visit type □ Clinic/facility info ║
║ □ Chief complaint □ Consent records ║
║ □ Clinical notes ║
║ ║
╚═════════════════════════════════════════════════════════════════╝
Step 3: Define Your Integration Scope
Decide between:
- •Full Integration - Both contribute data TO and access data FROM NEHR
- •Contribution Only - Submit data to NEHR (minimum requirement)
- •Phased Approach - Start with contribution, add access later
Phase 2: Vendor Selection (2-4 weeks)
Option A: Upgrade Existing CMS
If your current CMS vendor offers NEHR integration:
- •Request integration module pricing
- •Verify MOH approval status
- •Check security certification (HIPAA, MTCS)
Option B: Switch to NEHR-Ready CMS
If you need a new system, evaluate:
| Criteria | Weight | Questions to Ask |
|---|---|---|
| NEHR Certification | Critical | Is the system approved by Synapxe? |
| Security Standards | Critical | HIPAA compliant? MTCS certified? |
| Local Support | High | Singapore-based support team? |
| Integration Experience | High | How many clinics successfully integrated? |
| Cost | Medium | Implementation + ongoing fees |
| Training | Medium | What training is provided? |
MOH-Approved CMS Vendors
Check the official list at Synapxe's NEHR page for current approved vendors.
Key Security Requirements for CMS Vendors
╔═════════════════════════════════════════════════════════════════╗
║ CMS Security Requirements Checklist ║
╠═════════════════════════════════════════════════════════════════╣
║ ║
║ ┌───────────────────────────────────────────────────────────┐ ║
║ │ MANDATORY │ ║
║ ├───────────────────────────────────────────────────────────┤ ║
║ │ □ Data encryption at rest (AES-256) │ ║
║ │ □ Data encryption in transit (TLS 1.2+) │ ║
║ │ □ Multi-factor authentication support │ ║
║ │ □ Audit logging of all data access │ ║
║ │ □ Role-based access controls │ ║
║ │ □ Regular security updates │ ║
║ └───────────────────────────────────────────────────────────┘ ║
║ ║
║ ┌───────────────────────────────────────────────────────────┐ ║
║ │ RECOMMENDED │ ║
║ ├───────────────────────────────────────────────────────────┤ ║
║ │ □ SOC 2 Type II certification │ ║
║ │ □ Penetration testing (annual) │ ║
║ │ □ Data backup and recovery │ ║
║ │ □ Singapore-based data hosting │ ║
║ └───────────────────────────────────────────────────────────┘ ║
║ ║
╚═════════════════════════════════════════════════════════════════╝
Phase 3: Technical Setup (4-8 weeks)
The Onboarding Process
NEHR integration involves a structured onboarding with Synapxe:
╔═════════════════════════════════════════════════════════════════╗
║ Synapxe Onboarding Process ║
╠═════════════════════════════════════════════════════════════════╣
║ ║
║ ┌────────────┐ ┌────────────┐ ┌────────────┐ ║
║ │ 1. │ │ 2. │ │ 3. │ ║
║ │APPLICATION │ → │CONNECTIVITY│ → │ SECURITY │ ║
║ │ │ │ SETUP │ │ REVIEW │ ║
║ └────────────┘ └────────────┘ └────────────┘ ║
║ │ │ │ ║
║ ▼ ▼ ▼ ║
║ Submit NEHR Setup secure Security ║
║ application connection to assessment & ║
║ via Synapxe NEHR gateway vulnerability scan ║
║ ║
║ ┌────────────┐ ┌────────────┐ ┌────────────┐ ║
║ │ 4. │ │ 5. │ │ 6. │ ║
║ │ DATA │ → │ TESTING │ → │ APPROVAL │ ║
║ │ MAPPING │ │ │ │ │ ║
║ └────────────┘ └────────────┘ └────────────┘ ║
║ │ │ │ ║
║ ▼ ▼ ▼ ║
║ Map your data Test data Receive formal ║
║ fields to NEHR transmission in authorization to ║
║ standards sandbox env go-live ║
║ ║
╚═════════════════════════════════════════════════════════════════╝
Data Mapping: A Critical Step
Your CMS data must map correctly to NEHR's standardized format:
| Your CMS Field | NEHR Standard | Format |
|---|---|---|
| Diagnosis | ICD-10-CM | Code + Description |
| Medications | SNOMED CT | Drug code + dosage |
| Allergies | NEHR Allergy Codeset | Allergen + reaction type |
| Lab Results | LOINC | Test code + result + units |
Network Requirements
╔═════════════════════════════════════════════════════════════════╗
║ Network Architecture for NEHR ║
╠═════════════════════════════════════════════════════════════════╣
║ ║
║ YOUR CLINIC NEHR SYSTEM ║
║ ┌─────────────┐ ┌─────────────┐ ║
║ │ CMS │ │ NEHR │ ║
║ │ Server │ │ Gateway │ ║
║ └──────┬──────┘ └──────┬──────┘ ║
║ │ │ ║
║ │ Secure Connection │ ║
║ │◄─────────────────────────────►│ ║
║ │ (TLS 1.2+ / VPN) │ ║
║ │ │ ║
║ ┌──────┴──────┐ ┌──────┴──────┐ ║
║ │ Firewall │ │ Firewall │ ║
║ │ (Clinic) │ │ (MOH) │ ║
║ └─────────────┘ └─────────────┘ ║
║ ║
║ Required: Static IP, Minimum 10 Mbps, 99.5% uptime ║
║ ║
╚═════════════════════════════════════════════════════════════════╝
Phase 4: Security Compliance (4-6 weeks)
