What is Mental Wealth Solutions, Inc.?

Mental Wealth Solutions, Inc. is the parent corporation behind five white-label patient navigation and behavioral health infrastructure platforms: HealthcareCheck, TransplantCheck, CoachesCheck, EAPCheck, and VeteranCheck. The company licenses HIPAA-compliant software to FQHCs, CCBHCs, transplant programs, EAPs, coaches, and veteran services.

Who founded Mental Wealth Solutions?

Matthew Sexton, LCSW, founded Mental Wealth Solutions, Inc. in 2024. He is a Licensed Clinical Social Worker and Certified Narcissistic Abuse Treatment Clinician. His private clinical practice is operated separately under Matthew Sexton PLLC d/b/a Mental Wealth Solutions.

Are the platforms HIPAA compliant?

Yes. All Mental Wealth Solutions platforms operate under executed Business Associate Agreements (BAAs) with their cloud providers (AWS, Vertex AI). Patient health information is encrypted at rest using pgcrypto on PostgreSQL and in transit via TLS. Weekly HIPAA gates verify the security posture.

How do tenants engage a vertical?

Each vertical has its own engagement path. HealthcareCheck offers a 48-hour white-label deploy with executed BAA. TransplantCheck onboards transplant programs through a custom integration. CoachesCheck is bespoke-quoted per engagement. EAPCheck deploys as B2B2C infrastructure. Contact the relevant vertical for engagement terms.

Where can I find clinical care from Matthew Sexton?

Clinical care is provided through Matthew Sexton PLLC d/b/a Mental Wealth Solutions, a separate clinical entity from Mental Wealth Solutions, Inc. The clinical practice is at https://matthewsextonlcswpllc.org. Telehealth is available in New York, Florida, Maine, and Delaware.

How do I contact Mental Wealth Solutions, Inc.?

Email info@mentalwealthsolutions.org or book a 30-minute call with the founder at https://calendly.com/matthewsextonlcsw-mentalwealthsolutions/30min. For platform-specific inquiries, contact the relevant vertical directly.

Which vendors operate under signed Business Associate Agreements?

Three vendors hold executed BAAs that cover every PHI-touching workflow on the platform: Google Cloud at the organization level scoped to Vertex AI inference, Amazon Web Services at the account level covering compute and storage, and Amazon RDS for PostgreSQL under the parent AWS account BAA with RDS-specific operational controls layered on top. PHI never leaves BAA-covered infrastructure. GitHub holds no BAA and is therefore treated as code-only infrastructure with a hard prohibition against any patient data, screenshot, fixture, or log line entering it. Anthropic, OpenAI, Bedrock multi-model, and Azure OpenAI are not in scope and are not invoked from production code paths that handle PHI; bring-your-own-LLM is on the roadmap and gated by partner BAA execution before any vendor-specific integration ships.

How is patient health information encrypted at rest?

Patient identifiers and clinical free-text fields are encrypted at the column level inside PostgreSQL using the pgcrypto extension — first name, last name, date of birth, MRN equivalents, contact information, free-text intake responses, free-text session notes, and crisis-flag context. Symmetric cipher keys live in AWS Secrets Manager with versioning, rotation, and access-logged retrieval. The application tier reads the current key on startup and on rotation event, and handles cryptographic versioning so a rotation does not break read paths. RDS automated backups inherit pgcrypto ciphertext and are additionally KMS-encrypted at rest in S3. EBS volumes attached to application-tier EC2 instances default to KMS encryption. A database breach without simultaneous compromise of the Secrets Manager key store yields ciphertext, not patient records.

How is crisis safety handled across all tenants?

Crisis routing is always-on across every PHI-touching surface. PHQ-9 item 9 thresholds and C-SSRS suicidal-ideation flags trigger Stanley-Brown safety planning embedded in the workflow with 24-72 hour clinical follow-up. Stanley & Brown 2018 demonstrated that safety planning plus structured follow-up reduced subsequent self-harm by roughly 45 percent versus usual care. 988 single-tap and after-hours warm-line lookup are present at every patient touchpoint. LCSW backstop coverage handles escalation paths for coaches, EAP utilization spikes, and transplant pre-listing crisis events. Tenants do not opt into crisis safety — they opt out only via documented program-specific exception with executive sign-off. The Joint Commission Sentinel Event Alert 56 framework anchors the escalation timing, and the VA-DoD 2019 Clinical Practice Guideline anchors the lethal-means counseling integrated into every safety plan.

Where do production logs containing potential PHI live?

Inside BAA-covered AWS only. CloudWatch Logs, S3 with KMS-managed encryption, and SSM Session Manager session data buckets all reside inside the AWS account that holds the executed BAA. Production logs are never copied to GitHub, never pasted into chat outside summary form, and never mirrored to a developer machine. Diagnostics that may contain PHI are reduced to non-PHI summaries before they leave BAA scope. The weekly HIPAA gate verifies that no production log line containing PHI has been mirrored outside BAA-covered AWS in the prior seven days — verified by string search against the GitHub repository, against Actions logs, against developer-machine local clones via opt-in agent attestation, and against any third-party SaaS endpoint integrated into the developer workflow.

