eReferral Ontario - Patients Before Paperwork (PB4P) Provincial Care Coordination Gateway (PCCG) PIA Summary
Date of PIA Report: March 31, 2025
Date PIA Summary Last Reviewed and Updated: September 22, 2025
The following is a summary of the Patients Before Paperwork (PB4P) Provincial Care Coordination Gateway (PCCG) PIA, including a brief background, key findings, and risks and recommendations as applicable. See our Contact Us page to find information on how to contact the Ontario Health Privacy Office should you have any questions.
Background
The Government of Ontario is committed to delivering connected and convenient care to Ontarians. In February 2023, the Government of Ontario announced Your Health: A Plan for Connected and Convenient Care (the Plan), in which the goal to “finally axe the fax” was called out to support Right Care in the Right Place. The Plan described a commitment to replace “antiquated fax machines with digital communication alternatives” in the next five years.
This commitment by the Ontario Ministry of Health (MOH) will address privacy concerns associated with fax machines that have risen to the forefront. Privacy Commissioners across Canada have taken a clear and consistent public position with respect to the use of fax and other unsecure technologies in communicating personal health information.
To enable this clinical transformation, the MOH and Ontario Health have developed a comprehensive proposal to modernize provider communications through an initiative called Patients before Paperwork (Pb4P). This five-year initiative aims to reduce the administrative burden of frontline providers by creating a more seamless, digitally connected system that health care providers can leverage to plan, coordinate, and deliver patient care. Specifically, Pb4P will implement a coordinated and integrated set of digital solutions to frontline providers through a clinically guided change program with a focus on primary care.
The vision of Pb4P is to put patients before paperwork, by making improvements and expanding digital healthcare solutions that alleviate the most burdensome administrative tasks faced by providers and their patients.
As part of the Patients before Paperwork (PB4P) initiative, Ontario Health’s mandate is to develop an integrated clinical process that includes digital communication tools for referrals, and improved access and reduced wait times for MRI, CT scan, and diagnostic ultrasound through creating regional central intake processes.
This PIA will focus on development of the Provincial Care Coordination Gateway (PCCG) Solution. The Provincial Care Coordination Gateway is an Ontario Health digital asset that supports the routing of referrals in the new eReferrals Network. The PCCG Solution is owned and managed by Ontario Health, which delivers comprehensive health services for the province, and it leverages the One Access Gateway (OAG) to support the end-to-end referral workflow.
It ensures that referrals are delivered electronically from source to destination without the need for point-to-point integration to connect the Referring Practitioner’s RMS and Receiving Provider’s RMS. It will leverage the OAG to ensure that only verified care providers are able to send Referral transactions. The PCCG engages with Ontario Health’s major provincial assets (Provincial Health Services Directory (PHSD), ONE ID, Provincial eForms, etc.) in the creation of an effective and secure Referral Network.
The service will enable real-time routing, allowing for real-time wait times to be collected at the different states of a referral. All transactions passing through the PCCG will be logged and tracked. Appointment information will be contributed to the eReferral Repository to support wait time calculation, patient access, and appointment reminders. HL7-v2 mapping will be supported by the PCCG Solution, allowing for better interoperability between community and hospital-based systems.
The development of the PCCG is based on the Fast Healthcare Interoperability Resources (FHIR) Implementation Guide. The Ontario eReferral - eConsult FHIR Implementation Guide (IG) was written to support implementers of systems that will use HL7 FHIR to support communication between health care practitioners and service providers performing electronic patient referrals and/or electronic consultations in the province of Ontario. It provides business context, use cases and information flows that are specific to the Ontario eReferral and eConsult ecosystem and is designed to be generic enough to support many different pathways.
This Pb4P PIA is limited to the development of the PCCG Solution only. Other PIAs are planned and will commence in January 2025 for the overall solution involving vendors and integration of vendors’ Referral Management System (RMS) solutions.
Key Findings
The PIA concludes that Ontario Health has one main role in the collection, use and disclosure of PHI as part of the eReferral Ontario initiative:
- “Health Information Network Provider (HINP) Role” - in providing PHI-related services to participating Health Information Custodians (HICs).
Ontario Health’s authority for this role is found in agreements between the HICs and Ontario Health and in the Personal Health Information Protection Act, 2004 (PHIPA):
- the Health Information Network Provider (HINP) Agreement with all participating HICs; and
- the provider / HINP requirements under subsection 10(4) of PHIPA and section 6 of the Regulation to PHIPA.
For the PCCG solution, the initial privacy analysis of the initiative identified ten (10) privacy-related risks, including, as per our risk exposure matrix: one (1) high risk and nine (9) medium risks. Most of these risks have been addressed and resolved; those that remain open are outlined below along with corresponding recommendations.
In accordance with Ontario Health’s Privacy Risk Management policy and procedures, the Chief Privacy Officer (CPO) approves and endorses the results of the PIA and risk management process, and should there be a risk or risks that cannot be mitigated to an acceptable risk tolerance of minor, the designated business or portfolio owner must:
- Review and sign off the Risk Acceptance Form;
- Prepare supporting documentation (briefing note) addressing possible consequences as a result of accepting the risk(s) and not implementing the recommendation(s) provided by Strategy, Planning, Privacy, Analytics and Risk; and
- Submit the Risk Acceptance Form and supporting documentation to the Executive Lead for the applicable portfolio and to the Executive Lead for Strategy, Planning, Privacy, Analytics and Risk for review and approval.
