Jennifer Carroll MacNeill (Dún Laoghaire, Fine Gael) | Oireachtas source

I am pleased to present the Health Information Bill to Seanad Éireann following its recent passage through the Dáil. The Bill is about something very simple but very important - making our health service safer, more joined up and more patient centred by ensuring that health information can move securely to where it is needed. Today far too much of our health information is held in totally disconnected systems. Patients repeat their stories, clinicians lack full information and vital insights for planning their care are difficult to access. This Bill begins to change that. It puts patients in control of their information. It supports better care and it lays the foundation for a modern, digital health service. Digitising services across health and social care is a Government priority and successive budgets have provided increasing funding to develop and deliver on digital health initiatives. One such initiative is the HSE patient app, launched in February 2025, which makes us all true partners in our health journey. If Senators have not already downloaded the health app, which I am sure they all have, I take this opportunity to encourage them to do so.

The Health Information Bill provides the clear legal framework needed to support digital health initiatives such as electronic health records, secure information sharing and improved planning. Crucially, it also ensures that Ireland can meet its obligations under the EU European Health Data Space Regulation, which took effect in 2025 and gives patients across Europe greater access to, and control over, their own health information. The Bill, as passed by the Dáil in November 2025, is divided into five Parts with 25 sections. It provides a clear legal basis for the creation of electronic health records. It clarifies the HSE's authority to obtain necessary information for good planning and performance oversight. The Bill is framed around each of us as patients, and our rights to have our health information managed in a way that supports integrated health and social care.

I will provide a brief explanation of the sections. Part 1 provides definitions of important terms used in the Bill as well as the standard provisions including commencement and regulation-making powers. It also provides that the operation of the Act must be reviewed within five years of enactment and a report laid before the Houses of the Oireachtas.

Part 2 provides for a statutory duty to share, and contains sections 7 to 9, inclusive. Section 7 places a statutory duty on all health services providers, whether they be public, private or voluntary. Everybody has an obligation to share personal health data with other health services providers for the purposes of patient care and treatment. The HSE is tasked with setting out guidelines on the information to be shared, how it is to be shared and within what periods.

Section 8 introduces a legal obligation on a health services provider to forward a patient's personal health data to another health services provider at a patient's request. Section 9 places an obligation on any health services provider that intends to cease providing health services to notify their patients about the date on which they intend to do so, and the arrangements they are putting in place to ensure their patients' personal health data can be made available to another health services provider for care or treatment. In essence, the health services provider does not own the data. The patient is in charge of their data and the State is the manager for that. Part 3, sections 10 to 21, inclusive, provides for the creation and assignment of electronic health records for every patient in Ireland. Ensuring that the right information is available in the right place at the right time is fundamental for delivering on Sláintecare's vision of integrated care. Electronic health records will not only support patient access to and control over their own data, but it also provides health professionals with a more complete and holistic view of patients they are treating. The creation of electronic health records will also provide vital population-based data, which will enhance the HSE's ability to carry out the core functions of service planning and management while also driving efficiency and better care.

Section 10 empowers the HSE to create and assign each person electronic health records.

Section 11 sets out the information to be contained in said health record. These contents mirror the categories under the European health data space, EHDS, regulations, such as prescriptions, dispensations, medical imaging studies, medical test results, discharge reports, etc. The patient summary contains 18 information subcategories, which together give a high-level overview of a patient's health. Those categories have been developed at EU level and contain information on diagnoses, medications, allergies, procedures, etc., while patient-provided data reflects the right of patients to insert information on their own electronic health records. That is clearly distinguishable from the information that is put in by a health services provider. The Bill provides for the best practice use of eircode and PPSN to uniquely identify patients in line with national digital strategy and public service identity management. Those stronger identification processes will help enhance patient safety, security of access and data linkage.

Section 12 confirms that providers may collect a patient's PPSN to ensure safer, more accurate information. It is really important to note that patients will not be refused a health service solely because they have not been allocated or issued with the PPSN or they are not in a position to provide that. It is an effort to streamline health services so that we know who we are treating and that we are collecting information for a single identified person.

