AI Help for Dentists › Guides › HIPAA & dental AI

HIPAA and dental AI: what has to be true before a tool touches patient data

The one-line answer: an AI tool can enter your practice the day three things are true — a Business Associate Agreement is signed, any FDA-clearance claim has been checked against FDA records rather than a sales deck, and the vendor has answered your data-retention, model-training, and breach-notification questions in writing — and not a day sooner.
Read this first: this guide is educational only, not legal advice. HIPAA enforcement turns on facts and documentation specific to your practice, so loop in your compliance or IT lead early and put final questions to a healthcare attorney.

The short version:

What counts as PHI once AI enters the practice?

More than most owners expect. Protected health information is any individually identifiable health data your practice creates or handles, and dental AI tools live on exactly that: the bitewings a radiograph tool analyzes, the pocket depths a voice charting product records, the clinical note an AI scribe drafts, the recording of a patient calling about a toothache, the recall list a marketing platform works through, and the schedule an analytics dashboard reads.

The practical consequence: when you evaluate anything on our comparison page — from an X-ray reader like Denti.AI to a phone assistant like Arini — you are not evaluating "software" in the generic sense. You are choosing a business associate that will hold your patients' health information, and HIPAA treats it that way regardless of how the vendor describes itself.

Why is a signed BAA non-negotiable?

Because HIPAA's Privacy and Security Rules do not let a covered entity hand PHI to a service provider on trust. A vendor that creates, receives, maintains, or transmits PHI for you is a business associate, and the Business Associate Agreement is the document that binds it to safeguard the data, report breaches to you, restrict further disclosure, and return or destroy PHI when the relationship ends.

Two failure patterns show up in the field. First, the phrase "HIPAA-compliant" on a marketing site with no BAA behind it; the phrase carries no weight, the signature does. Second, the pilot that starts with live patient data "just to test" while the paperwork is "in process." If a breach happens during that window, the missing agreement is your problem. The order of operations is fixed: BAA signed, then configuration, then patient data.

This applies evenly across categories — a PMS platform like Adit or CareStack, comms tools like Weave and RevenueWell, and analytics like Dental Intelligence all sit in the same business-associate seat.

FDA clearance vs marketing claims: how do you tell them apart?

Radiograph AI is a regulated space, and the words vendors use are not interchangeable. "FDA-cleared" means the FDA reviewed a specific product for a specific intended use. "AI-powered," "clinically validated," "built on millions of X-rays" — none of those are regulatory statuses. Among the tools reviewed on this site, FDA clearance applies to Denti.AI's Detect and Auto-Chart products and to Pearl Second Opinion; you can read how the radiograph category works in our X-ray analysis guide.

Your due diligence is short but real: ask the vendor for the specific product name and clearance reference, then confirm it in FDA records yourself. Note what the clearance covers, because a company can hold clearance for one product while selling several others that have none. And remember clearance is a floor, not a verdict on clinical usefulness — the dentist still owns every diagnosis.

Video explainer coming soon.
A short walkthrough of the pre-purchase compliance sequence for dental AI: signing the BAA, verifying an FDA-clearance claim against FDA records, and the four data-handling questions to get in writing from any vendor before patient data moves.

What should you ask a vendor before signing?

Get the answers in writing, attached to the contract or the BAA. A vendor comfortable with these questions is telling you something; so is one that dodges them.

QuestionWhy it mattersA good answer looks like
How long do you retain our data, and where?Retention beyond need widens breach exposure; location affects which safeguards applyA stated retention period, a stated storage region, and deletion timelines at termination
Does our patients' data train your models?Training use changes the risk profile and may involve de-identification claims worth scrutinizingA yes/no in writing, the de-identification standard used if yes, and an opt-out if offered
What is your breach notification commitment?HITECH puts notification duties on you; you need the vendor's clock to be faster than your legal oneA defined notice window in the BAA, a named contact, and a description of incident response
Who inside your company can see PHI?Minimum-necessary access is a HIPAA principle, not a courtesyRole-based access, audit logging, and workforce training the vendor can describe specifically
What happens to our data when we leave?Practices switch tools; your patients' records should not linger on a former vendor's serversReturn or destruction terms in the BAA, with a certificate of destruction on request

What does HITECH add on top of HIPAA?

