
Health Card Validation – HCV


The community has developed open source tools for Ontario Health Card Validation (HCV) that do not require OntarioMD certification.

You can get keys for OSCAR's native HCV; however, the approach below provides generic access that brings HCV to the all-important schedule page through a toolbar.

These instructions depend on Dr Yang's PHP program github.com/mykiBoy/OHIP-HCV, which provides access to the data in JSON format via a simple SOAP message. Note that by default it needs port 8080; you will need to change that if you use 8080 for something else (e.g. phpMyAdmin). These instructions install Java 17, which can be done on an OSCAR server, but ensure that Tomcat does not try to pick up Java 17 for OSCAR (Java 8 or 11 are preferred). Dr Hendy's additional PHP (below) and Tampermonkey script tie it all together to tap into the schedule page.

First you need credentials: apply on the form HERE:

They will send a test user name, password, key, and user ID. Mock OHIP numbers will be given and you will send the response back from the browser console. Once this has been completed, they will forward your application. The process takes approximately 2 weeks total.
Once you are approved, you swap in your OHIP billing number/group number, EDT user name and password, and conformance keys. Staff can then use the toolbar to search for the patient, click the Master link and verify phone number and address, and it will show status. You can also batch all the cards at the end of the day: click scan, start, then the triangle to list any invalid cards. If the page refreshes, though, you have to run it again. It's pretty quick (2 cards per second).

Once you have the first part, you need to install the OHIP-HCV program:

sudo apt install git
sudo apt install -y php-cli php-common
sudo apt install -y php-xml
sudo apt install -y php-curl
sudo apt install -y git php-cli php-common openjdk-17-jre-headless openssl
mkdir -p ~/work && cd ~/work
git clone https://github.com/mykiBoy/OHIP-HCV.git
cd OHIP-HCV

Now you need keys. Note that the default Java keystore password is changeit. Ignore that direction at your own risk: substitute your own password for changeit in the commands below.

keytool -genkeypair -keystore testStore.p12 -storetype PKCS12 -storepass changeit -alias client -keyalg RSA -keysize 1024 -validity 7300
openssl pkcs12 -in testStore.p12 -out publicCertificate.pem -nokeys
sed -n '/BEGIN CERTIFICATE/,$p' publicCertificate.pem | sed '1d;$d' > publicCertificate_base64.txt
tr -d '\n' < publicCertificate_base64.txt | xclip -selection clipboard

Copy the contents of the text file above into main.php, along with the four pieces of information from conformance that you obtained earlier in these instructions (conformance testing key, username, password and MOH ID). Otherwise you will get an authorization fault for using invalid credentials. Create loadkeystore.php as below, replacing changeit with the password you used when creating the keys and adjusting the paths if necessary.

<?php
// Read the PKCS#12 bundle created earlier (testStore.p12, password 'changeit')
$pkcs12 = file_get_contents('testStore.p12');
if ($pkcs12 === false) {
  throw new Exception("Cannot read testStore.p12 (check path/permissions)");
}

// Parse the PKCS#12 to get private key + certificate into $pkcs12Info
if (!openssl_pkcs12_read($pkcs12, $pkcs12Info, 'changeit')) {
  throw new Exception("Failed to read PKCS#12. Wrong password or corrupt file.");
}

// Provide variables for main.php
$privatekey = $pkcs12Info['pkey'];  // PEM private key string
$certificate = $pkcs12Info['cert']; // PEM public cert (not strictly required for signing)
?>
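
An added example, not part of OHIP-HCV or the original instructions: a variant of loadkeystore.php that keeps the keystore password out of the source file, refuses a keystore that other local users can read, and logs the key size and certificate expiry. The environment variable HCV_KEYSTORE_PASS and the function name hcv_load_keystore are assumptions.

```php
<?php
// Added example, not OHIP-HCV code. HCV_KEYSTORE_PASS and hcv_load_keystore()
// are hypothetical names.
function hcv_load_keystore(string $path): array
{
    // Password comes from the PHP process environment, not from the source file.
    $pass = getenv('HCV_KEYSTORE_PASS');
    if ($pass === false || $pass === '') {
        throw new RuntimeException('HCV_KEYSTORE_PASS is not set');
    }

    // The .p12 holds the private key: refuse it if group or others have access.
    $mode = @fileperms($path);
    if ($mode === false) {
        throw new RuntimeException("Cannot stat $path (check path/permissions)");
    }
    if (($mode & 0077) !== 0) {
        throw new RuntimeException(sprintf('%s has mode %04o; chmod 600 it', $path, $mode & 0777));
    }

    $pkcs12 = file_get_contents($path);
    if ($pkcs12 === false || !openssl_pkcs12_read($pkcs12, $info, $pass)) {
        throw new RuntimeException('Failed to read PKCS#12 (wrong password or corrupt file)');
    }

    // Inspect what was loaded so a short or expired key shows up in the log.
    $key = openssl_pkey_get_private($info['pkey']);
    $details = $key !== false ? openssl_pkey_get_details($key) : false;
    $cert = openssl_x509_parse($info['cert']);
    if ($details === false || $cert === false) {
        throw new RuntimeException('Keystore has no usable key or certificate');
    }
    if ($cert['validTo_time_t'] < time()) {
        throw new RuntimeException('Client certificate has expired');
    }
    return ['pkey' => $info['pkey'], 'cert' => $info['cert'], 'bits' => $details['bits'],
            'expires' => gmdate('Y-m-d', $cert['validTo_time_t'])];
}

// Same two variables that loadkeystore.php hands to main.php.
$ks = hcv_load_keystore(__DIR__ . '/testStore.p12');
$privatekey = $ks['pkey'];
$certificate = $ks['cert'];
error_log("HCV keystore: {$ks['bits']}-bit key, certificate expires {$ks['expires']}");
```

The variable has to be present in the environment of the php -S process that serves router.php.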

router.php, as below, creates an API that passes the response through:

<?php
$path = parse_url($_SERVER['REQUEST_URI'], PHP_URL_PATH);
if ($path === '/hcv') {
    // Avoid PHP warnings breaking JSON
    ini_set('display_errors', '0');
    header('Content-Type: application/json');
    ob_start();
    require __DIR__ . '/main.php';
    $out = ob_get_clean();
    // If main.php already returned JSON, pass it through.
    $isJson = false;
    if (is_string($out)) {
        json_decode($out);
        $isJson = (json_last_error() === JSON_ERROR_NONE);
    }
    if ($isJson) {
        http_response_code(http_response_code() ?: 200);
        echo $out;
    } else {
        // Wrap non-JSON output into JSON so jq won’t choke
        http_response_code(http_response_code() ?: 200);
        echo json_encode([
            'error'   => false,
            'note'    => 'Non-JSON output from main.php wrapped for safety',
            'raw'     => is_string($out) ? trim($out) : null
        ], JSON_UNESCAPED_SLASHES);
    }
    exit;
}
http_response_code(404);
header('Content-Type: application/json');
echo json_encode(['error'=>true,'message'=>'Not Found']);
?>

The whole thing can be made to run at boot with a crontab entry like the following:

@reboot cd /PATHTOYOURFILES && /usr/bin/php -S 0.0.0.0:8080 router.php >> /var/log/hcv-api.log 2>&1
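
The router above answers /hcv for any client that can reach port 8080, and the crontab line binds the server to every interface. An added example, not part of OHIP-HCV or the original instructions, of a gate to require at the top of router.php so that only clients in an allowed network that present a shared token reach main.php. The file name gate.php, the X-HCV-Token header, the HCV_API_TOKEN variable and the 192.168.1.0/24 range are assumptions, and the browser script would have to send the header.

```php
<?php
// Added example, not OHIP-HCV code: gate.php. All names here are hypothetical.

// True if IPv4 address $ip lies inside $cidr (e.g. 192.168.1.0/24).
function hcv_ip_in_cidr(string $ip, string $cidr): bool
{
    [$net, $bits] = array_pad(explode('/', $cidr, 2), 2, '32');
    $ipLong = ip2long($ip);
    $netLong = ip2long($net);
    $bits = (int) $bits;
    if ($ipLong === false || $netLong === false || $bits < 0 || $bits > 32) {
        return false; // malformed input or a non-IPv4 address: deny
    }
    $mask = $bits === 0 ? 0 : (~0 << (32 - $bits)) & 0xFFFFFFFF;
    return ($ipLong & $mask) === ($netLong & $mask);
}

// Returns null when the request may proceed, otherwise the reason it was refused.
function hcv_gate(array $server, array $allowedCidrs, string $expectedToken): ?string
{
    $ip = $server['REMOTE_ADDR'] ?? '';
    $inRange = false;
    foreach ($allowedCidrs as $cidr) {
        if (hcv_ip_in_cidr($ip, $cidr)) {
            $inRange = true;
            break;
        }
    }
    if (!$inRange) {
        return 'client address not allowed';
    }
    // An unset token denies everyone; hash_equals compares in constant time.
    $sent = (string) ($server['HTTP_X_HCV_TOKEN'] ?? '');
    if ($expectedToken === '' || !hash_equals($expectedToken, $sent)) {
        return 'bad or missing token';
    }
    return null;
}

// 192.168.1.0/24 is a placeholder for the clinic LAN.
$reason = hcv_gate($_SERVER, ['127.0.0.1/32', '192.168.1.0/24'], (string) getenv('HCV_API_TOKEN'));
if ($reason !== null) {
    error_log('HCV request denied from ' . ($_SERVER['REMOTE_ADDR'] ?? '?') . ": $reason");
    http_response_code(403);
    header('Content-Type: application/json');
    echo json_encode(['error' => true, 'message' => 'Forbidden']);
    exit;
}
```

PHP's built-in server speaks plain HTTP only, so the token and the validation responses are readable on the network path unless a TLS-terminating proxy sits in front of it.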