Security & HIPAA Architecture — Mental Wealth Solutions

Bring your compliance team to the discovery call Read the methodology

Mental Wealth Solutions, Inc. operates three vendors under signed Business Associate Agreements: Google Cloud Vertex AI for model inference, Amazon Web Services at the account level for compute and storage, and Amazon RDS for PostgreSQL for the patient health record. Patient identifiers and clinical free-text fields are encrypted at the column level inside Postgres using pgcrypto. TLS 1.2 or higher governs every external transport hop. A forty-three-control HIPAA gate runs against production every Wednesday and gates every deploy — current baseline forty-three pass, zero warn, zero fail. GitHub holds no Business Associate Agreement and is therefore code-only infrastructure with a hard prohibition against any patient data, screenshot, fixture, log line, or commit message containing protected health information.

Where the pathway breaks — and how we close it

The dominant pattern in healthcare-software procurement is to wire a vendor up to the staging environment, get the integration working under synthetic data, then chase the Business Associate Agreement paperwork while the engineering team is already moving to the next ticket. Six weeks later the BAA is countersigned, the integration shipped to production, and nobody is sure when the cutover from synthetic to real PHI actually happened. That gap is where the breach reports are written.

45 CFR 164.308(b) HIPAA-mandated written contract before disclosure of PHI ^cite

Cost when unaddressed: An integration without a countersigned BAA is a HIPAA violation the moment the first patient row crosses the wire — regardless of how careful the implementation was after the fact.

Three vendors hold executed Business Associate Agreements that cover every PHI-touching workflow on the platform: Google Cloud at the organization level scoped to Vertex AI, Amazon Web Services at the account level covering every AWS service the platform invokes, and Amazon RDS for PostgreSQL under the parent AWS account BAA with RDS-specific operational controls layered on top. Vendors without a BAA never see patient data. The list is short on purpose.

3 executed BAAs cover 100% of PHI-touching workflows ^cite

Before 45 CFR 164.308(b) HIPAA-mandated written contract before disclosure ^cite

After 3 signed BAA chain — Vertex AI, AWS, RDS ^cite

Impact on vendors integrate before the baa paperwork lands Methodology →

Most healthcare platforms encrypt the database volume at rest, mark the box, and call the posture HIPAA-compliant. A volume-encrypted database is a single key compromise away from full plaintext exposure of every patient record. A stolen backup tape, a compromised read replica, an over-permissive IAM role on the snapshot bucket — any of those vectors yields plaintext patient data because the application reads the database in cleartext at the connection layer.

Volume only industry-norm encryption posture for HIPAA-compliant SaaS ^cite

Cost when unaddressed: Encryption at the database edge protects against physical-disk theft and not much else. Logical-access compromises produce plaintext records.

Patient identifiers and clinical free-text fields are encrypted at the column level inside PostgreSQL using the pgcrypto extension — first name, last name, date of birth, MRN equivalents, contact information, free-text intake responses, free-text session notes, and crisis-flag context. Symmetric cipher keys live in AWS Secrets Manager with versioning, rotation, and access-logged retrieval. A database breach without simultaneous compromise of the Secrets Manager key store yields ciphertext, not patient records.

Column-level ciphertext at the row, not just at the volume ^cite

Before Volume EBS-only at-rest encryption ^cite

After Column pgcrypto on every PHI field ^cite

Impact on database-edge encryption only Methodology →

Audit any healthcare platform's TLS posture and a recurring pattern shows up: public endpoints on TLS 1.2 with HSTS in effect, internal service-to-service traffic on plain HTTP because the team trusts the VPC boundary, certificate rotation handled manually with a calendar reminder that gets missed roughly once a year, and at least one legacy endpoint still accepting TLS 1.0 because a downstream integration has not been updated.

TLS 1.0+ accepted common posture inside HIPAA-compliant SaaS ^cite

Cost when unaddressed: An attacker with VPC-internal access on a platform that re-encrypts only at the edge sees clear traffic on every internal hop. The encryption boundary stops at the load balancer.

Every external hop terminates TLS 1.2 or higher at the application load balancer with modern cipher suites and HSTS in effect. Internal service-to-service traffic inside the VPC is re-encrypted at the application tier wherever the workflow touches PHI, so an attacker with VPC-internal access still encounters encrypted payloads on the wire. Certificate provisioning and rotation use AWS Certificate Manager with automatic renewal. Plain HTTP is not served on any patient-facing endpoint, and the gate rejects deploys that introduce one.

TLS 1.2+ every hop, internal and external, no exceptions

Before TLS 1.0+ industry-baseline accepted versions ^cite

After TLS 1.2+ ACM auto-renewal, HSTS, modern ciphers only ^cite

Impact on mixed-content endpoints and stale tls suites Methodology →

The HIPAA Security Rule requires periodic risk analysis. The industry default reading of periodic is annual — an external auditor walks through the controls once a year, generates a binder, files the binder, and the platform operates uninspected for the next eleven months. Drift between audit cycles is the rule, not the exception. A control that passes in March can quietly degrade by August, and the next risk analysis surfaces it after the breach has already happened.

Annual industry-norm HIPAA risk-analysis cadence ^cite

Cost when unaddressed: Eleven months of unverified posture is eleven months of opportunity for a control to fail silently. The gap between audits is where unencrypted backups, expired certificates, and forgotten log groups live.

