HITRUST Adds AI Options to Validated Assessments

Artificial intelligence (AI) is now embedded across healthcare and regulated industries, supporting analytics, automation, decision support, and customer-facing tools. As adoption increases, organizations are facing a growing expectation from customers, partners, and regulators.

Can You Demonstrate Assurance Over How AI Is Secured and Governed?

To address this need, HITRUST has introduced AI-focused options that can be incorporated into HITRUST validated assessments. These options allow organizations to evaluate and communicate AI security and risk management practices within the familiar e1, i1, and r2 frameworks.

This article explains what’s available today, how the AI options apply to each assessment type, and how to determine whether they’re relevant for your organization.

Why HITRUST Introduced AI Options

AI technologies introduce new considerations beyond traditional information security, including:

  • Model integrity and reliability
  • Data usage and training concerns
  • Transparency and oversight
  • Evolving regulatory expectations

HITRUST’s approach allows organizations to address these considerations within existing assessment structures, rather than creating a completely separate assurance model. This enables organizations to scale their AI assurance efforts in a way that aligns with their current HITRUST program.

AI Options Available Through HITRUST

HITRUST currently supports two distinct AI-related paths, each serving a different purpose.

1. AI Security Assessment and Certification (ai1 / ai2)

For organizations that deploy or provide AI-enabled systems, HITRUST offers an AI Security Assessment that can be added to a validated assessment.

This option is implemented by selecting the “Security for AI Systems” compliance factor within MyCSF and can be applied to:

  • e1 or i1 assessments, resulting in an ai1 designation.
  • r2 assessments, resulting in an ai2 designation.

Key characteristics:

  • The AI Security Assessment is not a standalone assessment; it is an add-on to an existing validated assessment.
  • It introduces a limited set of AI-specific security requirements (up to 44, depending on scope and tailoring).
  • Certification outcomes depend on meeting both the underlying e1/i1/r2 requirements and the AI security scoring thresholds.
  • Participation is optional, but strongly recommended when AI capabilities are in scope.

If AI functionality is part of the in-scope systems or platforms for your HITRUST assessment, such as AI-driven analytics, automation, or embedded decision logic, this option allows you to demonstrate independent, validated assurance over AI security controls.

2. AI Risk Management Assessment and Insights (non-certified)

HITRUST also offers an AI Risk Management option focused on governance and lifecycle risk rather than certification.

This path aligns with recognized guidance, including:

Rather than producing a certification, this option generates AI risk management insights and reporting, which can be used to:

  • Communicate AI governance maturity
  • Support internal risk management programs
  • Provide transparency to customers and stakeholders

Organizations that want to demonstrate AI risk awareness and governance maturity, but are not yet seeking AI-specific certification, often use this option as a practical starting point.

How AI Applies to e1, i1, and r2 Assessments

One of the most common questions we hear is whether AI requirements automatically apply to all HITRUST assessments. The answer is no: AI options are optional and are applied based on relevance and scope.

Consider these factors when determining how the AI options apply to your assessment:

  • If AI is not present in the in-scope environment, AI options may not be necessary.
  • If AI is present and customer assurance is a priority, the AI Security add-on may be appropriate.
  • If AI is present and the organization wants risk-focused transparency, the AI Risk Management option may be a better fit.
  • Some organizations pursue both, using risk insights to inform governance while leveraging AI Security certification for external assurance.

Planning for AI in Your HITRUST Assessment

Whether you’re preparing for an e1, i1, or r2, adding AI considerations early in the scoping process is critical. Decisions about AI applicability impact:

  • Assessment scope
  • Evidence expectations
  • Testing procedures
  • Client and stakeholder communications

Working with an experienced HITRUST advisor can help ensure that AI is addressed appropriately and efficiently, without expanding scope unnecessarily.

How CompliancePoint Supports AI-ready HITRUST Assessments

CompliancePoint works with organizations at every stage of HITRUST maturity to:

  • Identify whether AI is in scope
  • Evaluate which AI options align with business and regulatory needs
  • Integrate AI requirements into validated assessments
  • Support clear, defensible client communication around AI assurance

If you’re preparing for an upcoming HITRUST assessment and are unsure how AI applies to your environment, we can help you determine the right path forward. To learn more about our HITRUST services, reach out to us at connect@compliancepoint.com.

Finding a credible expert with the appropriate background, expertise, and credentials can be difficult. CompliancePoint is here to help.