Section 13 provides that an electronic health record may be accessed by the patient, a health services provider or an employer or agent for the purposes of record maintenance. It also provides that patients can request rectification of information contained in their record and that a health services provider can restrict access by a patient or appropriate person to information where that would be likely to cause harm to the physical or mental health to the patient. Any such restriction has to be necessary and proportionate and should only apply to the part of the electronic health record that would give rise to concern. The HSE will also be required to adopt the necessary safeguards to ensure the security of records to guard against improper access, meeting the requirements of the EHDS regulations and complying with EU-wide legislation on cybersecurity, including the NIS2 directive.

Section 14 provides that a patient can restrict access to information in his or her record so that it cannot be seen by health services providers. The HSE is required to inform the patient that such a restriction could impact on the care that he or she receives but, again, we are trying to empower patients to make the decisions they wish to make. The section also provides that health service providers may access such restricted information in emergency situations where access is needed to protect the vital interests of the patient. Any use of that break-glass provision needs to be recorded and the details made available to the patient.

Section 15 provides that a patient has the right to obtain information on access to his or her electronic health record. The HSE will be required to put in place appropriate logging and auditing functions to enable patients to know what has been accessed, by whom and when.

Section 16 provides for the Minister's regulation powers.

Section 17 provides that electronic health records may be used by health service providers for the purposes of care and treatment and by the HSE for specified public interest purposes relevant to the statutory remit, namely, public and occupational health policymaking regulatory activities.

Section 18 provides that the HSE may enter into a reciprocal agreement with equivalent bodies and so-called third countries.

Section 19 sets out the manner which the HSE can request the provision of personal health data.

Section 20 sets out the process in the event of non-compliance with any requests.

Section 21 provides for HSE guidelines in relation to the Act and persons who have to be consulted, etc.

Part 4 is very important. It sets out a number of specified public interest purposes, including service planning and performance management, for which the HSE can request and receive health information from entities across the healthcare sector. The provisions set out under Part 4 will support greater and effective use of health information. They are an absolutely critical step to moving beyond our current, often fragmented and, may I say, even reluctant approach to information sharing. As an example of that reluctant approach, Senators may be interested to learn of the challenges we continue to have in fulfilling Ireland’s obligation under EU statistical Regulation 2294 of 2022. The objective of that regulation is to provide internationally comparable data on healthcare facilities, resources and utilisation, offering a transparent and accessible view of the broader healthcare system and population-based data sharing.However, while there is now good engagement with the majority of private hospitals in this regard, it has taken us 18 months to get to this point and, even still, one private hospital remains unwilling to share the data required with the Department in order for Ireland to fully comply with this EU regulation. One private hospital is unwilling to share its patients' data, so that Ireland can comply with an EU regulation to gather patient data for the broader benefit of Irish patients. This is completely unacceptable. I propose to update Senators on the nature of this engagement on Committee Stage.

Likewise, Senators may be aware of the delays that I have seen, or the barriers to the implementation of the integrated financial management system, IFMS, among certain section 38 hospitals in receipt of enormous recurring public funding on an annual basis. These are hospitals like, for example, the Mater and St. James's, the voluntary hospitals. People going into a hospital may not be aware if they are in a HSE hospital or a section 38 hospital. Indeed, they may not care as long as they are getting good healthcare but what they will care about is the fact that the State funds all of those hospitals and that the legislation that we are now introducing makes absolutely clear that we expect that hospitals that benefit from the use of public funds across the health sector have a requirement for greater efficiency, oversight and, fundamentally, transparency.

IFMS is a single, integrated financial management system designed to improve financial reporting, expenditure analysis and forecasting across the health sector. It is part of the wider health service financial reform programme. It is my belief that the alignment of financial reporting across the publicly funded health sector through the use of IFMS is a crucial transparency measure for the State to ensure value for investment across the health service. As of July 2025, IFMS had been deployed to all hospital sites directly managed by the HSE, which means some 80% of all hospital expenditure is now managed through IFMS. Planning is under way on the timeline for further extending IFMS to the voluntary hospitals, as well as to other voluntary providers.

I appreciate that I am out of time. It is important that I can come back to this in the closing remarks. I am in the hands of the Cathaoirleach.