Nona Clinical IT
HIPAA-grade · Orlando, FL · Open for new clients

Compliance-grade IT for clinical research.

For sites that hold sponsor data, see patients, run trials, and answer to auditors. Microsoft 365 done right. HIPAA controls put in writing. AI that actually reduces tedious work — without the regulatory exposure most consumer tools introduce.

Why this exists

Most MSPs don't speak sponsor audit.

Generic IT vendors handle email and printers. Clinical research sites need vendors who understand IRB protocols, sponsor monitoring visits, FDA inspection readiness, CRIO, Veeva, Florence and Complion, EDC integrations, and the difference between a HIPAA Risk Assessment and a vendor questionnaire.

Nona Clinical IT is built for that gap. The same security controls, policy frameworks, and AI tooling — applied with the specific knowledge of what a sponsor's monitor asks for and what an OCR auditor flags.

We sign BAAs by default. We don't use consumer AI on PHI. The audit trail is built into the workflow, not bolted on later.

What we deliver

Three things, done in the order that compounds the most.

Pillar 1

Foundation

The HIPAA, Microsoft 365, endpoint, and network work that turns a self-managed environment into something a sponsor monitor can pass over without comment.

  • Direct-tenant M365 migration off reseller licensing
  • Universal MFA, Conditional Access, DLP for PHI
  • BitLocker, Defender for Business, Intune-managed endpoints
  • Signed BAAs with every PHI-touching vendor
  • Written Risk Assessment + incident response plan
Pillar 2

AI for routine work

An internal assistant covering the tedious tasks that consume staff hours — built on Azure OpenAI inside your existing M365 tenant. Same BAA as your email.

  • Daily operations report (Teams, 6 AM)
  • End-of-day email summary per inbox
  • Sponsor portal alerts the moment they land
  • Operations dashboard pulling CRIO + M365
  • Per-workflow add-ons as ROI proves out
Pillar 3

Ongoing managed services

Monthly retainer with a real ticketing portal, response SLAs, and a single point of contact who knows your environment. Not an offshore tier-1 queue.

  • Tier 1 — $450/mo, 5 hours included
  • Tier 2 — $850/mo, 10 hours included
  • After-hours emergencies covered 24/7
  • Quarterly compliance review baked in
  • NinjaOne PSA, monitoring, tooling all bundled
Compliance posture

HIPAA isn't a feature. It's the floor.

Every engagement begins with a signed BAA. Every system that touches PHI runs on a vendor with a BAA. Every AI workflow has a documented human-approval step. Every output is logged for the audit you haven't had yet but will eventually face.

BAA is the gate

No work that touches PHI begins before the BAA is signed — by anyone, including us. Standard mutual-indemnification template available on request.

No consumer AI on PHI

Phase 3 AI workflows run on Azure OpenAI in an Azure subscription under your own Microsoft Entra tenant. ChatGPT Plus and consumer Gemini are out of scope for any patient data.

Audit trail by design

Every AI output is logged with the input data, model version, reviewer, and disposition. Because the logged input is PHI, the log is itself a PHI-bearing system and falls under the same BAA and access-control requirements as everything else that touches PHI. Sponsor monitors and OCR auditors are explicit audiences.
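The record structure described above, as an added example (not Nona Clinical IT's code and not a feature of Azure OpenAI): an append-only, hash-chained log in Python in which every output is recorded as "pending" the moment it is generated and can only be released after a named reviewer appends a disposition. The field names, the disposition vocabulary (approved / edited / rejected), the placeholder model-version string and the sample input are assumptions constructed for the example; SHA-256 chaining is one way to make after-the-fact edits detectable and is not something the page specifies.

```python
import hashlib
import json
from dataclasses import asdict, dataclass, replace
from datetime import datetime, timezone
from typing import List, Optional

# Dispositions a human reviewer may record (assumed vocabulary); anything else is refused.
DISPOSITIONS = {"approved", "edited", "rejected"}


@dataclass(frozen=True)
class AuditRecord:
    seq: int
    timestamp: str
    event: str                 # "generated" or "reviewed"
    output_id: str
    workflow: str
    model_version: str
    input_data: str            # PHI-bearing: the log itself is PHI
    output: str
    reviewer: Optional[str]    # None until a named human reviews
    disposition: str           # "pending" until reviewed
    prev_hash: str             # hash of the preceding record (chain link)
    record_hash: str

    @staticmethod
    def digest(fields: dict) -> str:
        """SHA-256 over every field except the hash slot itself."""
        body = {k: v for k, v in fields.items() if k != "record_hash"}
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


class AuditLog:
    """Append-only list; each record's hash covers the previous record's hash."""

    GENESIS = "0" * 64

    def __init__(self) -> None:
        self.records: List[AuditRecord] = []

    def _append(self, **fields) -> AuditRecord:
        prev = self.records[-1].record_hash if self.records else self.GENESIS
        fields.update(seq=len(self.records),
                      timestamp=datetime.now(timezone.utc).isoformat(),
                      prev_hash=prev)
        fields["record_hash"] = AuditRecord.digest(fields)
        rec = AuditRecord(**fields)
        self.records.append(rec)
        return rec

    def record_generation(self, output_id: str, workflow: str, model_version: str,
                          input_data: str, output: str) -> AuditRecord:
        """Log a model output the moment it exists; it starts as 'pending'."""
        return self._append(event="generated", output_id=output_id, workflow=workflow,
                            model_version=model_version, input_data=input_data,
                            output=output, reviewer=None, disposition="pending")

    def record_review(self, output_id: str, reviewer: str, disposition: str,
                      edited_output: Optional[str] = None) -> AuditRecord:
        """Append (never overwrite) the human reviewer's decision."""
        if disposition not in DISPOSITIONS:
            raise ValueError(f"unknown disposition {disposition!r}")
        gen = next((r for r in self.records
                    if r.event == "generated" and r.output_id == output_id), None)
        if gen is None:
            raise KeyError(output_id)
        final = edited_output if disposition == "edited" and edited_output else gen.output
        return self._append(event="reviewed", output_id=output_id, workflow=gen.workflow,
                            model_version=gen.model_version, input_data=gen.input_data,
                            output=final, reviewer=reviewer, disposition=disposition)

    def release(self, output_id: str) -> Optional[str]:
        """Human-approval gate: nothing leaves until the latest record for this
        output carries an approving disposition from a named reviewer."""
        latest = None
        for r in self.records:
            if r.output_id == output_id:
                latest = r
        if latest is None or latest.reviewer is None:
            return None
        return latest.output if latest.disposition in ("approved", "edited") else None

    def verify(self) -> bool:
        """Recompute every hash and chain link; False means the log was altered."""
        prev = self.GENESIS
        for i, r in enumerate(self.records):
            if r.seq != i or r.prev_hash != prev:
                return False
            if AuditRecord.digest(asdict(r)) != r.record_hash:
                return False
            prev = r.record_hash
        return True


def run_demo():
    """Walk one output through generation, the gate, review, and a tamper check."""
    log = AuditLog()
    out_id = "ops-report-0001"                       # constructed identifier
    log.record_generation(
        output_id=out_id, workflow="daily_ops_report",
        model_version="model-version-placeholder",   # assumption: taken from the API response
        input_data="[constructed sample, not real PHI] 3 visits scheduled; 1 SAE follow-up due",
        output="Draft: 3 visits today; 1 SAE follow-up due to sponsor.")
    gated = log.release(out_id)                      # None: no human has reviewed yet
    log.record_review(out_id, reviewer="coordinator@example.com", disposition="approved")
    released = log.release(out_id)
    intact = log.verify()
    # Simulate an after-the-fact edit of the stored draft: the chain no longer verifies.
    tampered = AuditLog()
    tampered.records = list(log.records)
    tampered.records[0] = replace(tampered.records[0], output="Nothing happened today.")
    return gated, released, intact, tampered.verify()


if __name__ == "__main__":
    print(run_demo())
```

Reviews are appended as new records rather than edits to the generation record, so the log never loses the original model output even when the reviewer changes it; the `release` gate returns nothing for a pending or rejected output, which is the "documented human-approval step" made enforceable in code. In production the hash chain alone is not enough: the store holding these records must be write-once or otherwise access-controlled, because a party who can rewrite the whole chain can also recompute every hash.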

Risk Assessment annually

Required under the HIPAA Security Rule, 45 CFR §164.308(a)(1)(ii)(A). We run it on your behalf, every 12 months and after material changes. Sponsors see the document.

How we work

Five phases. Itemized. No mystery line items.

Each phase has a defined deliverable, an explicit hour range, and transparent tooling costs. You approve work item-by-item; nothing is done uninvited.

00

Kickoff & Onboarding

Included · ~1 week
MSA + BAA signed. Admin access provisioned to M365, registrar, vendor portals. Credentials moved to a shared 1Password vault. NinjaOne agent rolled out. RustDesk deployed so support is remote from day one.
01

Discovery & Audit

$750 flat · credited toward Phase 2
On-site assessment, HIPAA gap analysis, M365 posture review, vendor BAA inventory, and a written itemized roadmap with hour estimates per finding. Delivered in 7 business days.
02

Foundation Remediation

Itemized · $100/hr
Work the audit identified. Each finding presented with the issue, why it must be corrected, hour range, and any hardware or licensing cost. You approve each item individually — uninvited work is not performed.
03

AI Assistant

Phase 3A $4–5K · Phase 3B $800–1.8K each
Phase 3A Foundation Pack bundles the highest-ROI workflows (daily report, email summary, sponsor portal alerts, ops dashboard) into a single fixed fee. Phase 3B is per-workflow add-ons as need emerges.
04

Website + Hosting

$65 / month · all-in
Public site refresh on the existing domain. Includes initial build, managed hosting, TLS certificate, DNS, two minor content updates per month, quarterly review. Designed for sponsor credibility and subject recruitment conversion.
05

Managed Services

Tier 1 $450/mo · Tier 2 $850/mo
Monthly retainer with included hours, business-hours support, monthly check-in, quarterly compliance review, after-hours emergency escalation. NinjaOne, 1Password vault, monitoring infrastructure all bundled — no per-endpoint license fees on top.

A real conversation costs less than the wrong vendor.

If you're running a research site, a clinical practice, or any healthcare operation that has been quietly avoiding the IT-and-compliance conversation — this is a 30-minute call that gives you a clear-eyed picture of where you stand and what an actual remediation path looks like.

No sales script. No 60-page deck. You'll get a written report; you'll know whether we're a fit.

Discovery & audit
$750
Flat fee, credited toward remediation.
  • On-site visit + written assessment
  • HIPAA Security Rule gap analysis
  • M365 tenant posture review
  • Itemized remediation roadmap
  • 30-min findings walkthrough
Book the call