Healthcare-Adjacent

IT built for organizations that touch patient data

PHI-aware managed IT for Pacific Northwest practices and services that carry HIPAA obligations without a health-system budget.

Mental health practices. Medical billing firms. Care coordination services. You’re not a hospital, but you handle protected health information, and the obligations don’t scale down just because the IT budget does. Access logging that matches actual audit requirements. Encryption at rest and in transit for every system that touches patient data. BAAs that have to mean something when a vendor asks you to sign one. And an MSP market that mostly treats you like any other small business until the audit letter arrives.

Tell us what’s breaking →

What you’ve probably lived through

The EHR vendor questionnaire that asked for compliance documentation nobody could produce, two days before the renewal. The therapist’s personal laptop with session notes on it, discovered during offboarding. The audit prep that turned into a scramble because access logs existed for some systems, sort of, in formats nobody had ever read. The billing system outage on a Friday afternoon with patient statements due Monday and the vendor’s support queue closed for the weekend. The BAA a vendor sent over that promised things your actual infrastructure couldn’t back up.

If any of that sounds familiar, we’ve worked through it before.

Why we’re worth ten minutes

The Craftwork Group is a young entity. The people doing the work aren’t. Our team brings more than a hundred years of combined IT experience, doing this work since 1999, including regulated-data environments where the audit trail matters as much as the uptime.

We’ve worked with mental health practices, medical billing firms, and care coordination services across the Pacific Northwest. The common needs repeat: EHR vendor compliance documentation, BAA-compatible file storage, and after-hours incident coverage when a system touches patient scheduling or billing. Our work doesn’t require your staff to become IT-literate. Just reliable.

One thing we want on the table early: we don’t claim certifications we haven’t earned. That’s not how we operate, and it’s not what you need. What you need is an environment built to hold up under scrutiny: documented, logged, encrypted, and explainable to an auditor in plain language. That’s what we deliver.

What working with us actually looks like. Helpdesk opens at 6:30 AM and runs until 5:00 PM, with on-call coverage after hours. Standard SLA is one-hour response; in practice, most calls get answered live as they come in. We treat phone calls as priority because if you’re calling, it’s urgent. The only thing that bumps a live call is a monitoring alert flagging a system down or under attack. We’re often the ones who tell you something broke before you noticed. Often we have it fixed before you’d have called.

A note on the rest of the field. We’ve spent the last few months calling MSPs posing as a buyer to see how the market actually operates. Over seventy-five percent never picked up the phone. None returned the sales inquiry. If you’ve shopped for IT support before, that probably tracks. We don’t work that way.

What we actually do for healthcare-adjacent organizations

// phi · encryption · access-logging · audit-trails · retention

PHI-aware infrastructure

Encryption at rest and in transit for every system that touches patient data. Access logging configured to actual audit requirements rather than vendor defaults, with trails an auditor can follow and your office manager can explain. Retention that matches your obligations, documented so the next compliance questionnaire is an afternoon, not a crisis.

// endpoints · m365 · network · cybersecurity · backup · helpdesk · on-site

The managed-IT base layer

Before any of the compliance depth matters, the standard MSP work has to be solid. Workstation and server monitoring. Microsoft 365 management. Enterprise-grade firewalls, switching, and Wi-Fi. Backup and disaster recovery with documented recovery drills, not the kind nobody runs until something breaks.

// baa · secure-file-transfer · vendor-evaluation · ehr-documentation

BAA-compatible storage and vendor evaluation

File storage and secure transfer workflows that can honestly sit under a BAA. Vendor evaluations that produce written documentation of your posture, so when an EHR or billing platform asks how their data is handled, the answer exists on paper. We read the agreements your vendors send and tell you what your infrastructure can and cannot back up.

// after-hours · incident-response · scheduling · billing · continuity

Audit readiness and incident coverage

When a system that touches patient scheduling or billing goes down, the clock matters. After-hours incident coverage, recovery procedures written for the systems you actually run, and audit preparation that starts from logs that already exist instead of logs that need inventing. The goal is an environment that holds up under scrutiny on a random Tuesday, not just audit week.

Where AI fits in this work (and where it doesn’t, yet)

In a PHI environment, where the model runs matters more than what it can do. The honest wins stay administrative and stay on infrastructure you control: indexing policies and procedures so staff can find the current version, credential and training-record tracking that doesn’t depend on a spreadsheet, and document classification for the paperwork that isn’t patient data.

What we won’t do: pipe patient data into a public AI tool and call it innovation. If AI touches anything near PHI, it runs on infrastructure you own, under controls you can show an auditor, or it doesn’t run.

Your model choice. Your API keys to OpenAI, Anthropic, or whoever you pick. Your data on infrastructure you own. We configure, deploy, and operate; you keep the keys and the option to take it all elsewhere.

What happens if you reach out

No phone tree. No demo deck. A real conversation about what’s breaking in your practice, what the next audit or vendor questionnaire will ask, and whether there’s a path where we’d actually be useful. If we’re not the right fit, we’ll tell you and point you somewhere honest.

If we are a fit, the next step is an operations audit. A half-day on-site, a written assessment of what we’d do and what it would cost, no obligation past that point.

Book the 30-minute call →