← Back to M3MentalHealth.org

Clinical Overview & Security

For clinicians and practices using M3 to measure and monitor patients · M-3 Information, LLC · Last reviewed: June 2026

This page is for clinical practices, behavioral-health groups, and health systems that use M3 to screen, measure, and monitor their patients over time. It explains how clinical use works, the safeguards in place today, the certifications M3 inherits from its cloud infrastructure, and the items on our roadmap. For the consumer-facing overview, see our Security & Interoperability page.

Business Associate Agreement required before clinical use. Any clinician, practice, or organization that uses M3 with identifiable patient data must first execute a Business Associate Agreement (BAA) with M-3 Information, LLC. Our intake process tracks BAA status for every practice, and clinical features are enabled only after the BAA is in place.
Certification & compliance status — plain language (as of June 26, 2026). We describe our security accurately and update this page as items change. Throughout this page: In place means built and operating today; AWS means inherited from the Amazon Web Services infrastructure that hosts M3 — Amazon’s certification of the infrastructure layer, not a certification of M3 itself; Planned means on our roadmap and not yet in place. M3 is well suited to individuals, small and mid-sized practices, and medical clinics. SOC 2 Type II and HITRUST CSF are enterprise procurement certifications requested by hospital systems, health plans, and large provider organizations — not required for HIPAA compliance or for use by individuals, small or mid-sized practices, or medical clinics. Today they apply to M3’s AWS infrastructure, not to M3 itself; we pursue M3’s own certifications to support these enterprise customers.

How clinical practices use M3

  1. Register your practice and receive a unique promo code that links patients to your clinic.
  2. Order an assessment for a patient from your dashboard — M3 generates a secure, one-tap assessment link you share with them. The link automatically applies your promo code.
  3. Patients complete the M3 Checklist (depression, anxiety, bipolar, and PTSD domains) and the optional PEG pain scale on their own device.
  4. Review results in your clinician dashboard: per-patient scores and severity ranges, score distribution for your panel, and longitudinal tracking as patients re-screen.
  5. Set re-assessment cadence per patient (as close as weekly for those who need closer monitoring) to measure change over time.

M3 is a measurement-based-care and screening tool that supports clinical judgment. It does not provide a diagnosis and does not replace clinical evaluation.

Security controls in place today

In placeEncryption in transit

HTTPS / TLS 1.2+ everywhere via CloudFront and the application load balancer.

In placeEncryption at rest

AWS KMS-managed keys on S3, RDS, and EBS volumes.

In placeRole-based access

Four distinct roles enforced in code — Patient, Clinician, Health System, and M3 Admin — each with a separate sign-in flow.

In placeTwo-factor at sensitive paths

Returning users sign in with a 6-digit one-time code; export of clinical data is gated by a second factor sent to the registered channel.

In placeAudit logging

Activity feed on every admin action; AWS CloudTrail captures every underlying API call.

In placeData minimization

We collect only what is needed to generate a report. Payment processing is segregated, so health responses are never sent to the payment processor.

In placeDe-identification

Anonymous records contain no name, email, phone, or address by design — only age range, sex, scores, and source.

In placeControlled deletion & export

Raw-data export and deletion run through an administrative path with a second factor and a defined process, not ad-hoc.

In placeSession controls

Session-scoped authentication with timeout and explicit sign-out on every dashboard.

In placeBAA tracking

Every approved practice is recorded with proposal status and a BAA-signed timestamp before clinical features are enabled.

Infrastructure & inherited certifications (AWS)

M3 runs entirely on Amazon Web Services under the shared-responsibility model. AWS owns and certifies the infrastructure layer; M3 owns the application layer on top.

AWSInherited certifications

The AWS infrastructure M3 runs on maintains SOC 1/2/3, ISO 27001, HITRUST CSF, FedRAMP, and PCI DSS. Those certifications cover the controls AWS owns under the shared-responsibility model. (M3's own SOC 2 Type II and HITRUST certifications are on the roadmap below — M3 itself is not yet independently certified.)