A scripted check runs against production every Wednesday and verifies forty-three discrete security controls — BAA inventory, encryption at rest, encryption in transit, access logging, key rotation events, audit trail integrity, retention windows, crisis-routing endpoints, and more. The current baseline is forty-three pass, zero warn, zero fail. A failed gate halts all production deploys until the affected control is remediated and the gate runs clean.

43 / 0 / 0 pass / warn / fail — current baseline, every Wednesday ^cite

Before Annual industry HIPAA risk-analysis cadence ^cite

After Weekly Wednesday HIPAA gate, 43 controls, scripted ^cite

Impact on annual hipaa risk analysis as the only verification Methodology →

Patient-engagement platforms commonly position crisis routing as a configurable feature: tenants opt in, the integration is scoped against the tenant's existing crisis line, and the implementation timeline runs weeks. The default state for a new tenant is no crisis routing. Patients who present with suicidal ideation during the configuration window get the same generic contact-us flow as any other support request — a multi-tap path to a clinician with no offline fallback.

Opt-in industry default for tenant crisis-routing configuration ^cite

Cost when unaddressed: A patient in active crisis on a platform without 988 routing is a patient on hold. The cost of that delay is well-documented in the suicide-prevention literature.

Every patient-facing surface includes one-tap routing to the 988 Suicide and Crisis Lifeline. Safety plans are accessible offline so a phone with no signal still surfaces the plan. Geolocation-aware warm line lookup is available where the device permits. The C-SSRS column scoring fires a CRISIS_FLAG that escalates to the responsible clinician inside the platform with timestamped audit trail. Stanley & Brown 2018 demonstrated that safety planning plus structured follow-up reduced subsequent self-harm by roughly 45 percent versus usual care. Tenants do not opt into crisis safety — they opt out only via documented program-specific exception with executive sign-off.

~45% reduction in subsequent self-harm vs usual care ^cite

Before Opt-in tenant configures crisis routing during onboarding ^cite

After Default-on 988 + Stanley-Brown on every PHI-touching surface ^cite

Impact on crisis routing as a configurable feature flag Methodology →

The dominant pattern across healthcare-software vendors is to centralize logs in a SaaS observability platform without a Business Associate Agreement, mirror error reports into a ticketing system also without a BAA, attach screenshots to support threads inside Slack workspaces also without a BAA, and rely on contributor discipline to redact PHI before it leaves BAA-covered infrastructure. Discipline is not a control. The breach reports are full of vendors who relied on it.

Multiple non-BAA surfaces industry-norm log mirroring across SaaS tooling ^cite

Cost when unaddressed: Every non-BAA surface a production log line crosses is a HIPAA Omnibus Rule violation. Discipline-based redaction fails routinely.

CloudWatch Logs, S3 with KMS-managed encryption, and SSM Session Manager session data buckets all reside inside the AWS account that holds the executed BAA. Production logs are never copied to GitHub, never pasted into chat outside summary form, and never mirrored to a developer machine. GitHub holds no Business Associate Agreement and is therefore code-only infrastructure with a hard prohibition against any patient data, screenshot, fixture, log line, or commit message that contains protected health information. The rule applies to every contributor and every AI agent that touches the codebase, and it applies forever.

1 surface production log destination — BAA-covered AWS only ^cite

Before 5+ non-BAA surfaces commonly receive prod log mirrors ^cite

After 1 BAA-covered AWS account is the only log destination ^cite

Impact on production logs leak into developer tooling Methodology →

Methodology

How we measure

The forty-three-control HIPAA gate is decomposed into seven control families that each carry a discrete pass criterion. BAA inventory verifies that countersigned PDFs are reachable from the operations record for every PHI-touching vendor. Encryption at rest verifies pgcrypto column-level on every patient identifier and clinical free-text field via direct query against the Postgres catalog. Encryption in transit verifies TLS 1.2 or higher at every public endpoint, modern cipher suites only, HSTS headers in effect, ACM certificates within their renewal window, and no plain HTTP listener active. Audit trail integrity verifies that every patient-record read, every clinical-field write, and every CRISIS_FLAG escalation in the last seven days is present, unaltered, and timestamped with actor identity and request hash. Key rotation verifies that every secret in AWS Secrets Manager is within its rotation window and that the previous-version cipher key is retained for the rolling re-key window. Crisis routing verifies that the 988 endpoint returns a healthy response and that the offline safety plan is reachable on a phone with no signal. PHI boundary verification runs string search against the GitHub repository, against Actions logs, against developer-machine local clones via opt-in agent attestation, and against any third-party SaaS endpoint integrated into the developer workflow — confirming that no production log line containing PHI has crossed a non-BAA surface in the prior seven days. Each Wednesday the gate generates a posture snapshot committed to the operations record with the forty-three-control pass / warn / fail summary, the date and time the gate ran, the actor who ran it, and a link to the underlying evidence for each control.

