eReferral Ontario - Health Information Network Provider (HINP) to HINP PIA Summary
Date of PIA Report: June 26, 2025
Date PIA Summary Last Reviewed and Updated: September 29, 2025
The following is a summary of the HINP to HINP: Ontario Health and Amplify Care Referral Network PIA, including a brief background, key findings, and risks and recommendations as applicable. See our Contact Us page to find information on how to contact the Ontario Health Privacy Office should you have any questions.
Background
The Government of Ontario introduced "Your Health: A Plan for Connected and Convenient Care", a plan dedicated to enhancing health care delivery, released in February 2023. A key objective of this initiative is to eliminate outdated fax communication in favor of digital alternatives, thereby supporting the delivery of the Right Care in the Right Place. Central to this transformation is the Patients before Paperwork (Pb4P) initiative, a five-year initiative designed to streamline provider communications and reduce administrative burdens, ultimately improving patient care.
The Pb4P initiative seeks to implement a coordinated set of digital solutions for frontline health care providers, focusing on primary care. It aims to alleviate the administrative challenges faced by providers and their patients, facilitating a seamless integration of digital health care solutions. As part of this effort, the Ontario Health eReferral network is being established, which will serve as a province-wide digital referral solution aligned with the Ontario Health Referral Management Blueprint.
Amplify Care currently operates the Amplify Care (Ocean) eReferral Network as a Health Information Network Provider (HINP). Amplify Care (Ocean) eReferral Network utilizes the OceanMD Referral Management System (RMS), which facilitates simplified and expedited electronic referrals, allowing primary care providers to communicate efficiently with specialists. This network will be decommissioned, and referral services will be transitioned to the Ontario Health eReferral HINP network, which will integrate approved RMS vendor solutions to enhance provider experience and maintain consistency in referral processes.
Both HINP networks will operate in parallel for an undetermined period, necessitating a comprehensive assessment of the privacy implications of both systems functioning simultaneously. PIAs have been conducted for each RMS vendor of record and for the newly developed PCCG solution to ensure compliance with privacy regulations and to protect personal health information during this critical transition phase.
This Privacy Impact Assessment evaluates the HINP-to-HINP authority model, with a decision made to operate both the current Amplify Care network and the newly established Ontario Health network in parallel, each functioning as a HINP. This approach is essential for minimizing impacts on health care services and patient care during the transition, ensuring that patient care remains uninterrupted and secure until the Amplify Care network is decommissioned. This assessment highlights the commitment to safeguarding patient information while optimizing health care delivery, aiming to create a cohesive and efficient digital referral system across Ontario.
Key Findings
The PIA concludes that Ontario has one main role in the collection, use and disclosure of PHI as part of the eReferral Ontario initiative:
"Health Information Network Provider (HINP) Role" - in providing PHI-related services to participating Health Information Custodians (HICs).
Ontario Health’s authority for this role is found in the following agreements and in the Personal Health Information Protection Act, 2004 (PHIPA):
- eReferral Network to Network Agreement between Ontario Health and Amplify Care
- Health Information Network Provider (HINP) Agreement with all participating HICs; and the provider / HINP requirements under subsection 10(4) of PHIPA and section 6 of the Regulation to PHIPA.
The initial privacy analysis of the HINP to HINP eReferral Network identified nine (9) privacy-related risks, including, as per our risk exposure matrix: nine (9) medium risks. Most of these risks have been addressed and resolved; those that remain open are outlined below along with corresponding recommendations.
In accordance with Ontario Health’s Privacy Risk Management policy and procedures, the Chief Privacy Officer (CPO) approves and endorses the results of the PIA and risk management process, and should there be a risk or risks that cannot be mitigated to an acceptable risk tolerance of minor, the designated business or portfolio owner must:
- review and sign off the Risk Acceptance Form;
- prepare supporting documentation (briefing note) addressing possible consequences as a result of accepting the risk(s) and not implementing the recommendation(s) provided by Strategy, Planning, Privacy, Analytics and Risk; and
- submit the Risk Acceptance Form and supporting documentation to the Executive Lead for the applicable portfolio and to the Executive Lead for Strategy, Planning, Privacy, Analytics and Risk for review and approval.
Ontario Health’s PIA standard recommends that all high and moderate risks be mitigated to an acceptable level (low) prior to a project going live.
Risks and Recommendations
The PIA makes the following risks and recommendations:
Risk 1: Absence of clearly defined accountability of HINP networks may lead to regulatory violation and reputational damages.
Recommendation: Project team should:
- ensure clearly defined roles and responsibilities for the management of both HINP networks.
- ensure relevant contracts and agreements are in place prior to go-live.
- ensure accountability of each HINP environment is clearly defined.
- ensure users are only authorized to use HINP networks that are assigned to them.
- ensure there is no use of cross networks by users without appropriate authorities or agreements in place.
- ensure plain language description of services is communicated with the users that includes roles and responsibilities.
Status: Closed
Risk 2: Reliance on vendors and service providers to operate and manage the HINP network may lead to compromise of or unauthorized access to PI/PHI, leading to reputational damages.
Recommendation: Project team should:
- ensure contracts and agreements are in place and up-to-date with all relevant parties.
