← Back to M3MentalHealth.org

Security & Interoperability

M3 Mental Health and Pain Review · M3MentalHealth.org · Last reviewed: June 2026

Mental-health information is sensitive, and we treat it that way. This page summarizes how we protect your data and how M3 works with the broader healthcare ecosystem using open standards.

Certification & Compliance Status — June 2026

HIPAA Security Rule✓ In place — technical, administrative, and physical safeguards implemented; BAA on file with infrastructure vendors
AWS BAA✓ Executed — all data processed on HIPAA-eligible AWS services only
KMS Encryption at Rest✓ Live — all patient tables encrypted with AWS KMS managed keys
PITR (Point-in-Time Recovery)✓ Live — enabled on all PHI tables
Washington MHMDA✓ Aligned — opt-in consent, no sale, rights honored; policy at wa-privacy.html
California CCPA / CPRA✓ Aligned — health data treated as sensitive PI; access/delete rights honored
California CMIA / AB 2089✓ Aligned — mental-health digital service safeguards in place
SOC 2 Type IIOn roadmap — not yet audited
HITRUST CSFOn roadmap — not yet certified

Data security

Encryption in transit

All traffic is served over HTTPS with TLS 1.2 or higher, end to end.

Encryption at rest

Data is encrypted at rest using AWS KMS managed keys in isolated, dedicated DynamoDB environments.

HIPAA-eligible infrastructure

M3 runs only on HIPAA-eligible AWS services (Lambda, DynamoDB, S3, CloudFront, SES, KMS) under an executed Business Associate Agreement (BAA).

Aligned to the HIPAA Security Rule

Administrative, technical, and physical safeguards are designed around the HIPAA Security Rule, including a Security Risk Analysis and designated HIPAA officer.

Two-factor sign-in

Returning users sign in with a one-time 6-digit code by email — no password to steal or reuse.

Data minimization

We collect only what's needed to generate your report. Payment processing is segregated so health responses are never sent to the payment processor.

Role-based access control

Access to patient information is restricted by role — only authorized clinicians and administrators can view records and longitudinal registries.

Your data, your control

You can request a copy of your record or its deletion; deletion is handled securely with a 30-day recoverable hold before permanent removal.

No sale of health data

We do not sell your personal health information. See our Privacy Policy.

Audit logging

All PHI access, admin actions, and authentication events are written to tamper-evident audit logs in CloudWatch with 1-year retention.

HIPAA program (administrative safeguards)

Security Risk Analysis

We conduct a HIPAA Security Risk Analysis to identify and address risks to protected health information.

Designated HIPAA officer

A HIPAA Security and Privacy Officer is designated to oversee our compliance program.

Workforce training & sanctions

Workforce members complete HIPAA training and acknowledge a sanction policy for violations.

Incident response & breach notification

We maintain a documented incident-response and breach-notification plan, including the 60-day HHS notification timeline for breaches affecting 500 or more individuals.

Privacy & your rights (federal & state)

HIPAA

Safeguards aligned to the HIPAA Security Rule. Business Associate Agreements are executed with all infrastructure and data-processing vendors. Clinicians and healthcare organizations must execute a BAA with M3 before using the platform with patient data.

California — CCPA / CPRA

California residents have the right to know what personal information we collect, access it, correct it, delete it, and limit its use. We treat health assessment data as sensitive personal information under CPRA. We do not sell personal information, and we do not share it for cross-context behavioral advertising.

For California rights requests: support@m3mentalhealth.org

California — CMIA / AB 2089

Consistent with California's Confidentiality of Medical Information Act — including AB 2089's specific protections for mental-health digital services — we safeguard your mental-health information and do not disclose it without your written authorization, except as required by law or to provide the service you requested.

M3 is a mental-health digital service under AB 2089 and limits data use accordingly.

Washington — My Health My Data Act (MHMDA)

Aligned with Washington's My Health My Data Act (effective July 2024): we collect consumer health data only with your affirmative opt-in consent, do not sell it without valid written authorization, and honor your rights to access, withdraw consent, and request deletion within 45 days.

Full policy: Washington Consumer Health Data Privacy Policy

Who M3 is designed for

M3 is built for independent practices, small clinics, and solo practitioners — behavioral health, primary care, and integrated care settings — who need a validated, HIPAA-ready mental-health screening tool without the IT overhead of a hospital EHR deployment. It is not a hospital information system and does not replace EHR workflow within large health systems, though results can be exported in HL7 FHIR R4 format for import into any FHIR-capable system.

Interoperability (open standards)

HL7 FHIR R4

Results can be exported as a standards-based HL7 FHIR R4 Bundle for use by clinicians and health systems.

Standard terminologies (LOINC)

The M3 Checklist is a registered LOINC® panel (71891-6) — every item and all four domain scores carry an individual LOINC code, with each domain crosswalked to ICD-10-CM and SNOMED CT. See the full M3 LOINC code mapping.

USCDI-aligned

Data elements are structured to align with the U.S. Core Data for Interoperability.

Patient data portability

You can export your own record (FHIR and JSON), so your information travels with you.

On our roadmap

The following are planned enhancements we are actively pursuing — they are not yet in place:

SOC 2 Type II

Independent audit of our security controls over time.

HITRUST CSF

Healthcare-specific security certification.

SMART on FHIR

Standards-based sign-in and embedding within EHR systems.

Reporting a security concern

If you believe you've found a security issue, please contact our security team at security@m3mentalhealth.org. We take all reports seriously.

Note: Items listed under "On our roadmap" are planned and not yet implemented or certified. Items in the Certification Status table marked "On roadmap" are not currently in place. This page describes current safeguards in general terms and is not a warranty or legal certification. For details on how we handle data, see our Privacy Policy and Terms & Conditions.