What counts

Three vendors under executed BAA — Google Cloud Vertex AI, Amazon Web Services account-level, Amazon RDS for PostgreSQL
pgcrypto column-level encryption on every patient identifier and clinical free-text field
TLS 1.2 or higher at every external hop, re-encrypted at the application tier on PHI paths
Forty-three-control HIPAA gate every Wednesday with current baseline 43 / 0 / 0 pass / warn / fail
988 single-tap routing and Stanley-Brown safety planning embedded on every patient surface

What doesn't count

SOC 2 Type II as a HIPAA substitute — SOC 2 covers operational discipline, not the HIPAA Security Rule
Volume-only at-rest encryption as a sufficient PHI control
Annual HIPAA risk analysis as the only verification cadence between audits
Crisis routing configured per-tenant during onboarding instead of defaulted on
Production log mirroring to non-BAA observability or ticketing surfaces

Sources: google-cloud-2024-vertex-ai-baa , aws-2024-hipaa-eligible-services , hhs-45-cfr-164-312-technical-safeguards , nist-2017-sp-800-66-hipaa-implementation , hhs-2013-hipaa-omnibus-rule , hhs-2024-hipaa-security-rule-nprm , onc-2024-hti-1-final-rule , fda-2022-software-medical-device-guidance , stanley-2018-safety-planning-ed-cohort , brown-2005-safety-plan-cohort , stanley-brown-2012-safety-planning , posner-2011-cssrs-validation , tjc-2016-sea-56-suicide , luxton-2013-caring-contacts-meta , va-dod-2019-suicide-prevention-cpg

How we compare

Sourced from primary citations — not vendor marketing claims.

	Us Mental Wealth Solutions	vs SOC 2 only vendor	vs Generic HIPAA-claim SaaS	vs EHR-bolted-on patient portal
BAA inventory ^cite	3 executed — Vertex AI, AWS account-level, RDS Postgres	1 executed at the cloud-provider tier; subprocessors uninventoried	Marketing claim only; countersigned PDFs not surfaced	Legacy EHR vendor BAA inherited; LLM-layer BAA unknown
At-rest encryption ^cite	pgcrypto column-level on every PHI field	Volume-only EBS encryption	TDE at the database edge	Vendor-default encryption at the storage layer
In-transit encryption ^cite	TLS 1.2+ external + re-encrypted internally on PHI paths	TLS 1.2 at the public edge only	TLS 1.0 / 1.1 still accepted on legacy endpoints	TLS 1.2 at edge; internal service-mesh in plaintext
HIPAA verification cadence ^cite	43-control gate every Wednesday, 43 / 0 / 0 baseline	Annual third-party HIPAA risk analysis	SOC 2 Type II audit framed as HIPAA equivalent	Internal review at undefined cadence
Crisis routing default ^cite	988 + Stanley-Brown default-on, every patient surface	Configurable per-tenant; default off during onboarding	Generic contact-us flow with no 988 integration	Paged on-call escalation only
Production log destination ^cite	BAA-covered AWS only; GitHub no-PHI hard line	Mirrored to non-BAA observability SaaS	Screenshots attached to non-BAA support tooling	Developer-machine local clones permitted
Posture snapshot frequency ^cite	Weekly Wednesday snapshot in operations record	Annual binder generated by external auditor	Posture undocumented between audits	Snapshot triggered only on customer request

