
Using AI in the Dental Office? Don’t Forget HIPAA and California Privacy Rules

Artificial intelligence (AI) is becoming more common in dental practices — from drafting emails and summarizing notes to helping with scheduling, marketing, and clinical documentation. While these tools can improve efficiency, California dentists should remember that using AI does not eliminate their obligations to protect patients’ protected health information (PHI) under state and federal law.

Before adopting any AI tool, every dental practice should understand what the federal Health Insurance Portability and Accountability Act (HIPAA) requires, where California law goes further, and what steps to take before entering patient information into any platform.

Questions to Ask Before Adopting Any AI Tool

Not all AI tools are created equal, and the risks vary widely depending on how a tool handles patient data. Before adopting any AI platform, dental practices should ask:

  • Will staff enter PHI into this system, or can the workflow be done with de-identified data?
  • Will the AI vendor retain prompts or outputs, or use patient data to train its product, and is that restriction written into the contract rather than left to a settings toggle that any user can change?
  • Who has access to the information (including the vendor's subprocessors), where is it stored, and how long is it retained?
  • Does the vendor offer a Business Associate Agreement (BAA) and appropriate security protections such as encryption, access controls, and audit logs?
  • Has the practice established clear internal rules for when AI may and may not be used by staff?

These questions are not optional considerations — they go to the heart of whether a dental practice can lawfully use a given AI tool with patient data.

HIPAA and AI: The Business Associate Agreement Requirement

Using a general consumer AI tool, such as the consumer version of ChatGPT, to draft patient communications, summarize chart notes, or process treatment information creates serious privacy risks if the AI vendor is not bound by a Business Associate Agreement under HIPAA. There is no government "approval" of Business Associates; the signed agreement is what creates the obligation.

If an AI system will create, receive, maintain, or transmit PHI on behalf of your practice, the vendor meets HIPAA's definition of a Business Associate, and a written Business Associate Agreement (BAA) is legally required before use. Claiming a product is "HIPAA compliant" is not the same as having a BAA in place: the BAA is the legal protection, and the vendor's marketing language creates no obligation on its own.

If a vendor refuses to sign a BAA, the dental practice cannot lawfully use that tool with PHI, regardless of how the tool markets itself. The only exception is data that has been de-identified under HIPAA's de-identification standard (45 CFR 164.514), which is no longer PHI; simply removing the patient's name does not meet that standard.

Common AI tools that typically require a BAA include:

  • AI-assisted radiograph or diagnostic imaging platforms
  • AI-powered patient communication tools or chatbots
  • Ambient transcription or AI scribing tools used chairside
  • Scheduling or billing platforms with AI features that access patient records

California Privacy Laws Add Additional Obligations

HIPAA is not the only concern for California dental practices. California's Confidentiality of Medical Information Act (CMIA, Civil Code section 56 et seq.) applies to all providers of health care, regardless of whether they transmit PHI electronically, which is a broader standard than the federal covered entity definition. The California Consumer Privacy Act (CCPA/CPRA) generally exempts PHI and CMIA-covered medical information, but it can still reach other personal information a practice collects, such as website or marketing data, if the practice meets the law's thresholds.

That means practices should be cautious about uploading radiographs, clinical notes, patient photos, insurance details, appointment information, or other identifiable data into AI platforms without first reviewing how the tool stores, uses, and protects that information.

Security Risk Analysis: A Step Practices Often Overlook

HIPAA's Security Rule (45 CFR 164.308(a)(1)(ii)(A)) requires dental practices to conduct a security risk analysis covering every system that creates, receives, maintains, or transmits electronic PHI, and that includes AI tools. When a practice adds a new AI platform, it must add that tool to its security risk analysis, identify potential vulnerabilities (for example, where the vendor stores data, who can access it, and whether prompts are retained), and document the risk management steps taken.

The ONC Security Risk Assessment (SRA) Tool is available free from the US Department of Health and Human Services (HHS) and is specifically designed for small and medium healthcare providers. It walks through the analysis step by step and is a practical starting point for any practice that has not completed a recent review.

The Safest Approach: Treat AI Like Any Other Third-Party Vendor

The safest approach is to treat AI tools like any other third-party Business Associate service that may touch patients’ PHI. In practice, that means:

  • Vet vendors carefully. Use healthcare-grade AI platforms that offer a BAA and a secure, private data environment, and confirm that the specific tier or plan you buy is the one the BAA covers.
  • Avoid consumer AI products. Do not enter PHI into consumer AI tools, such as ChatGPT, Google Gemini, or similar platforms, unless the platform has been specifically approved for compliant use with a signed BAA. Consumer tiers typically do not offer a BAA and may retain what users type; the same vendors' enterprise or API offerings may, so check the tier, not just the brand name.
  • Train employees. Staff must understand which AI tools are approved, what patient data may and may not be entered, and how to report a potential PHI incident.
  • Update your security risk analysis whenever a new AI tool is adopted, and keep an inventory of approved AI tools so the analysis matches what staff actually use.

New Federal Rules on AI May Be Coming

Federal regulators are actively examining the use of AI in healthcare, but there is not currently a HIPAA rule specifically directed at AI use. HHS has sought public input on AI adoption in clinical care; that work may shape AI-enabled health IT products and interoperability standards, but it does not necessarily fall under HIPAA. More relevant to dentists, HHS has proposed updates to the HIPAA Security Rule that would strengthen cybersecurity requirements for electronic PHI. Those proposed changes are not AI-specific, but they would still affect dental practices that use AI tools to create, receive, maintain, or transmit PHI. Practices that build sound habits now, vetting vendors, securing BAAs, training staff, and conducting security risk analyses, will be better positioned when new rules take effect.

For our OSHA Review subscribers… a HIPAA risk analysis checklist is available from OSHA Review’s website.


This article is intended for general informational purposes only and does not constitute legal advice. Dentists with questions about a specific AI product or privacy concern should consult qualified legal counsel before implementation.


About OSHA Review, Inc.

Since 1992, OSHA Review, Inc. has supported dental professionals with regulatory compliance resources, infection control guidance, continuing education, sterilizer monitoring, surface disinfectant products, and dosimetry monitoring services. For more information, visit oshareview.com or call 800-555-6248.

Morgan Lawson is the Chief Operations Officer and Managing Editor at OSHA Review, Inc., where he has led dental compliance education and operations since 1999. With over 25 years of experience in OSHA regulations, infection control standards, and dental practice compliance, Morgan oversees the development of content, training programs, and compliance resources trusted by dental practices nationwide.
