shadowiq
Regulation · HITRUST CSF + AI

Healthcare AI with PHI redaction inline — and signed proof.

HITRUST is the healthcare control language. ShadowIQ extends it to generative AI with inline PHI redaction, signed evidence, and controls mapped for HITRUST r2 validation.

What this is

Summary

HITRUST CSF with AI combines the HITRUST Common Security Framework with AI-specific controls for healthcare environments: inline PHI (Protected Health Information) redaction at the AI gateway, and cryptographic evidence aligned to HIPAA, 42 CFR Part 2, and NIST SP 800-53.

How it fits · explainer

The crosswalk: article → control → signed evidence.

HITRUST article | Requirement | ShadowIQ control | Signed evidence
01.y | Teleworking | Zero-trust AI gateway | Signed access records
09.aa | Audit logging | Evidence ledger | Signed append-only log
11.a | Reporting info security events | OCSF incident export | Signed incident records
AI-1 | AI inventory | Registry + discovery | Signed AI BOM
AI-3 | AI risk assessment | Eval engine + DPIA | Signed eval + DPIA

Crosswalk: 5 rows shown; full map in /docs/compliance. Signed with Ed25519.

Where it hurts

You've heard this one before.

  • PHI leaking into AI assistants that were never in HITRUST scope.
  • r2 validation missing AI-specific evidence.
  • HIPAA BAA scope ambiguity for LLM providers.
  • Business Associate audit requests with no ready artifacts.
What we do about it

Three moves.

  1. Inline PHI redaction.
     The 18 HIPAA Safe Harbor identifiers plus custom schemas, detected in context. Redact, tokenize, or deny before the model sees them.

  2. HITRUST control mapping.
     AI-specific evidence mapped to HITRUST CSF v11 controls. Accept / compensating / inherit statuses, each backed by signed artifacts.

  3. BAA-ready.
     Signed records of subprocessor data flows, provider BAAs, and model-residency policies. Your Business Associate audit package prefills itself.

Outcomes

Numbers, not adjectives.

0 PHI egress events across 2.1M monthly calls
r2 validation-ready
18 HIPAA identifiers detected

Full crosswalk

HITRUST article → ShadowIQ control → signed evidence.

Article | Requirement | ShadowIQ control | Signed evidence
01.y | Teleworking | Zero-trust AI gateway | Signed access records
09.aa | Audit logging | Evidence ledger | Signed append-only log
11.a | Reporting info security events | OCSF incident export | Signed incident records
AI-1 | AI inventory | Registry + discovery | Signed AI BOM
AI-3 | AI risk assessment | Eval engine + DPIA | Signed eval + DPIA

Frequently asked

Asked, answered, sourced.

Most major providers do under specific plans: OpenAI Enterprise, Anthropic Enterprise, Azure OpenAI, AWS Bedrock, Google Vertex AI (enterprise tier). ShadowIQ signs a BAA in Growth+ plans and enforces BAA-scope routing at the gateway.

Named-entity recognition tuned on healthcare data plus regex for structured identifiers (MRN, account numbers). Customer-schema detectors add organization-specific identifiers.
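The "Inline PHI redaction" move above and this answer describe the same pipeline: detect identifiers, apply a per-class action (redact, tokenize, or deny) before the prompt reaches the model, and emit signed evidence of what happened. The following is an added illustration of that gateway logic, not ShadowIQ's code. It covers only the regex half of detection (structured identifiers such as SSN, MRN, dates, phone numbers, e-mail); free-text names and addresses need the NER model the answer mentions. The `TOKEN_KEY`, the detector patterns, the policy table and the sample prompts are all constructed for the example, and a SHA-256 hash chain stands in for the Ed25519 signatures the page describes.

```python
"""Gateway-side PHI scrub with redact / tokenize / deny actions and a
hash-chained evidence entry per call. Illustrative only; all data constructed."""
import hashlib
import hmac
import json
import re

# Hypothetical gateway secret for deterministic tokens. In a real deployment it
# lives in a KMS/HSM and never appears in prompts, logs or evidence.
TOKEN_KEY = b"demo-only-tokenization-key"

# Regex detectors for a few Safe Harbor identifier classes plus an MRN pattern.
DETECTORS = {
    "SSN": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "MRN": re.compile(r"\bMRN[:#\s]*\d{6,10}\b", re.IGNORECASE),
    "DATE": re.compile(r"\b(?:0?[1-9]|1[0-2])/(?:0?[1-9]|[12]\d|3[01])/\d{4}\b"),
    "PHONE": re.compile(r"\b\(?\d{3}\)?[-.\s]\d{3}[-.\s]\d{4}\b"),
    "EMAIL": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.]+\b"),
}

# Policy per class: "deny" refuses the whole call, "tokenize" substitutes a stable
# pseudonym the model can still correlate, "redact" drops the value outright.
POLICY = {"SSN": "deny", "MRN": "tokenize", "DATE": "redact",
          "PHONE": "redact", "EMAIL": "redact"}


def tokenize(kind, value):
    """Deterministic token: same value -> same token, so the model can link
    repeated mentions, but the value is not recoverable without TOKEN_KEY."""
    tag = hmac.new(TOKEN_KEY, value.encode(), hashlib.sha256).hexdigest()[:10]
    return f"<{kind}_{tag}>"


def scrub(prompt):
    """Scan first, decide, then rewrite. Findings record only type, action and
    span in the original prompt, never the matched text, so the evidence trail
    cannot itself become a PHI leak."""
    findings = []
    for kind, rx in DETECTORS.items():
        for m in rx.finditer(prompt):
            findings.append({"type": kind, "action": POLICY[kind],
                             "span": [m.start(), m.end()]})
    if any(f["action"] == "deny" for f in findings):
        return {"decision": "deny", "prompt": None, "findings": findings, "vault": {}}

    vault = {}  # token -> original value, retained at the gateway only
    out = prompt
    for kind, rx in DETECTORS.items():
        action = POLICY[kind]
        if action == "tokenize":
            def repl(m, kind=kind):
                tok = tokenize(kind, m.group(0))
                vault[tok] = m.group(0)
                return tok
            out = rx.sub(repl, out)
        elif action == "redact":
            out = rx.sub(f"[{kind}]", out)
    return {"decision": "allow", "prompt": out, "findings": findings, "vault": vault}


def _canonical(body):
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def append_evidence(chain, result):
    """Append a hash-chained, append-only evidence entry for one gateway decision.
    A production ledger would additionally sign each entry (the page: Ed25519)."""
    prev = chain[-1]["hash"] if chain else "0" * 64
    body = {
        "prev": prev,
        "decision": result["decision"],
        "findings": result["findings"],
        "output_sha256": hashlib.sha256((result["prompt"] or "").encode()).hexdigest(),
    }
    body["hash"] = hashlib.sha256(_canonical(body)).hexdigest()
    chain.append(body)
    return body


def verify_chain(chain):
    """Recompute every entry hash and check each prev pointer; any edit or
    deletion in the middle of the ledger breaks the chain."""
    prev = "0" * 64
    for entry in chain:
        if entry["prev"] != prev:
            return False
        body = {k: v for k, v in entry.items() if k != "hash"}
        if hashlib.sha256(_canonical(body)).hexdigest() != entry["hash"]:
            return False
        prev = entry["hash"]
    return True


if __name__ == "__main__":
    # Constructed sample prompts; no real patient data.
    chain = []
    allowed = scrub("Patient MRN: 00123456 seen 03/14/2024, call 555-867-5309 "
                    "or jane@example.org.")
    denied = scrub("Please verify SSN 123-45-6789 against the chart.")
    for r in (allowed, denied):
        append_evidence(chain, r)
    print(allowed["prompt"])
    print(denied["decision"], verify_chain(chain))
```

Two design points the paragraph leaves implicit: findings carry offsets, not values, because an evidence ledger that stores the redacted PHI would itself be in HIPAA scope; and tokenization is deterministic per value so a model can still reason about "the same patient" across a conversation while the mapping back to the real MRN stays in the gateway vault.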

ShadowIQ operates under SOC 2 Type II + ISO 27001; HITRUST r2 validation is in progress for Q3 2026. We produce BA-ready attestations in the interim.

Ready to see the signet in motion?

Your 30-minute demo. A signed audit trail by the end of it.

We'll wire ShadowIQ into one live workload, block a prompt injection in real time, and hand you a cryptographic receipt — before the meeting ends.