Frequently asked questions

Which vendors operate under signed Business Associate Agreements?: Three vendors hold executed BAAs that cover every PHI-touching workflow on the platform: Google Cloud at the organization level scoped to Vertex AI inference, Amazon Web Services at the account level covering compute and storage, and Amazon RDS for PostgreSQL under the parent AWS account BAA with RDS-specific operational controls layered on top. PHI never leaves BAA-covered infrastructure. GitHub holds no BAA and is therefore treated as code-only infrastructure with a hard prohibition against any patient data, screenshot, fixture, or log line entering it. Anthropic, OpenAI, Bedrock multi-model, and Azure OpenAI are not in scope and are not invoked from production code paths that handle PHI; bring-your-own-LLM is on the roadmap and gated by partner BAA execution before any vendor-specific integration ships.
Cited: google-cloud-2024-vertex-ai-baa , aws-2024-hipaa-eligible-services , hhs-45-cfr-164-312-technical-safeguards
How is patient health information encrypted at rest?: Patient identifiers and clinical free-text fields are encrypted at the column level inside PostgreSQL using the pgcrypto extension — first name, last name, date of birth, MRN equivalents, contact information, free-text intake responses, free-text session notes, and crisis-flag context. Symmetric cipher keys live in AWS Secrets Manager with versioning, rotation, and access-logged retrieval. The application tier reads the current key on startup and on rotation event, and handles cryptographic versioning so a rotation does not break read paths. RDS automated backups inherit pgcrypto ciphertext and are additionally KMS-encrypted at rest in S3. EBS volumes attached to application-tier EC2 instances default to KMS encryption. A database breach without simultaneous compromise of the Secrets Manager key store yields ciphertext, not patient records.
Cited: hhs-45-cfr-164-312-technical-safeguards , nist-2017-sp-800-66-hipaa-implementation
How is patient health information encrypted in transit?: Every external transport hop terminates TLS 1.2 or higher at the application load balancer with modern cipher suites only and HSTS headers in effect. Internal service-to-service traffic inside the VPC is re-encrypted at the application tier wherever the workflow touches PHI, so an attacker with VPC-internal access still encounters encrypted payloads on the wire. Certificate provisioning and rotation use AWS Certificate Manager with automatic renewal. Plain HTTP is not served on any patient-facing endpoint, and the weekly Wednesday HIPAA gate rejects deploys that introduce one. Inference traffic to Vertex AI is encrypted in transit under the executed Google Cloud BAA, and audit-trail entries are written to CloudWatch Logs with KMS-encrypted log groups.
Cited: hhs-45-cfr-164-312-technical-safeguards , google-cloud-2024-vertex-ai-baa
What is the weekly HIPAA gate and what does it verify?: A scripted check runs against production every Wednesday and verifies forty-three discrete security controls grouped into seven families: BAA inventory, encryption at rest, encryption in transit, access logging and audit-trail integrity, key rotation events, retention windows, and crisis-routing endpoints. The current baseline is forty-three pass, zero warn, zero fail. A failed gate halts all production deploys until the affected control is remediated and the gate runs clean. Each run generates a posture snapshot committed to the operations record with the date and time, the actor, and a link to the underlying evidence for each of the forty-three controls. The gate is the single source of truth for the platform's HIPAA posture in any given week — not a marketing document.
Cited: hhs-45-cfr-164-312-technical-safeguards , hhs-2024-hipaa-security-rule-nprm
How is crisis safety handled across all tenants?: Crisis routing is always-on across every PHI-touching surface. PHQ-9 item 9 thresholds and C-SSRS suicidal-ideation flags trigger Stanley-Brown safety planning embedded in the workflow with 24-72 hour clinical follow-up. Stanley & Brown 2018 demonstrated that safety planning plus structured follow-up reduced subsequent self-harm by roughly 45 percent versus usual care. 988 single-tap and after-hours warm-line lookup are present at every patient touchpoint. LCSW backstop coverage handles escalation paths for coaches, EAP utilization spikes, and transplant pre-listing crisis events. Tenants do not opt into crisis safety — they opt out only via documented program-specific exception with executive sign-off. The Joint Commission Sentinel Event Alert 56 framework anchors the escalation timing, and the VA-DoD 2019 Clinical Practice Guideline anchors the lethal-means counseling integrated into every safety plan.
Cited: stanley-2018-safety-planning-ed-cohort , brown-2005-safety-plan-cohort , posner-2011-cssrs-validation , tjc-2016-sea-56-suicide , va-dod-2019-suicide-prevention-cpg
Where do production logs containing potential PHI live?: Inside BAA-covered AWS only. CloudWatch Logs, S3 with KMS-managed encryption, and SSM Session Manager session data buckets all reside inside the AWS account that holds the executed BAA. Production logs are never copied to GitHub, never pasted into chat outside summary form, and never mirrored to a developer machine. Diagnostics that may contain PHI are reduced to non-PHI summaries before they leave BAA scope. The weekly HIPAA gate verifies that no production log line containing PHI has been mirrored outside BAA-covered AWS in the prior seven days — verified by string search against the GitHub repository, against Actions logs, against developer-machine local clones via opt-in agent attestation, and against any third-party SaaS endpoint integrated into the developer workflow.
Cited: aws-2024-hipaa-eligible-services , hhs-2013-hipaa-omnibus-rule

BAA before vendor, gate before ship, patient before product. The mantra is the engineering posture, not a marketing slogan.

— Matthew Sexton, LCSW

Every healthcare platform I have ever evaluated as a clinician has had the same architectural failure pattern. The Business Associate Agreement is chased after the integration ships. The encryption posture is documented in marketing copy and not in the code. The audit trail breaks the moment a real audit arrives. Crisis routing is a configurable feature flag that defaults to off. The HIPAA risk analysis is an annual binder generated by an external auditor and filed without anyone reading it. The engineering posture is bolted on after the sales cycle, and patients carry the cost.

The rule on this platform is the inverse. Every vendor passes a Business Associate Agreement check before any clinical workflow integrates it — not after, not in parallel, not subject to a procurement-team timeline that the engineering team can quietly slip. Every patient identifier and clinical free-text field is encrypted at the column level inside Postgres using pgcrypto, not at the database edge — because a stolen backup or a compromised read replica still yields ciphertext under that posture, not patient names. Every external transport hop terminates TLS 1.2 or higher with modern cipher suites and HSTS in effect, and internal service-to-service traffic is re-encrypted on PHI paths so VPC-internal access yields ciphertext on the wire. A forty-three-control HIPAA gate runs against production every Wednesday and gates every deploy. GitHub holds no Business Associate Agreement, so GitHub is treated as code-only infrastructure with a hard prohibition against any patient data, screenshot, fixture, log line, or commit message that contains protected health information.

The mantra is short on purpose: BAA before vendor, gate before ship, patient before product. It is not a marketing slogan. It is the engineering posture that governs every architectural decision, every vendor evaluation, and every deploy. If a tenant scope, a vendor inventory, or a deploy posture cannot live inside that posture, the work does not ship. I am the founder, the clinical lead, and the engineer who runs the weekly gate. The same person who wrote this page also reviews the audit trail. The credential and the public-facing record live at matthewsextonlcswpllc.org.

Matthew Sexton, LCSW Founder · Mental Wealth Solutions Inc.

