Mental-health information is sensitive, and we treat it that way. This page summarizes how we protect your data and how M3 works with the broader healthcare ecosystem using open standards.
| HIPAA Security Rule | ✓ In place — technical, administrative, and physical safeguards implemented; BAA on file with infrastructure vendors |
| AWS BAA | ✓ Executed — all data processed on HIPAA-eligible AWS services only |
| KMS Encryption at Rest | ✓ Live — all patient tables encrypted with AWS KMS managed keys |
| PITR (Point-in-Time Recovery) | ✓ Live — enabled on all PHI tables |
| Washington MHMDA | ✓ Aligned — opt-in consent, no sale, rights honored; policy at wa-privacy.html |
| California CCPA / CPRA | ✓ Aligned — health data treated as sensitive PI; access/delete rights honored |
| California CMIA / AB 2089 | ✓ Aligned — mental-health digital service safeguards in place |
| SOC 2 Type II | On roadmap — not yet audited |
| HITRUST CSF | On roadmap — not yet certified |
All traffic is served over HTTPS with TLS 1.2 or higher, end to end.
Data is encrypted at rest using AWS KMS managed keys in isolated, dedicated DynamoDB environments.
M3 runs only on HIPAA-eligible AWS services (Lambda, DynamoDB, S3, CloudFront, SES, KMS) under an executed Business Associate Agreement (BAA).
Administrative, technical, and physical safeguards are designed around the HIPAA Security Rule, including a Security Risk Analysis and designated HIPAA officer.
Returning users sign in with a one-time 6-digit code by email — no password to steal or reuse.
We collect only what's needed to generate your report. Payment processing is segregated so health responses are never sent to the payment processor.
Access to patient information is restricted by role — only authorized clinicians and administrators can view records and longitudinal registries.
You can request a copy of your record or its deletion; deletion is handled securely with a 30-day recoverable hold before permanent removal.
We do not sell your personal health information. See our Privacy Policy.
All PHI access, admin actions, and authentication events are written to tamper-evident audit logs in CloudWatch with 1-year retention.
We conduct a HIPAA Security Risk Analysis to identify and address risks to protected health information.
A HIPAA Security and Privacy Officer is designated to oversee our compliance program.
Workforce members complete HIPAA training and acknowledge a sanction policy for violations.
We maintain a documented incident-response and breach-notification plan, including the 60-day HHS notification timeline for breaches affecting 500 or more individuals.
Safeguards aligned to the HIPAA Security Rule. Business Associate Agreements are executed with all infrastructure and data-processing vendors. Clinicians and healthcare organizations must execute a BAA with M3 before using the platform with patient data.
California residents have the right to know what personal information we collect, access it, correct it, delete it, and limit its use. We treat health assessment data as sensitive personal information under CPRA. We do not sell personal information, and we do not share it for cross-context behavioral advertising.
For California rights requests: support@m3mentalhealth.org
Consistent with California's Confidentiality of Medical Information Act — including AB 2089's specific protections for mental-health digital services — we safeguard your mental-health information and do not disclose it without your written authorization, except as required by law or to provide the service you requested.
M3 is a mental-health digital service under AB 2089 and limits data use accordingly.
Aligned with Washington's My Health My Data Act (effective July 2024): we collect consumer health data only with your affirmative opt-in consent, do not sell it without valid written authorization, and honor your rights to access, withdraw consent, and request deletion within 45 days.
Full policy: Washington Consumer Health Data Privacy Policy
M3 is built for independent practices, small clinics, and solo practitioners — behavioral health, primary care, and integrated care settings — who need a validated, HIPAA-ready mental-health screening tool without the IT overhead of a hospital EHR deployment. It is not a hospital information system and does not replace EHR workflow within large health systems, though results can be exported in HL7 FHIR R4 format for import into any FHIR-capable system.
Results can be exported as a standards-based HL7 FHIR R4 Bundle for use by clinicians and health systems.
The M3 Checklist is a registered LOINC® panel (71891-6) — every item and all four domain scores carry an individual LOINC code, with each domain crosswalked to ICD-10-CM and SNOMED CT. See the full M3 LOINC code mapping.
Data elements are structured to align with the U.S. Core Data for Interoperability.
You can export your own record (FHIR and JSON), so your information travels with you.
The following are planned enhancements we are actively pursuing — they are not yet in place:
Independent audit of our security controls over time.
Healthcare-specific security certification.
Standards-based sign-in and embedding within EHR systems.
If you believe you've found a security issue, please contact our security team at security@m3mentalhealth.org. We take all reports seriously.