Nona Clinical IT
Services

An itemized menu, not a black-box retainer.

Every engagement is structured as five phases. You approve each item individually — uninvited work is not performed. Hours and tooling costs are visible up front.

00

Kickoff & Onboarding

Included · ~1 week

Before any remediation begins, this short phase formalizes the engagement, gets the legal protections in place, and sets up the communication + access foundations that everything else runs on.

  • Signed Master Service Agreement and Business Associate Agreement.
  • Delegated admin access to M365, domain registrar, vendor portals.
  • Secure credential handoff via shared 1Password vault.
  • Initial documentation handoff (network diagram, equipment, vendor list).
  • Stakeholder intros — 30 minutes with key staff.
  • Dedicated communication channel established (Teams or alias).
  • RustDesk + NinjaOne agent deployed to every endpoint.
  • Weekly async standup + monthly review cadence agreed.
  • On-call SLA: <2 hrs after-hours, <4 hrs business hours.

01

Discovery & Audit

Flat fee · credited toward Phase 2 · 7 business days

A focused on-site visit, written assessment, and prioritized remediation roadmap. The visit fits in a half-day; the report is delivered within seven business days. Walkthrough with Claxton, Kim, or whoever holds the IT decision at your site.

Deliverables

  • Network and endpoint inventory with photographs and configurations.
  • HIPAA Security Rule gap analysis (164.308, 164.310, 164.312).
  • Microsoft 365 tenant posture review.
  • Vendor BAA inventory and renewal status.
  • Itemized Phase 2 remediation roadmap with per-finding hour estimates.
  • 30-minute findings walkthrough with the IT decision-maker(s).

The discovery fee is credited in full against Phase 2 if you proceed with any remediation work within 60 days.

02

Foundation Remediation

Itemized · per-item approval · scope defined by audit

Phase 2 is the work the audit identified. Each finding gets its own line: the issue, why it must be corrected, hour range, and any hardware or licensing cost. You approve item by item.

Typical scope areas

M365 licensing & posture

Migrate off reseller, upgrade to Business Premium, enforce MFA + Conditional Access, configure DLP.

Endpoint baseline

BitLocker, Defender for Business, Intune compliance policies, Update Rings, third-party app patching via NinjaOne.

Backup

OneDrive Known Folder Move + Backblaze/NinjaOne Backup for full-disk laptop coverage. M365 mailbox backup via Spanning or AvePoint.

Network

Managed firewall, Wi-Fi 6 AP refresh, VLAN segmentation (research vs guest vs IoT), backup-internet failover.

Compliance

Security Officer designation, Risk Assessment, written policies, signed BAAs, Incident Response Plan, annual training.

Identity & access

1Password Business deployment, terminated-employee account cleanup, shared-mailbox audit, privileged access management.

Hardware

Hardware is billed transparently — supplier invoices are available on request. Standard handling charge applies; specifics are spelled out in your engagement agreement.

03

AI Assistant

3A: Foundation Pack · 3B: per-workflow add-ons

An internal assistant covering the tedious tasks that consume staff hours. Runs on Azure OpenAI inside your Microsoft tenant — same BAA as your email. No third-party AI vendor with separate compliance terms is introduced.

Phase 3A — Foundation Pack (fixed-fee bundle)

Bundled high-ROI workflows delivered in ~4 weeks under a single fixed fee, scoped during onboarding:

  • Azure OpenAI Service deployment inside your M365 tenant.
  • Microsoft 365 Copilot enablement and configuration.
  • Daily operations report (delivered to a Teams channel each morning).
  • End-of-day email summary per inbox.
  • Event-driven sponsor portal alerts.
  • Operations dashboard (web, similar to the CRIO recruitment POC).

Phase 3B — Per-Workflow Add-ons

Once the Foundation Pack is in production, additional workflows are added one at a time as need emerges. Each is quoted as a fixed-fee build, scoped after a 30-minute conversation. Examples:

  • Subject visit reminder texts (Telnyx/Twilio + opt-in language + human approval).
  • Team activity summary (weekly per-staff, drawn from CRIO + calendar).
  • Monthly sponsor invoicing prep (extract billable visits from CRIO).
  • CRIO query backlog triage (categorize + draft responses).
  • Custom workflow X — scoped after a 30-min discovery call.

Workflows intentionally excluded (v1)

Real-time protocol deviation drafts, regulatory binder auto-cross-checks, and real-time team activity dashboards carry high clinical or audit stakes. They are excluded from the initial menu until the foundation has proved out and the audit trail has been exercised. Revisit in v2.

Risk posture

  • AI is assistive, never authoritative. Every output that touches sponsor or subject communication has a named human-approval step before it leaves the system.
  • Audit trail by design. Every AI-generated output is logged with the input, the model version, the reviewer, and the disposition.
  • Sponsor disclosure inventory. Each active sponsor's policy on AI use is documented in Phase 1; workflows respect each sponsor's requirements.

04

Website + Hosting

Monthly all-in · build + hosting bundled

A refreshed public site on your existing domain, designed for sponsor credibility and subject recruitment conversion. The monthly fee covers both the initial build and ongoing hosting + maintenance — no separate build invoice.

Included

  • 5–7 page site (Home, About, Studies, For Sponsors, For Patients, Contact, Privacy).
  • Mobile-first responsive design.
  • Lead capture forms routed to admin inbox.
  • Google Analytics 4 + Microsoft Clarity for traffic and behavior.
  • On-page SEO baseline + Search Console submission.
  • Managed hosting (Vercel or comparable), auto-renewing SSL, DNS management.
  • Up to two minor content updates per month (10 min each).
  • Quarterly content review.
  • Monthly uptime + traffic report.

Not included (billed at Phase 5 rates)

  • New full pages or major redesigns after initial build.
  • Photo/video shoots, copywriting beyond minor updates, branding work.
  • Custom integrations beyond the initial CRIO recruitment funnel hookup.

05

Managed Services

Month-to-month · 30 days' notice

Once remediation is complete, ongoing operations are covered by a monthly retainer. Two tiers; pick the one that matches your usage. Hours over the quota bill at the standard rate.

Tier 1
Steady-state coverage.

For sites where things mostly run themselves — periodic patching, occasional support, monthly compliance maintenance.

Tier 2
Active partnership.

For sites where IT touches the work daily — more user support, more changes, more compliance work, more after-hours coverage.

Included in either tier

  • M365 tenant administration (licenses, user lifecycle, MFA, Conditional Access).
  • Endpoint patching oversight and EDR alert triage.
  • Backup verification and quarterly restore test.
  • Monthly check-in call + monthly written report.
  • Quarterly compliance review (BAAs, training, policy refresh).
  • After-hours emergency escalation (response within 2 hours, 24/7).
  • Documentation kept current as the site changes.
  • NinjaOne PSA/RMM, 1Password client vault, monitoring infrastructure — all bundled.

Hours beyond your tier quota

  • Standard hours — Mon–Fri, 8am–6pm ET. Billed in 0.5-hour increments. Follow-up questions during an active conversation count as one event, not new ones.
  • After-hours — evenings, weekends, federal holidays. Premium rate, 1-hour minimum per incident.
  • Critical emergency — declared outage, suspected security incident, PHI breach, sponsor SLA failure. 30-minute response SLA, 24/7/365.

Specific hourly rates are quoted in your engagement agreement, scoped to your environment and team size.

Ready to see your specific scope?

The Phase 1 discovery delivers a written, itemized roadmap with hour estimates per finding. Flat fee, credited toward whatever work you approve next.