Citations

Google Cloud (2024). HIPAA Compliance on Google Cloud — Business Associate Agreement and Covered Services. Google Cloud. Source
- Google Cloud offers Business Associate Agreement (BAA) coverage for Vertex AI services including Gemini API (text-bison, gemini-pro, gemini-1.5-pro, gemini-1.5-flash) — establishing HIPAA-compliant LLM infrastructure for covered entities and business associates.
- BAA-covered Vertex AI services include: Gemini API for text generation, Embeddings API, Vector Search, Vertex AI Pipelines, Vertex AI Workbench, AutoML, Model Registry, Model Monitoring, and Endpoints — comprehensive ML/AI infrastructure for HIPAA-regulated workflows.
- Established the BAA-covered LLM cloud infrastructure baseline that enables HIPAA-compliant deployment of large-language-model clinical applications without requiring on-premise model hosting — key infrastructure enabling cloud-native HIPAA AI architecture.
“Google Cloud Vertex AI BAA coverage includes the full Gemini API family plus Embeddings, Vector Search, AutoML, and Model Endpoints — establishing the BAA-covered LLM cloud infrastructure baseline for HIPAA-compliant clinical AI deployment.”
Amazon Web Services (2024). HIPAA Eligible Services Reference. Amazon Web Services. Source
- AWS HIPAA Eligible Services Reference documents the comprehensive list of AWS services covered under the AWS BAA — currently 175+ services including EC2, RDS, S3, KMS, Lambda, Bedrock, SageMaker, CloudWatch Logs, Systems Manager, and Aurora.
- Critical HIPAA-architecture services for healthcare workloads: RDS (encrypted PostgreSQL/MySQL with pgcrypto), S3 with SSE-KMS encryption, Bedrock for LLM inference (BAA-covered foundation models), Systems Manager Session Manager (CloudTrail-logged session-data S3 archival), and CloudWatch Logs for audit trail.
- Established the AWS BAA-covered services baseline enabling HIPAA-compliant cloud-native architecture for healthcare workloads — key infrastructure enabling HIPAA-compliant deployment without requiring on-premise hosting or self-hosted security infrastructure.
“AWS HIPAA Eligible Services covers 175+ services under BAA including RDS, S3, Bedrock, SageMaker, and Systems Manager Session Manager — establishing the AWS BAA-covered services baseline for HIPAA-compliant cloud-native healthcare architecture.”
U.S. Department of Health & Human Services & Office for Civil Rights (2013). HIPAA Security Rule — Technical Safeguards (45 CFR § 164.312). Code of Federal Regulations, Title 45 — Public Welfare. Source
- Mandates access control, audit controls, integrity controls, person-or-entity authentication, and transmission security as technical safeguards for ePHI.
- Encryption and decryption are addressable specifications under access control and transmission security — required unless an alternative measure is documented as equally protective.
- Audit controls require hardware, software, and procedural mechanisms to record and examine activity in systems containing or using ePHI.
“A covered entity or business associate must implement technical policies and procedures for electronic information systems that maintain electronic protected health information to allow access only to those persons or software programs that have been granted access rights.”
National Institute of Standards and Technology (2024). NIST Special Publication 800-66 Revision 2 — Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule. National Institute of Standards and Technology. Source
- NIST SP 800-66 Rev. 2 (February 2024) provides authoritative implementation guidance for HIPAA Security Rule technical, administrative, and physical safeguards — referenced by HHS OCR as definitive HIPAA Security Rule implementation reference.
- Establishes detailed technical-safeguards implementation guidance: access control, audit controls, integrity controls, person/entity authentication, transmission security, and encryption — with cross-references to NIST Cybersecurity Framework and NIST SP 800-53 security controls.
- Anchored the federally-recognized HIPAA Security Rule implementation framework — covered entities and business associates following NIST SP 800-66 implementation guidance establish a defensible technical-safeguards posture.
“NIST SP 800-66 Rev. 2 provides authoritative HIPAA Security Rule implementation guidance — referenced by HHS OCR as definitive technical-safeguards implementation reference, anchoring federally-recognized HIPAA security architecture.”
U.S. Department of Health and Human Services (2013). Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules — Omnibus Rule. HHS Office for Civil Rights. Source
- HHS HIPAA Omnibus Rule (effective March 2013) implementing HITECH Act provisions — established business-associate direct liability for HIPAA violations, expanded breach notification requirements, and updated marketing/fundraising restrictions.
- Established that business associates (including health-IT vendors and cloud-service providers handling ePHI) are directly liable for HIPAA Security Rule and Breach Notification Rule violations — extending HIPAA enforcement to the entire ePHI handling chain rather than only covered entities.
- Anchored the modern HIPAA enforcement framework: covered entities and business associates each carry direct compliance obligations, with Business Associate Agreements (BAAs) as the contractual instrument establishing the compliance chain.
“The 2013 HIPAA Omnibus Rule established business-associate direct liability for HIPAA violations — extending enforcement to the entire ePHI handling chain with Business Associate Agreements as the contractual compliance instrument.”
U.S. Department of Health and Human Services (2024). HIPAA Security Rule To Strengthen the Cybersecurity of Electronic Protected Health Information — Notice of Proposed Rulemaking. HHS Office for Civil Rights. Source
- HHS OCR Notice of Proposed Rulemaking (December 2024) updating HIPAA Security Rule to strengthen ePHI cybersecurity — first significant Security Rule update since 2013 Omnibus Rule.
