This page is for clinical practices, behavioral-health groups, and health systems that use M3 to screen, measure, and monitor their patients over time. It explains how clinical use works, the safeguards in place today, the certifications M3 inherits from its cloud infrastructure, and the items on our roadmap. For the consumer-facing overview, see our Security & Interoperability page.
M3 is a measurement-based-care and screening tool that supports clinical judgment. It does not provide a diagnosis and does not replace clinical evaluation.
HTTPS / TLS 1.2+ everywhere via CloudFront and the application load balancer.
AWS KMS-managed keys on S3, RDS, and EBS volumes.
Four distinct roles enforced in code — Patient, Clinician, Health System, and M3 Admin — each with a separate sign-in flow.
Returning users sign in with a 6-digit one-time code; export of clinical data is gated by a second factor sent to the registered channel.
Activity feed on every admin action; AWS CloudTrail captures every underlying API call.
We collect only what is needed to generate a report. Payment processing is segregated, so health responses are never sent to the payment processor.
Anonymous records contain no name, email, phone, or address by design — only age range, sex, scores, and source.
Raw-data export and deletion run through an administrative path with a second factor and a defined process, not ad-hoc.
Session-scoped authentication with timeout and explicit sign-out on every dashboard.
Every approved practice is recorded with proposal status and a BAA-signed timestamp before clinical features are enabled.
M3 runs entirely on Amazon Web Services under the shared-responsibility model. AWS owns and certifies the infrastructure layer; M3 owns the application layer on top.
The AWS infrastructure M3 runs on maintains SOC 1/2/3, ISO 27001, HITRUST CSF, FedRAMP, and PCI DSS. Those certifications cover the controls AWS owns under the shared-responsibility model. (M3's own SOC 2 Type II and HITRUST certifications are on the roadmap below — M3 itself is not yet independently certified.)
AWS has signed a Business Associate Agreement with M3 under its HIPAA program — the foundation for handling PHI on their infrastructure.
M3 runs only on services AWS has declared HIPAA-eligible (S3, RDS, CloudFront, Lambda, KMS, CloudWatch, Route 53).
Datacenters managed by AWS — biometric access, 24/7 monitoring, redundant power, and fire suppression.
Point-in-time recovery on RDS, versioning and lifecycle policies on S3, and EBS snapshots. S3 is designed for 99.999999999% (11 nines) durability.
AWS Shield Standard is on by default, with Shield Advanced and WAF available for higher-tier protection.
A documented HIPAA Security Risk Analysis identifies and addresses risks to protected health information, re-performed at least annually and on material change.
A HIPAA Security & Privacy Officer oversees the compliance program.
Workforce members complete HIPAA training and acknowledge a sanction policy for violations.
A documented incident-response and breach-notification plan is maintained.
Executed and signed copies of these documents (Security Risk Analysis, HIPAA Officer Designation, Sanction Policy, Workforce HIPAA Training Acknowledgment, Notice of Privacy Practices) are available to practices on request as part of due diligence.
Safeguards aligned to the HIPAA Security Rule, with executed BAAs with our infrastructure and data-processing vendors. Practices must execute a BAA with M3 before clinical use.
We honor rights to know, access, correct, delete, and limit use of personal information; we treat health data as sensitive personal information and do not sell it.
Consistent with the Confidentiality of Medical Information Act, including AB 2089's protections for mental-health digital services.
Consumer health data is collected only with consent, never sold without authorization, with rights to access and delete. See our Washington policy.
Validated FHIR R4 Bundle export — Patient, Practitioner, Organization, Observation (LOINC), QuestionnaireResponse, and Condition.
The M3 Checklist is a registered LOINC® panel; every item and all four domain scores carry a LOINC code, with each domain crosswalked to ICD-10-CM and SNOMED CT. See the LOINC code mapping.
Data elements are structured to align with the U.S. Core Data for Interoperability.
Records export as FHIR and JSON so patient information travels with the patient.
The following are planned enhancements we are actively pursuing. They are not yet in place or certified.
Independent audit of M3's own security controls over time.
Healthcare-specific certification (e1 entry-level, then r2) of M3's own program.
Standards-based sign-in and embedding within EHR systems, paired with the existing FHIR export.
Independent, recurring third-party penetration testing.
To keep patient data protected end to end, practices using M3 agree to: execute a BAA before clinical use; share assessment links only with the intended patient; limit access to authorized workforce members on a minimum-necessary basis; and report any suspected security concern to us promptly.
Security questions: security@m3mentalhealth.org · General & account: support@m3mentalhealth.org · Contact page.