Ontario Health’s PIA standard recommends that all high and moderate risks be mitigated to an acceptable level (low) prior to a project going live.
Risks and Recommendations
The PIA makes the following risks and recommendations:
Risk 1: Absence of Threat and Risk Assessment prior to go-live with PCCG Solution could lead to exploitation of unknown vulnerabilities resulting in reputational damages and privacy violations.
Recommendation: It is strongly recommended that a comprehensive Threat and Risk Assessment be conducted on the PCCG Solution prior to go-live.
Status: Closed
Risk 2: Absence of Penetration Test for the PCCG Solution may lead to unauthorized disclosure of sensitive information leading to reputational damages.
Recommendation: It is recommended that the project teams conduct a Penetration Test prior to go-live with the PCCG Solution. The test will identify security weaknesses that could be exploited by unauthorized personnel.
Note: At the time of the assessment, the project team indicated that the Penetration Test will be completed in January 2025. The identified weaknesses should be mitigated based on their severity levels.
Status: Closed
Risk 3: Unsecure configuration of Actuator may expose sensitive information to unauthorized personnel.
Recommendation: To ensure the confidentiality and integrity of the application and its data, the project team should properly configure and secure the Actuator endpoints prior to go-live with the solution. The project team should also implement remediation activities identified in the VA report. At the time of this assessment, the project team was in the process of remediating this vulnerability.
Note: This vulnerability was identified within the VA report.
Status: Closed
Risk 4: Absence of training material for the PCCG eReferral Solution could lead to administrative or technical errors or omissions.
Recommendation: To ensure a smooth transition, it is recommended that the project team develop comprehensive training material for easy adoption. The training material should be easily accessible to all involved parties to reduce negative consequences.
Status: Open
Risk 5: Absence of consent notice and agreements for the PCCG Solution may lead to privacy breaches.
Recommendation: Although Ontario Health is permitted to use PHI it received from HICs without consent for the purposes related to the management and planning of the health system, the project team should have separate agreements with involved HICs and any other parties for the use of the newly built PCCG eReferral solution.
Status: Closed
Risk 6: The PCCG solution utilizes current Ontario Health services, although a privacy assessment of the service agreements was not conducted to ascertain whether the solution complies with regulations for offering new services. The lack of visibility into these existing agreements poses a risk of unauthorized access, use, or disclosure of personal information (PI) and protected health information (PHI), potentially resulting in privacy breaches.
Recommendation: Privacy recommends that the agreements for the services being utilized for the PCCG be thoroughly reviewed to ensure compliance with existing contracts, thereby preventing excessive use or over-collection of PI/PHI in relation to the PCCG solution.
Status: Open
Risk 7: In the absence of Business Requirements Documentation (BRD), there is a potential for the solution not meeting privacy and security requirements, unclear scope of the project, poor planning, over/under budget, not meeting defined timelines, etc., leading to financial, regulatory, and reputational damages.
Recommendation: The project team should develop a comprehensive business requirements document clearly illustrating privacy and security requirements in protecting sensitive information. In addition, the BRD should include details on, but not limited to, the following: roles and responsibilities, functional requirements, solution availability, disaster recovery, etc.
Status: Closed
Risk 8: The project team has taken an agile approach for the development of the PCCG Solution. As such, Use Cases were developed instead of following the traditional process of a BRD. At the time of this assessment, although Use Cases were documented, it is unknown if there are any other use cases required. Implementation of Use Cases will follow a phased approach. If not all Use Cases are defined and clearly documented, there is potential for the PCCG Solution to not meet user expectations and to introduce unknown risks, which may lead to financial, regulatory, or reputational damages.
Recommendation: The project team should ensure all relevant use cases are developed and tested prior to go-live with the PCCG Solution. In addition, the project team should finalize the implementation plan and phased approach to ensure Use Cases are implemented in a specific order to avoid project delay. The project team should also conduct delta PIAs on additional phases of the project.
Status: Closed
Risk 9: Data elements for the PCCG Solution are not clearly documented. Although the data elements are defined within the Ontario eReferral – eConsult HL7 FHIR Implementation Guide, they are in draft version at the time of this assessment.
Recommendation: The project team should clearly document, confirm and finalize the data elements for the PCCG Solution.
Status: Closed
Risk 10: Roles and responsibilities are not clearly defined for the PCCG Solution. In the absence of roles and responsibilities, there is potential for misunderstanding or an inability to respond to privacy / security breaches in a timely manner.
Recommendation: The PCCG Solution is a brand-new build, managed and supported internally by Ontario Health. The project team should clearly define and document roles and responsibilities for the management of the overall PCCG Solution. Since the PCCG Solution is brand new, ensure dedicated personnel are fully trained and backup personnel are also trained in managing key components of the PCCG Solution.
Status: Closed
Last Updated: November 05, 2025