- Proposed updates: mandatory multifactor authentication, encryption of ePHI at rest and in transit, vulnerability scanning, penetration testing, network segmentation, contingency planning with documented recovery time/recovery point objectives, and written policies/procedures for AI-enabled health technology.
- Established the regulatory direction for HIPAA cybersecurity standards through 2026-2027 — covered entities and business associates must prepare for substantially expanded technical-safeguards requirements.
“HHS OCR's December 2024 NPRM proposes the first significant HIPAA Security Rule update since 2013 — including mandatory MFA, encryption at rest/transit, vulnerability scanning, network segmentation, and written policies for AI-enabled health technology.”
Office of the National Coordinator for Health Information Technology (2024). Health Data, Technology, and Interoperability — Certification Program Updates, Algorithm Transparency, and Information Sharing (HTI-1) Final Rule. HHS ONC. Source
- ONC HTI-1 Final Rule (January 2024) establishes the first federal regulatory framework for AI/algorithm transparency in certified health IT — including 'Decision Support Interventions' (DSI) certification criteria for predictive AI/machine-learning models embedded in EHRs.
- DSI certification requires source attribute disclosure for predictive models, intervention risk management practices, and feedback mechanism for end users — establishing the baseline transparency requirements for AI-enabled clinical decision support.
- Anchored the regulatory baseline for AI in certified health IT — vendors offering AI/ML-enabled clinical decision support to ONC-certified EHRs must satisfy DSI transparency and risk-management requirements as of January 1, 2025 effective date.
“ONC HTI-1 Final Rule establishes the first federal regulatory framework for AI/algorithm transparency in certified health IT — DSI certification requires source attribute disclosure, intervention risk management, and end-user feedback mechanisms for predictive AI/ML models.”
U.S. Food and Drug Administration (2022). Clinical Decision Support Software — Guidance for Industry and Food and Drug Administration Staff. U.S. Food and Drug Administration. Source
- FDA Clinical Decision Support Software guidance (September 2022) clarifies which CDS software functions qualify as medical devices subject to FDA regulation under the 21st Century Cures Act.
- FDA-regulated CDS includes software that: provides diagnostic/treatment recommendations not based on transparent rationale clinicians can independently review, processes medical images/signals/patterns, or provides time-critical decisions where clinicians cannot independently review rationale — requiring premarket FDA review.
- Anchored the FDA medical-device regulatory boundary for clinical AI software — AI/ML systems providing autonomous diagnostic/treatment recommendations cross into FDA-regulated medical-device territory, while non-autonomous reference/educational tools remain non-device.
“FDA's CDS Software guidance clarifies the medical-device regulatory boundary for clinical AI — autonomous diagnostic/treatment recommendation systems cross into FDA-regulated medical-device territory, while non-autonomous reference tools remain non-device.”
Centers for Medicare and Medicaid Services (2025). CCBHC Quality Measure Set and Reporting Requirements. U.S. Department of Health and Human Services / CMS. Source
- CMS-defined quality measure set required for CCBHC participation in the Medicaid Section 223 demonstration and state-option Medicaid CCBHC programs.
- Required measures include depression remission at 12 months, follow-up after hospitalization for mental illness (FUH), screening for clinical depression and follow-up plan, and adherence to antipsychotic medications for schizophrenia.
- Quality-measure performance directly drives CCBHC prospective payment system rate cells and continued certification eligibility.
“CMS quality-measure performance directly drives CCBHC payment rate cells and certification eligibility, making measurement-based care reporting infrastructure a financial as well as clinical requirement.”
Barbara Stanley, Gregory K. Brown, Lisa A. Brenner, Hanga C. Galfalvy, Glenn W. Currier, Kerry L. Knox, et al. (2018). Comparison of the Safety Planning Intervention with follow-up vs usual care of suicidal patients treated in the emergency department. JAMA Psychiatry. doi:10.1001/jamapsychiatry.2018.1776
- Cohort comparison study of 1,640 suicidal patients across 9 emergency departments comparing the Safety Planning Intervention plus structured follow-up phone outreach with usual care.
- Intervention arm showed a 45% reduction in suicidal behaviors over 6 months compared with the usual-care comparison group.
- Engagement in outpatient mental-health treatment was approximately twice as high in the intervention arm relative to usual care.
“The Safety Planning Intervention combined with structured telephone follow-up was associated with a substantial reduction in suicidal behavior and increased outpatient treatment engagement among emergency-department patients.”
Gregory K. Brown, Thomas Ten Have, Gregg R. Henriques, Sharon X. Xie, Judd E. Hollander, & Aaron T. Beck (2005). Cognitive therapy for the prevention of suicide attempts: a randomized controlled trial. JAMA. doi:10.1001/jama.294.5.563
- Randomized controlled trial of 120 adults presenting to an urban emergency department after a suicide attempt, comparing 10-session cognitive therapy plus enhanced usual care versus enhanced usual care alone.
- Cognitive therapy reduced repeat suicide attempts by 50% over an 18-month follow-up window (24% reintervention vs 41% usual care, hazard ratio 0.51).
- Anchored the evidence base for brief structured suicide-prevention interventions including the Stanley-Brown Safety Planning Intervention now embedded in CCBHC and ED protocols.
