We sign BAAs. Then we work.
The posture below is what we apply to every clinical engagement — not just the ones with auditors knocking. If a sponsor monitor or OCR investigator asks, this is the document we hand them.
BAA is the gate
No work that creates, receives, maintains, or transmits PHI begins before a Business Associate Agreement is signed between Optimal Research Sites (or your organization) and Nona Clinical IT, LLC.
Our standard BAA template covers HIPAA-required content (uses and disclosures, safeguards, reporting, subcontractors, return/destruction, amendment, indemnification). Mutually negotiated when needed. Standard template available on request before the engagement starts.
We also ensure your existing vendors have BAAs where required. As part of Phase 1 we inventory which of your current vendors handle PHI and which have signed BAAs. Missing ones become Phase 2 items.
PHI handling
Direct PHI handling is minimized by design. Where it can't be — for example when configuring DLP policies or troubleshooting an inbox — it happens through your tenant, under your audit log, with documented human action and a clear retention window.
- No PHI is exported outside your environment for our convenience.
- No PHI is processed through consumer AI tools (ChatGPT Plus, Claude.ai personal, Gemini consumer) under any circumstances.
- Workstation screen-sharing for support is done via RustDesk (self-hosted on our infrastructure) or NinjaOne, both with explicit user consent at session start.
- Credentials are stored in 1Password Business shared vaults, never in chat history, email, sticky notes, or our notes.
AI posture
We use AI to reduce tedious work — daily reports, email summaries, sponsor portal alerts, dashboard generation. We are explicit about how it does and doesn't get used.
Microsoft-tenant only
Azure OpenAI Service runs inside your Microsoft tenant. The same BAA that covers your email covers the AI workload. PHI never transits OpenAI's public API.
Assistive, never authoritative
Every AI output that touches study procedures, subject communications, or sponsor reports has a named human-approval step. Nothing auto-sends to a sponsor or subject.
Full output logging
Every AI-generated artifact is logged with input data, model version, reviewer, timestamp, and final disposition. Sponsor monitors and OCR can subpoena this log.
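As an added example (not Nona Clinical IT's code), the two controls above in Python: a release gate that refuses to send anything lacking a named human approval, and an append-only record carrying the fields listed (input data, model version, reviewer, timestamp, final disposition). The workflow name, model version string, reviewer and report text are constructed placeholders; the hash chain over log entries is an added design choice so a monitor can confirm the log was not edited after the fact.

```python
"""Human-approval gate and audit record for AI-generated artifacts (illustration)."""
from __future__ import annotations

import hashlib
import json
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

DISPOSITIONS = {"approved", "edited_and_approved", "rejected"}


@dataclass
class Artifact:
    artifact_id: str
    workflow: str           # e.g. "daily-report" (constructed name)
    input_data: str         # what the model was given
    model_version: str      # deployment/model id as reported by the service
    output: str
    reviewer: Optional[str] = None
    disposition: Optional[str] = None


class AuditLog:
    """Append-only JSON-lines style log; each entry commits to the previous hash."""

    def __init__(self) -> None:
        self.entries: list[dict] = []

    @staticmethod
    def _digest(prev: str, body: dict) -> str:
        return hashlib.sha256((prev + json.dumps(body, sort_keys=True)).encode()).hexdigest()

    def append(self, record: dict) -> dict:
        prev = self.entries[-1]["entry_hash"] if self.entries else "0" * 64
        entry = dict(record, prev_hash=prev, entry_hash=self._digest(prev, record))
        self.entries.append(entry)
        return entry

    def verify_chain(self) -> bool:
        prev = "0" * 64
        for e in self.entries:
            body = {k: v for k, v in e.items() if k not in ("prev_hash", "entry_hash")}
            if e["prev_hash"] != prev or e["entry_hash"] != self._digest(prev, body):
                return False
            prev = e["entry_hash"]
        return True


class ApprovalRequired(Exception):
    """Raised when an artifact is released without a named human approval on record."""


def review(artifact: Artifact, reviewer: str, disposition: str, log: AuditLog,
           final_output: Optional[str] = None) -> dict:
    """Record the human decision; a blank reviewer or unknown disposition is refused."""
    if not reviewer.strip():
        raise ValueError("reviewer must be a named person")
    if disposition not in DISPOSITIONS:
        raise ValueError(f"unknown disposition {disposition!r}")
    if final_output is not None:
        artifact.output = final_output          # reviewer edited before approving
    artifact.reviewer, artifact.disposition = reviewer, disposition
    return log.append({
        "artifact_id": artifact.artifact_id,
        "workflow": artifact.workflow,
        "input_data": artifact.input_data,
        "model_version": artifact.model_version,
        "reviewer": reviewer,
        "timestamp": datetime.now(timezone.utc).isoformat(),
        "disposition": disposition,
        "output_sha256": hashlib.sha256(artifact.output.encode()).hexdigest(),
    })


def release(artifact: Artifact, log: AuditLog) -> str:
    """Gate before anything reaches a sponsor or subject. The log, not the
    in-memory object, decides whether an approval exists."""
    approved = [e for e in log.entries if e["artifact_id"] == artifact.artifact_id
                and e["disposition"] in ("approved", "edited_and_approved")]
    if not approved:
        raise ApprovalRequired(f"{artifact.artifact_id}: no named human approval on record")
    return artifact.output


def run_example() -> dict:
    """Walk one constructed artifact through the gate and report what happened."""
    log = AuditLog()
    art = Artifact("rpt-001", "daily-report", "3 screened, 2 randomized (constructed)",
                   "model-version-placeholder", "Draft daily summary")
    try:
        release(art, log)
        blocked = False
    except ApprovalRequired:
        blocked = True                            # unreviewed output never leaves
    review(art, "J. Doe, Study Coordinator (constructed)", "edited_and_approved", log,
           final_output="Daily summary, corrected by reviewer")
    sent = release(art, log)
    intact = log.verify_chain()
    log.entries[0]["reviewer"] = "someone else"   # simulate after-the-fact tampering
    return {"blocked_before_review": blocked, "sent": sent,
            "chain_intact": intact, "chain_after_tamper": log.verify_chain()}


if __name__ == "__main__":
    print(json.dumps(run_example(), indent=2))
```

The gate reads the log rather than the artifact object, so a workflow that forgets to call `review()` cannot send; a rejected disposition is logged but never unlocks release.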
Sponsor-by-sponsor disclosure
Sponsor disclosure requirements vary. As part of Phase 1 we inventory each active sponsor's policy on AI use in trial-related communications, and we design workflows to honor each requirement, including suppressing AI involvement entirely for sponsors that prohibit it.
Audit trail
Every meaningful action leaves a record. The intended audiences are your sponsor monitors, your IRB, your QA function, and the OCR investigator you hope you never meet.
- Admin actions in your M365 tenant are logged via Microsoft Purview audit logs (retention extended in Phase 2 to 1+ year).
- NinjaOne PSA/RMM keeps a per-ticket record of every support session, including remote-access timestamps and actions taken.
- AI workflows log the input data, the model version, the timestamp, the human reviewer, and the final disposition for every output.
- Policy and configuration changes are version-controlled — every change is traceable to a named approver and a date.
Incident response
Suspected breaches, data-loss events, ransomware, lost devices, unauthorized access — all trigger a documented response with a 30-minute initial-response SLA, 24/7/365.
1. Detect or receive notice. Triage severity (clinical-critical vs. business-continuity vs. minor).
2. Contain. Isolate affected accounts/devices. Preserve evidence. Stop the bleeding.
3. Document. Open the incident record. Start the timeline. Capture facts as they emerge.
4. Notify per plan. Site leadership, your Privacy Officer, sponsors per their SLAs, OCR within 60 days if breach criteria met.
5. Eradicate and recover. Remove the access vector. Restore from clean backups. Validate.
6. Post-incident review. Written root cause, lessons, control changes. Shared with stakeholders within 14 days.
Written Incident Response Plans tailored to your site's specifics are a Phase 2 deliverable. Annual tabletop exercise included in Phase 5.
Documents on request
BAA template, sample SOC-style summary, Incident Response Plan template, Risk Assessment methodology — available before you sign anything. Email us or schedule a call.