The HITECH Act is the reason a vendor's security failure lands on your desk. It established the breach notification framework — affected patients must be notified, larger breaches are reported to the Department of Health and Human Services and sometimes the media — and it created tiered civil penalties that scale with culpability. It also extended direct liability to business associates, which is useful leverage: a vendor that resists a BAA is resisting obligations the law already assigns it.

For a practice owner the takeaway is documentation. A current security risk analysis that names your AI vendors, signed BAAs on file, and a written response plan are what separate a bad week from a bad year if an incident occurs.

How do you train staff so the tools stay compliant in daily use?

Most AI-related privacy incidents are workflow incidents. A hygienist reading AI radiograph annotations aloud in an open bay, a front desk pasting patient details into a consumer chatbot the practice never approved, a scribe note auto-filed without provider review — none of these require a hacker. Training should therefore be tool-specific: who may use each system, what data may enter it, who reviews AI output before it reaches the chart, and where the approved-tool list lives. Add AI systems to your existing HIPAA training calendar and log attendance; shadow AI — staff using unapproved tools because the approved ones are clumsy — is best prevented by picking tools the team actually likes, which is half the argument for the pilot-first approach in our getting-started guide.

Where do state dental boards come in?

HIPAA is federal, but your license is state. Boards regulate recordkeeping standards that AI-drafted notes must still meet, delegation rules that decide what auxiliaries may do with AI assistance, and advertising rules that constrain how you describe AI to patients ("AI-verified diagnosis" is the kind of phrase to run past counsel before it reaches your website). Several states also impose all-party consent for call recording, which matters for phone AI and call-recording features. Some states layer their own patient-privacy statutes on top of HIPAA. A short call with your board or your attorney before deploying a new category of tool is cheap insurance.

Common questions

Do I need a BAA for every AI tool in my dental practice?

For every tool that creates, receives, maintains, or transmits PHI on your behalf, yes. That covers radiograph AI, an AI scribe, a phone assistant that records patient calls, recall automation, analytics platforms, and any practice management system. A vendor that handles your PHI without a signed Business Associate Agreement leaves your practice exposed, and "HIPAA-compliant" on a website is not a substitute for the signed document.

Which dental AI tools can be called FDA-cleared?

Among the tools reviewed on this site, only Denti.AI (Detect and Auto-Chart) and Pearl Second Opinion carry FDA clearance for their radiograph products. Clearance is specific: it names a product and a use, not a company. Ask any vendor for the clearance reference and check it against FDA records instead of relying on a brochure.

Can an AI vendor train its models on my patients' data?

Only within the limits of HIPAA and your agreements, which is why you ask before signing. Get written answers on whether your data trains vendor models, whether de-identification is applied and to what standard, how long data is retained, and how deletion is handled at contract end. If a vendor cannot answer these in writing, that silence is your answer.

Does HIPAA prevent me from using an AI phone assistant?

No. Call recordings and scheduling details are PHI, so the vendor must sign a BAA and apply appropriate safeguards, and some states add their own call-recording consent rules. Practices run tools like Arini and Weave under HIPAA; the point is to paper the relationship before the first patient call, not to avoid the tools.

Is this page legal advice?

No. It is educational background to make your conversations with vendors, your compliance or IT lead, and your attorney faster and sharper. Decisions about HIPAA, HITECH, state rules, and your risk posture belong with qualified counsel and your own compliance process.

JM
Reviewed by James Mills, founder of The Agentic AI Index — an independent directory of AI tools and local consultants. Affiliate disclosure: some links on this page can earn us a commission, at no extra cost to you. We refer local pros; we do not recommend or endorse providers.

Sources: HIPAA Privacy, Security, and Breach Notification Rules and HITECH Act materials published by the U.S. Department of Health and Human Services (hhs.gov); FDA device clearance records (fda.gov). Tool facts and prices referenced here follow our verified table: Denti.AI is vendor-published (denti.ai/pricing); other tools are semi-published or third-party reported and quoted per practice, checked 2026-07-12. This guide is educational only and is not legal advice. Last reviewed: 2026-07-12.

Want help doing this properly?

Enter your zip code to find a local AI consultant who sets up dental AI tools with the BAA, access controls, and staff training handled from day one.

Find a local AI pro →
Find a local pro

Get these tools set up for you

Enter your zip and we'll show local AI consultants who configure phone answering, recall automation, radiograph AI, and practice-management migrations for dental offices. Free to use, and we don't take a cut of what you pay them.