WHY Vicis

Efficient Service
Vicis is able to provide compliance services more efficiently than others. For each client engagement, we leverage our expertise and resources leading to efficiencies that will save your organization time and money.
Industry Knowledge
It's important to have a legal adviser that knows your business and industry. We have experience advising a broad range of clients spanning industries from healthcare and medical service providers to SaaS, data hosting, and financial service providers.
Privacy Professionals
Our firm is singularly focused on privacy and data security issues. We specialize in assisting businesses with privacy and data security regulatory compliance. We exist to provide exceptional services and are dedicated to doing just a few things well.
Attorney-Client Privilege
Our communications are protected by attorney-client privilege and this enables us to have "full and frank" discussions with our clients so that we are able to best represent them and their interests. For the most part, anything you disclose to us related to our engagement is protected and private.

HOW We can Help with HITRUST

HITRUST Readiness
  • Our HITRUST Readiness offering is designed for organizations who are considering HITRUST but aren't sure where to start.
  • We will review your current data security program and let you know what major areas you need to concentrate on, what areas are in good shape, and everything in between.
  • By working with Vicis on HITRUST Readiness, you will gain an authorized HITRUST Assessor’s insight into your compliance gaps and be better prepared for HITRUST Certification.

Self-Assessments
  • We can advise and support your organization if it is planning or conducting a HITRUST Self-Assessment.
  • We can help you scope your assessment, find the right evidence to support your assessment control responses, and help you navigate the Self-Assessment process.
  • We will ensure that all required data and evidence have been entered correctly and that the assessment is complete prior to submission to HITRUST.

Validated Assessments

  • As an Authorized HITRUST Assessor we will help your organization navigate the HITRUST certification process.
  • You will perform the initial assessment, which we will review and validate. We will work with you to remedy any areas of your program that do not meet HITRUST requirements.
  • Once the Validated Assessment has been completed, it is submitted to HITRUST for approval. After review, HITRUST generates a report and issues a letter of certification.


What is HITRUST?

HITRUST is a non-profit organization that created and maintains the HITRUST Common Security Framework ("CSF"). The HITRUST CSF was originally designed as a security framework for companies in the healthcare industry handling electronic protected health information, but it has since been expanded to other data-sensitive sectors. HITRUST provides a framework for organizations to comply with various regulations and standards, tailored to the company's size, the types of systems deployed, and the applicable regulatory requirements.

The HITRUST CSF incorporates existing controls and requirements drawn from laws such as HIPAA and HITECH, from security standards such as NIST, ISO and PCI, and from federal and state privacy laws. Organizations assess their internal systems, policies and procedures against these controls.

What are some advantages of HITRUST?

By leveraging the HITRUST CSF and the CSF Assurance program, your organization can address its information risk management and compliance requirements against local, national and international authoritative sources through a single assessment.

Some of these internationally relevant authoritative sources include:

  • The European Union General Data Protection Regulation (GDPR)
  • Singapore’s Personal Data Protection Act
  • International Organization for Standardization (ISO) 27001
  • The Asia-Pacific Economic Cooperation (APEC) Privacy Framework
  • The Organisation for Economic Co-operation and Development (OECD) Privacy Framework
  • Center for Internet Security (CIS) Controls v7.1
  • U.S. Health Insurance Portability and Accountability Act (HIPAA)
  • U.S. DOD Cybersecurity Maturity Model Certification (CMMC)

More recently, HITRUST has been designated by the International Trade Administration as a U.S. accountability agent under the Asia Pacific Economic Cooperation’s (APEC) Cross Border Privacy Rules (CBPR) System and Privacy Recognition for Processors (PRP) System. Accountability agents act as third-party validators that verify the minimum privacy requirements are met, which eases the compliance burden for organizations operating in the Asia Pacific region.

Who needs a HITRUST certification?

Many healthcare (and increasingly non-healthcare) organizations are beginning to require that their vendors and partner organizations be HITRUST compliant. There are three ways of demonstrating HITRUST compliance: a Self-Assessment, a Validated Assessment, or a Validated Assessment with Certification. Official certification by HITRUST is the strongest way of proving HITRUST compliance.

Being HITRUST Certified means that you have undergone a Validated Assessment performed by an authorized HITRUST Assessor and have implemented the minimum requirements needed to become HITRUST certified. HITRUST Certification is evidence that your organization has a mature and robust security program in place.

How does my organization get HITRUST certified?

In order to get HITRUST certified, it is necessary to have a HITRUST Validated Assessment performed by an authorized HITRUST Assessor such as Vicis Law and then submit it to HITRUST for its approval and official certification.

How do I get started?

Our HITRUST Readiness offering is designed for organizations who are considering HITRUST but aren't sure where to start. We will review your current data security program and let you know what major areas you need to concentrate on, what areas are in good shape, and everything in between. A HITRUST Readiness engagement performed by an authorized HITRUST Assessor such as Vicis Law gives you the assessor’s perspective on the gaps that need to be addressed and an opportunity to discuss any differing opinions about those gaps and how best to close them. A HITRUST Readiness engagement or a facilitated Self-Assessment is the best way to prepare your organization for a successful HITRUST Validated Assessment.

What does a HITRUST assessment involve?

  • The key to a successful HITRUST assessment is properly determining its scope. The larger the scope of a HITRUST assessment, the more complex it is, and an unnecessarily large scope can be costly in both time and money. Scope is ultimately determined by your organization, but Vicis can help you settle on the right scope for your needs.
  • Once scope has been decided, the next step is to perform a HITRUST Self or Validated Assessment. This stage involves reviewing data security controls and providing the evidence necessary to satisfy them. If you are working on a Validated Assessment, you will work with an authorized HITRUST Assessor such as Vicis Law who will validate your assessment.
  • Providing evidence of how your organization satisfies each control is critical to any successful HITRUST Assessment. Extensive documentation will be required and, in many cases, your organization may have to develop new policies and procedures to satisfy the controls.
  • In certain cases, you may have controls that do not meet HITRUST’s requirements for certification. For those controls, you will need to develop a corrective action plan ("CAP") in order to gain certification. A HITRUST Assessor can help you identify which CAPs are needed and help formulate a remediation plan.

Self vs Validated Assessments

HITRUST offers two types of assessment reports: (1) Self-Assessments or (2) Validated Assessments.

  • Self-Assessment: A HITRUST Self-Assessment is performed using internal resources, although you can work with a HITRUST Assessor to help you along the way. Note that you cannot be certified by HITRUST via a Self-Assessment. Even so, this step is very useful for organizations who are considering becoming HITRUST certified but who are not yet ready for a HITRUST Validated Assessment.
  • Validated Assessment: A HITRUST Validated Assessment is conducted in three main stages. First, your organization conducts an internal assessment and completes its review of each required control in scope. Second, a HITRUST Assessor reviews your assessment and evidence. Third, once you and your HITRUST Assessor agree on the assessment results, the assessment is submitted to HITRUST for its final quality assurance checks. If HITRUST approves, it issues a HITRUST Validated Report with Certification.


We would love to hear from you and see how we can help.

Call us at


Come find us at
1160 Battery St #100
San Francisco, CA 94111
Email us at

[email protected]