- ensure contracts with vendors detail regulatory requirements for the management of the PI/PHI by all relevant vendors.
- ensure vendors supporting or involved in management of the Amplify Care HINP environment have formal policies and procedures in place, particularly from a privacy and security breach perspective.
- ensure roles and responsibilities for all involved vendors are clearly documented along with other obligations mandated by regulation.
- ensure that the Ocean user base is isolated for each network, especially from their other clients.
Status: Open
Risk 3: Management of two HINP networks could lead to an inability to react in a timely manner to an incident, leading to a prolonged breach resulting in reputational damages.
Recommendation: Ontario Health and Amplify Care should establish clear roles and responsibilities, service level agreements, strict access controls and incident management practices. Both parties should establish regular meetings to discuss any issues related to their respective networks. They should share documentation and material to ensure both networks have relevant security patches and updates, so that weaknesses in one network are not exploited to target the other. As a guideline, Ontario Health and Amplify Care should follow the Joint Policy and Procedure in Support of the HINP to HINP eReferral Agreement for the management of both networks.
Status: Closed
Risk 4: In the absence of detailed network diagrams, the eReferral solution may not be able to recover in a timely manner during a system outage or compromise, leaving the eReferral solution inaccessible and resulting in reputational damages.
Recommendation: Amplify Care should update the network diagrams as well as all other relevant documentation to include the eReferral solution. Amplify Care should also provide details on the eReferral solution, including network diagrams, data flows and other material, to vendors involved in supporting and managing the HINP environment to ensure appropriate steps are taken for continuous availability of the eReferral solution.
Status: Open
Risk 5: Lack of awareness of split referrals may result in delay of services, leading to extensive wait times for patients and resulting in reputational damages.
Recommendation: Project team should:
- ensure that the person in charge of creating new referrals has proper authority and agreements in place for creating referrals on behalf of the PCP.
- ensure the original PCP is aware of the split in referral services, and the patient is also notified.
- ensure splitting of referrals is properly planned out and managed to avoid crossing the boundaries of the two networks.
Status: Closed
Risk 6: In the absence of clear communication and agreements between Amplify Care and Ontario Health, migrating users from the existing HINP to the Ontario Health PCCG HINP network may violate regulatory requirements, leading to punitive and reputational damages.
Recommendation: Ontario Health and Amplify Care should finalize agreements and obtain signatures from authorized personnel prior to moving users between HINP networks. Ensure users are informed to terminate their agreements with Amplify Care and onboard to Ontario Health. Ontario Health and Amplify Care should ensure proper migration plans are in place prior to moving data from the existing network to the new network. Ensure both parties are informed of the explicit project plans and timelines, etc. Work closely with legal to draft relevant agreements and contracts to ensure regulatory requirements are not violated.
Status: Open
Risk 7: Amplify Care is advised by the Treasury Board not to enroll any new users on their existing network. As such, all new users are to be enrolled onto the new Ontario Health PCCG HINP network. This approach may lead to confusion, fragmentation, inefficiency, management and maintenance of two separate networks, etc., resulting in duplicated services.
Recommendation: The project team should clearly plan out the appropriate timelines for discontinuing Amplify Care’s duplicated network. If both networks are required to run simultaneously for testing, this should have a target end date based on industry best practices. This timeline should not lead to years of running two networks, as that can introduce other risks such as a larger threat landscape and privacy and security breaches based on misaligned security controls, etc. The project team should work closely with Amplify Care to create a roadmap for the governance model of both networks.
Status: Open
Risk 8: In the absence of clearly defined transition plans and processes, there is a risk of data being left behind, or data stored at various locations may be accessible to unauthorized users and result in unauthorized disclosure after the termination of the contract.
Recommendation: To address the risk of data being left behind or accessed by unauthorized users after the contract termination between Amplify Care and Ontario Health, it is crucial to establish clear data transition and destruction procedures beforehand. The project team must understand Amplify Care's asset inventory and ensure all assets are accounted for, with unnecessary data appropriately purged or destroyed.
Key elements of the process should include:
- data transfer procedures between HINP networks.
- testing for data compatibility with the new network.
- validation controls, including pre-test and post-test protocols.
- encryption measures during transfer to prevent unauthorized access.
Additionally, Amplify Care should clarify its responsibilities for sensitive data retention and destruction plans. Ontario Health must obtain a certificate of destruction from Amplify Care to confirm that sensitive data has been securely destroyed. The project team should conduct security assessments, including TRA, vulnerability assessments, and penetration testing, to ensure terminated organizations do not have access to the Ontario Health PCCG HINP environment or data post-termination.
Status: Open
Risk 9: Absence of contractual agreements between Amplify Care and Ontario Health can have a negative impact on, but not limited to, the operation of networks, legal compliance, security safeguards and business continuity, leading to regulatory violation and reputational damages.
Recommendation: Finalize relevant agreements for the HINP-to-HINP networks:
- ensure contracts and agreements with all relevant parties are agreed and signed off prior to go-live.
- ensure HICs inform users of the use of both networks and obtain consent and approval prior to go-live.
Status: Closed
Last Updated: November 05, 2025