The 39 Controls Framework
MOH's Cyber & Data Security Guidelines specify 39 parent controls for healthcare providers. Key areas include:
╔═════════════════════════════════════════════════════════════════╗
║ Security Controls Overview ║
╠═════════════════════════════════════════════════════════════════╣
║ ║
║ ACCESS CONTROLS (8 controls) ║
║ ─────────────────────────── ║
║ • User authentication (MFA required) ║
║ • Role-based access ║
║ • Session management ║
║ • Password policies ║
║ ║
║ DATA PROTECTION (10 controls) ║
║ ───────────────────────────── ║
║ • Encryption at rest ║
║ • Encryption in transit ║
║ • Data classification ║
║ • Secure disposal ║
║ ║
║ SYSTEM SECURITY (12 controls) ║
║ ───────────────────────────── ║
║ • Patch management ║
║ • Anti-malware ║
║ • Network security ║
║ • Backup & recovery ║
║ ║
║ OPERATIONS (9 controls) ║
║ ───────────────────────────── ║
║ • Audit logging ║
║ • Incident response ║
║ • Staff training ║
║ • Third-party management ║
║ ║
╚═════════════════════════════════════════════════════════════════╝
Security Assessment
Before go-live, your system must pass:
- •Vulnerability Scan - Automated scanning for known vulnerabilities
- •Configuration Review - Verify security settings
- •Access Control Audit - Review user permissions
- •Penetration Test (for larger implementations)
Phase 5: Testing & UAT (4-6 weeks)
Testing Stages
╔═════════════════════════════════════════════════════════════════╗
║ Testing Progression ║
╠═════════════════════════════════════════════════════════════════╣
║ ║
║ UNIT INTEGRATION SYSTEM UAT ║
║ TESTING → TESTING → TESTING → TESTING ║
║ ║
║ Individual CMS + NEHR End-to-end Real users, ║
║ components connection workflows test data ║
║ ║
║ ┌─────────┐ ┌─────────┐ ┌─────────┐ ┌─────────┐ ║
║ │ Vendor │ │ Vendor │ │ Clinic │ │ Clinic │ ║
║ │ Led │ │ Led │ │ +IT │ │ Staff │ ║
║ └─────────┘ └─────────┘ └─────────┘ └─────────┘ ║
║ ║
╚═════════════════════════════════════════════════════════════════╝
UAT Checklist
| Test Case | Expected Result | Pass/Fail |
|---|---|---|
| Patient lookup | Retrieve existing NEHR records | □ |
| Data contribution | Submit consultation to NEHR | □ |
| Medication recording | Medication appears in NEHR | □ |
| Allergy alert | Alert displays for known allergies | □ |
| Audit trail | Access logged correctly | □ |
| Error handling | Graceful failure, no data loss | □ |
Phase 6: Go-Live & Support
Go-Live Checklist
- • Security assessment passed
- • UAT sign-off obtained
- • Staff training completed
- • Support escalation path defined
- • Rollback plan documented
- • Go-live date communicated to Synapxe
Post Go-Live Support
╔═════════════════════════════════════════════════════════════════╗
║ Ongoing Support Requirements ║
╠═════════════════════════════════════════════════════════════════╣
║ ║
║ DAILY WEEKLY MONTHLY ║
║ ───── ────── ─────── ║
║ • Monitor sync • Review error • Security patch ║
║ status logs updates ║
║ • Address user • Check data • Access review ║
║ issues quality • Compliance check ║
║ • Backup verify ║
║ ║
║ QUARTERLY ANNUALLY ║
║ ───────── ──────── ║
║ • Staff refresher • Security ║
║ training assessment ║
║ • DR drill • Penetration test ║
║ • Policy review • Vendor review ║
║ ║
╚═════════════════════════════════════════════════════════════════╝
Funding Support
CSA Cybersecurity Grant
The Cyber Security Agency (CSA) provides funding support for clinics to engage MOH-approved vendors for cybersecurity measures.
Eligibility: Licensed healthcare providers Coverage: Up to 70% of qualifying costs Application: Through CSA's grant portal
Common Integration Challenges
| Challenge | Solution |
|---|---|
| Legacy CMS incompatible | Consider phased migration to NEHR-ready system |
| Staff resistance | Comprehensive training + change management |
| Data quality issues | Data cleansing before migration |
| Network reliability | Redundant internet connection |
| Cost concerns | Explore CSA funding, phased implementation |
Key Takeaways
- •
Start early - 4-6 month timeline means you need to begin now for 2027 compliance
- •
Choose wisely - CMS vendor selection is critical; prioritize NEHR certification and security
- •
Security first - Meet the 39 controls framework before attempting NEHR connection
- •
Test thoroughly - Don't rush UAT; data quality issues are hard to fix post go-live
- •
Train your team - Technology is only as good as the people using it
Next article: "HIB Penalties and Fines: What Happens If You Don't Comply"
For official NEHR onboarding information, visit Synapxe NEHR