eReferral Repository Ontario – New Ontario eReferral Network integration with the Provincial Care Coordination Gateway (PCCG) PIA Summary

Date of PIA Addendum Report: August 22, 2025

Date PIA Summary Last Reviewed and Updated: November 20, 2025

The following is a summary of the above-referenced privacy impact assessment (PIA), including a brief background, key findings, and risks and recommendations as applicable. See our Privacy Contact page to find information on how to contact the Ontario Health Privacy Office should you have any questions.

Background

The Ontario Health eReferral Repository is a key component of Ontario Health’s Central Waitlist Management (CWM) program and a significant advancement in health care data integration. Historically, Ontario Health collected a minimum data set from Health Information Custodians (HICs) participating in Amplify’s provincial eReferral service pursuant to its Prescribed Entity (PE) authority under the Personal Health Information Protection Act, 2004 (PHIPA).  Ontario Health collected personal health information (PHI) to support health system planning, management and evaluation and retained the minimum data set in its eReferral repository. Ontario Health is transitioning the to a new integration model using the Provincial Care Coordination Gateway (PCCG). The PCCG enables secure transmission and serves as the central routing layer for eReferral and eConsult data submitted by Health Information Custodians (HICs) through their Referral Management Systems (RMS).

To support the new Ontario Health eReferral Network, Ontario Health now will receive the full eReferral data set through the PCCG and will internally filter the data to create the Prescribed Entity (PE) data set for use in the CWM eReferral Repository. Amplify will no longer carry out filtering of the data elements before disclosure to Ontario Health.  There is a transition period during which Amplify continues to support the legacy eReferral network and data flows. However, PCCG will function as a routing layer and Health Information Network Provider (HINP) rather than as a data repository and no new PHI data elements are being collected as part of this project. As an Ontario Health operated HINP infrastructure, the PCCG supports secure message routing but does not collect or maintain PE data. Referral messages submitted through participating RMS to PCCG do not impact or alter Amplify Care’s existing PE disclosure process.

This Privacy Impact Assessment Addendum evaluates establishing connectivity between the eReferral Repository and PCCG and assessing the legislative and contractual framework supporting Ontario Health’s collection and use of PHI through PCCG as a PE.

Key Findings

The PIA concludes that the PCCG will become the routing layer for the eReferral network and will ultimately enable the decommissioning of the Amplify Care data flow to the PE Repository. The PIA Addendum describes the future-state dataflows as follows:

• HICs submit referrals (containing PHI) through their RMS, which acts as a service provider acting on behalf of Ontario Health for the purposes of submitting PE data.
• The RMS sends eReferral data to Ontario Health’s PCCG, which operates as a HINP and provides routing only. PCCG does not act as a data repository and does not retain PHI beyond what is required for secure transmission.
• Once routed, the eReferral data is ingested into CWM insights, which includes components for processing and storing eReferral data, and stored in a raw HINP dataset to support audit, validation, and operations.
• Ontario Health transforms and filters the HINP data set to create the PE data set, which is stored in the eReferral Analytics Repository and used for analytics, reporting, and health system planning.

Ontario Health’s authority for this role is found in the following agreements and in the Personal Health Information Protection Act, 2004 (PHIPA):

• PCCG Participation Agreement
• OH-HINP to HINP Agreement
• Prescribed Entity Authority: As a Prescribed Entity (PE) under the Personal Health Information Protection Act, 2004 (PHIPA), Ontario Health is authorized to collect and use PHI from HICs under sections 45(1), 45(5), and 45(6).

The privacy analysis of the new eReferral network integration with the PCCG identified two privacy-related risks, including, as per our risk exposure matrix, two high risks. All these risks have been addressed and resolved.

Risks and Recommendations

The PIA makes the following risks and recommendations:

Risk 1: At the time of writing this PIA, non-HICs were identified as potential contributors of PHI to the PE eReferral Repository without authority under PHIPA, creating a risk of unauthorized collection and breach.

Risk Level: High

Recommendations: Project team should:

• Ensure Amplify Care notifies Ontario Health whenever a non-HIC is onboarded to submit eReferrals
• Ensures Ontario Health’s Digital Excellence Team applies filters that exclude non-HIC referral data from the PE repository
• Ensures Ontario Health only collects PHI from authorized HICs maintaining compliance with PHIPA

Status: Closed

Risk 2: Without safeguards, private Ocean RMS users could bypass Ontario Health’s onboarding process leading to risks of unmonitored eReferrals and unauthorized PHI access.

Risk Level: High

Recommendations: Project team should:

• Conduct a comprehensive technical and privacy investigation of Ocean RMS users
• Determine how Ocean users are partitioned from the broader eReferral network and from each other
• Ensure access controls, data flow configurations and any risks of unauthorized access of PHI disclosure are resolved

 Status: Closed