AWSExecuted BAA

AWS has signed a Business Associate Agreement with M3 under its HIPAA program — the foundation for handling PHI on their infrastructure.

AWSHIPAA-eligible services only

M3 runs only on services AWS has declared HIPAA-eligible (S3, RDS, CloudFront, Lambda, KMS, CloudWatch, Route 53).

AWSPhysical security

Datacenters managed by AWS — biometric access, 24/7 monitoring, redundant power, and fire suppression.

AWSBackup & disaster recovery

Point-in-time recovery on RDS, versioning and lifecycle policies on S3, and EBS snapshots. S3 is designed for 99.999999999% (11 nines) durability.

AWSDDoS protection

AWS Shield Standard is on by default, with Shield Advanced and WAF available for higher-tier protection.

HIPAA administrative program

Security Risk Analysis

A documented HIPAA Security Risk Analysis identifies and addresses risks to protected health information, re-performed at least annually and on material change.

Designated HIPAA officer

A HIPAA Security & Privacy Officer oversees the compliance program.

Workforce training & sanctions

Workforce members complete HIPAA training and acknowledge a sanction policy for violations.

Incident response & breach notification

A documented incident-response and breach-notification plan is maintained.

Executed and signed copies of these documents (Security Risk Analysis, HIPAA Officer Designation, Sanction Policy, Workforce HIPAA Training Acknowledgment, Notice of Privacy Practices) are available to practices on request as part of due diligence.

Privacy & state law

HIPAA

Safeguards aligned to the HIPAA Security Rule, with executed BAAs with our infrastructure and data-processing vendors. Practices must execute a BAA with M3 before clinical use.

California — CCPA / CPRA

We honor rights to know, access, correct, delete, and limit use of personal information; we treat health data as sensitive personal information and do not sell it.

California — CMIA (incl. AB 2089)

Consistent with the Confidentiality of Medical Information Act, including AB 2089's protections for mental-health digital services.

Washington — My Health My Data Act

Consumer health data is collected only with consent, never sold without authorization, with rights to access and delete. See our Washington policy.

Interoperability (open standards)

HL7 FHIR R4

Validated FHIR R4 Bundle export — Patient, Practitioner, Organization, Observation (LOINC), QuestionnaireResponse, and Condition.

LOINC panel 71891-6

The M3 Checklist is a registered LOINC® panel; every item and all four domain scores carry a LOINC code, with each domain crosswalked to ICD-10-CM and SNOMED CT. See the LOINC code mapping.

USCDI-aligned

Data elements are structured to align with the U.S. Core Data for Interoperability.

Portability

Records export as FHIR and JSON so patient information travels with the patient.

On our roadmap

The following are planned enhancements we are actively pursuing. They are not yet in place or certified.

PlannedSOC 2 Type II

Independent audit of M3's own security controls over time.

PlannedHITRUST CSF

Healthcare-specific certification (e1 entry-level, then r2) of M3's own program.

PlannedSMART on FHIR

Standards-based sign-in and embedding within EHR systems, paired with the existing FHIR export.

PlannedAnnual penetration test

Independent, recurring third-party penetration testing.

What we ask of practices

To keep patient data protected end to end, practices using M3 agree to: execute a BAA before clinical use; share assessment links only with the intended patient; limit access to authorized workforce members on a minimum-necessary basis; and report any suspected security concern to us promptly.

Contact

Security questions: security@m3mentalhealth.org · General & account: support@m3mentalhealth.org · Contact page.

Items under "On our roadmap" are planned and not yet implemented or certified. Certifications referenced under "Infrastructure & inherited certifications" belong to Amazon Web Services and apply to the infrastructure layer under the shared-responsibility model; they are not certifications of M3 itself. This page describes current safeguards in general terms and is not a warranty. See our Privacy Policy and Terms & Conditions.

If you are in crisis or thinking of harming yourself, dial or text 988 or go to your nearest emergency room.