“A brief 10-session cognitive intervention focused on suicide-attempt cognitions cut the rate of repeat suicide attempts in half across an 18-month follow-up window, establishing the evidence base for the structured safety-planning paradigm.”
Barbara Stanley & Gregory K. Brown (2012). Safety planning intervention: a brief intervention to mitigate suicide risk. Cognitive and Behavioral Practice. doi:10.1016/j.cbpra.2011.01.001
- Original description of the Safety Planning Intervention (SPI), a brief structured collaborative protocol for individuals at risk of suicide developed for emergency, primary care, and behavioral health settings.
- SPI components include warning sign identification, internal coping strategies, social contacts and settings that distract, family/friend contacts, professional contacts, and means restriction counseling.
- Established the standardized evidence-based safety planning protocol now adopted as the de facto national standard across CCBHCs, EDs, VA systems, and Joint Commission-accredited programs.
“The Safety Planning Intervention provides a brief, structured, collaborative protocol that has become the national evidence-based standard for suicide-risk mitigation across emergency, primary care, and behavioral health settings.”
Kelly Posner, Gregory K. Brown, Barbara Stanley, David A. Brent, Kseniya V. Yershova, Maria A. Oquendo, et al. (2011). The Columbia–Suicide Severity Rating Scale: initial validity and internal consistency findings from three multisite studies with adolescents and adults. American Journal of Psychiatry. doi:10.1176/appi.ajp.2011.10111704
- Validation of the Columbia-Suicide Severity Rating Scale (C-SSRS) across three multisite studies including adolescents and adults presenting in clinical and research settings.
- C-SSRS demonstrated strong predictive validity for future suicidal behavior and supported real-time suicide-risk stratification in emergency, inpatient, and outpatient contexts.
- Established the standardized suicide-risk assessment instrument now embedded in CCBHC suicide-care pathways and Joint Commission expectations.
“The Columbia-Suicide Severity Rating Scale provides a reliable, structured framework for stratifying suicide risk that has become the de facto standard for behavioral health and emergency department screening.”
The Joint Commission (2016). Sentinel Event Alert 56: Detecting and treating suicide ideation in all settings. The Joint Commission. Source
- Joint Commission alert identifying suicide as a leading sentinel event and articulating expectations for systematic screening, risk stratification, and safe transitions of care.
- Established expectation that accredited organizations screen for suicide ideation across all care settings using validated instruments such as the C-SSRS or PHQ-9 item 9 follow-up.
- Codified the closed-loop accountability standard linking screening to risk-stratified intervention and documented follow-up after discharge from emergency or inpatient settings.
“Joint Commission Sentinel Event Alert 56 codified the expectation that accredited healthcare organizations systematically screen for suicide ideation across all care settings using validated instruments and structured follow-up.”
David D. Luxton, Jennifer D. June, & Katherine Anne Comtois (2013). Can postdischarge follow-up contacts prevent suicide and suicidal behavior? A review of the evidence. Crisis. doi:10.1027/0227-5910/a000158
- Systematic review of postdischarge contact interventions including caring letters, postcards, telephone calls, and brief in-person follow-up among patients at elevated suicide risk.
- Caring-contacts protocols showed consistent signal of reduced suicidal behavior and reattempt across multiple trials and populations spanning four decades.
- Established the evidence base for structured post-discharge contact protocols now embedded in CCBHC, ED, and VA suicide-care pathways.
“Postdischarge follow-up contact interventions show consistent evidence of reducing suicidal behavior across decades of trials, establishing the evidence base for structured caring-contacts protocols in modern suicide-care pathways.”
U.S. Department of Veterans Affairs & U.S. Department of Defense (2019). VA/DoD Clinical Practice Guideline for the Assessment and Management of Patients at Risk for Suicide (Version 2.0). U.S. Department of Veterans Affairs / Department of Defense. Source
- Joint VA/DoD evidence-based clinical practice guideline establishing the federal standard for suicide-risk assessment, stratification, and management across veteran and active-duty populations.
- Recommends structured risk stratification using validated instruments (C-SSRS, PHQ-9), safety planning intervention, lethal-means counseling, and post-discharge contact protocols.
- Provides the evidence-graded foundation for CCBHC, FQHC, and ED suicide-care pathways serving veteran and dual-eligible populations.
“The VA/DoD clinical practice guideline establishes the federal evidence-based standard for structured suicide-risk assessment, safety planning, lethal-means counseling, and post-discharge contact in veteran and active-duty populations.”

Ready to close the gap?

Bring your compliance team to the discovery call Read the methodology

Where the pathway breaks — and how we close it

Vendors integrate before the BAA paperwork lands

BAA before vendor — three signatures, no exceptions

Database-edge encryption only

pgcrypto column-level encryption on every patient identifier

Mixed-content endpoints and stale TLS suites

TLS 1.2 or higher on every external hop, re-encrypted internally on PHI paths

Annual HIPAA risk analysis as the only verification

Forty-three-control HIPAA gate, every Wednesday, scripted

Crisis routing as a configurable feature flag

988 baseline, every patient surface, offline-reachable safety plan

Production logs leak into developer tooling

Logs inside BAA-covered AWS only — GitHub no-PHI hard line