
AI in Dentistry and Oral Surgery: The HIPAA Questions to Ask First

A New Set of Tools, an Old Set of Rules

Walk into a modern dental or oral surgery practice and you will find artificial intelligence quietly at work in places you might not expect. AI reads bitewing X-rays and flags caries a tired eye might skip. It traces the inferior alveolar nerve on a cone-beam CT scan before an implant goes in. It listens to a sedation case and drafts the clinical note. It answers the phone after hours and books the recall appointment. For practices that have always run lean, this is genuinely useful technology, and it is arriving fast.

But the rules that govern patient data did not change just because the tools got smarter. The HIPAA Security Rule still applies to every system that creates, receives, maintains, or transmits electronic protected health information (ePHI), and that absolutely includes AI software. The question for a practice owner is not “Is AI good or bad?” It is more specific and more useful: which AI tools have been built for healthcare, which have not, and what has to be in writing before a single patient’s data touches the model.

This guide walks through where AI is actually delivering value in dentistry and oral surgery, the honest pros and cons, the data sovereignty questions that separate a safe deployment from a reportable breach, and the single most common and most dangerous mistake — pasting patient information into a consumer-grade large language model that never promised to keep it private.

“AI does not get a pass on HIPAA because it is new. If a tool handles patient data on your behalf, it is a business associate, and that relationship has to be governed before the data flows — not after.”

Where AI Is Genuinely Helping Dental and Oral Surgery Practices

The clearest, lowest-risk wins are in diagnostic imaging, where the AI analyzes images the practice already owns and the vendors are purpose-built for clinical use.

Imaging and diagnostic support

A handful of FDA-cleared imaging platforms have become common in general and specialty dentistry. Pearl and Overjet both market FDA-cleared dental imaging AI that highlights findings on radiographs (Pearl, Overjet), and imaging-and-clinical AI is increasingly built into practice-management platforms such as Dentrix (Dentrix). The value here is real: a consistent second read on every image, surfaced at the chair, that helps standardize diagnosis across providers and supports the case presentation to the patient.

Oral surgery and implant planning

In oral and maxillofacial surgery, AI is moving into the planning and documentation workflow. On cone-beam CT, AI assists with segmentation, nerve-canal tracing, sinus proximity, and implant positioning based on bone density — exactly the anatomy a surgeon needs to respect (Planmeca). Beyond imaging, practices are piloting voice-to-notes documentation that turns dictation into operative notes, along with AI phone agents that answer common questions, route urgent calls, and perform post-operative check-ins (Dental Surgical Network). These tools promise to claw back the administrative time that buries clinical staff — and, because the voice tools capture spoken patient information, they are exactly the kind of system that needs a business associate agreement and a no-training commitment before it ever runs on a real case.

Operations and the front desk

Away from the clinical floor, AI is drafting recall messages, summarizing insurance policies, triaging the inbox, and helping staff write clearer patient communications. This is where a practice is most likely to reach for a general-purpose chatbot — and, as we will see, where the data sovereignty risk is highest.

The Honest Pros and Cons

No responsible technology partner should sell AI as pure upside. Here is the balanced view a practice owner deserves.

The genuine advantages:

  • A consistent second read. Diagnostic AI does not get tired, distracted, or rushed at 4:45 on a Friday. As a support to clinical judgment, it can catch what fatigue misses.
  • Reclaimed time. Ambient scribing and automated front-desk work can return hours to a small team that has none to spare — often the difference between a clinician charting at home and one going home.
  • Better case presentation. Annotated images and plain-language summaries help patients understand and accept needed treatment.
  • Accessibility for small practices. Many of these tools are subscription-priced and cloud-delivered, putting capabilities once reserved for large groups within reach of a solo practice.

The real costs and risks:

  • AI is an aid, not an authority. A licensed clinician remains responsible for every diagnosis and treatment decision. AI can be confidently wrong; over-reliance is a clinical risk, not just a technical one.
  • Privacy and data sovereignty exposure. Every AI tool that touches patient data is a place that data can leak, be retained, or be reused. This is the core HIPAA issue, covered in detail below.
  • New attack surface. Each cloud integration, API key, and vendor account is one more door into your environment that has to be secured, monitored, and inventoried.
  • Bias and validation gaps. A model trained on populations unlike your patients can perform unevenly. Clinical AI should be FDA-cleared for its stated use and validated in your own workflow, not trusted blindly.

The pattern is consistent: the upside is real, and so is the responsibility. The deciding factor is almost always how the tool is governed, not whether AI is involved.

Data Sovereignty: Knowing Where Your Patients’ Data Goes

“Data sovereignty” sounds abstract, but for a practice it reduces to three concrete questions: Where does our patient data physically go? Who can see it? And can the vendor use it to train their model? With AI, that third question is the one most people forget to ask — and the one that matters most.

When you type into a tool, the text often leaves your office, travels to a vendor’s servers, and is processed there. What happens next depends entirely on the product tier. A purpose-built healthcare AI vendor will isolate your data, restrict access, decline to train its models on your inputs, and put all of that in a contract. A consumer product frequently does the opposite by default: it may retain your inputs, allow human review, and use what you submit to improve its models — exactly the behaviors that are incompatible with handling ePHI.

This is the same distinction that has always existed in email, and the analogy is worth making explicit because every practice already understands it.

The Gmail and Outlook analogy every practice already understands

You would never run your clinical email through a free, personal consumer account. A free consumer webmail account is neither designed nor contracted for PHI, and the provider will not sign a Business Associate Agreement for it. The enterprise, paid tiers — the healthcare-eligible versions of Google Workspace and Microsoft 365 — are offered under a BAA, with the privacy and security commitments healthcare requires. Same brand, completely different contractual reality.

Large language models work exactly the same way. The free, consumer version of a popular AI chatbot is the equivalent of the personal webmail account: convenient, capable, and entirely inappropriate for patient data. The enterprise, HIPAA-eligible offerings from the major cloud providers — services delivered through Microsoft Azure OpenAI, Google Cloud Vertex AI, and AWS — will sign a BAA and can be configured so your data is not used for training. The model may be similar; the governance is night and day.

“If a large language model does not explicitly promise — in a signed agreement — that it will not train on your data and will protect your patients’ information, then pasting PHI into it is the digital equivalent of mailing your charts to a stranger and hoping for the best.”

The Hard Rule: No BAA, No PHI — and That Includes AI

Here is where the regulation is genuinely unambiguous. Under HIPAA, any vendor that creates, receives, maintains, or transmits ePHI on your behalf is a business associate, and you must have a Business Associate Agreement in place before they handle that data. A cloud-based AI service that processes patient information is a cloud service provider and therefore a business associate — the same analysis HHS already applied to cloud computing broadly.

HHS could not be clearer on the consequence of skipping the BAA. In its official Guidance on HIPAA & Cloud Computing, the department states:

“[I]f a covered entity (or business associate) uses a CSP to maintain (e.g., to process or store) electronic protected health information (ePHI) without entering into a BAA with the CSP, the covered entity (or business associate) is in violation of the HIPAA Rules.”

That guidance points to the governing regulations at 45 C.F.R. §§ 164.308(b)(1) and 164.502(e), and it goes further: a cloud provider is a business associate even if it only stores encrypted data and cannot view it, and even a “no-view” arrangement still requires a BAA (HHS — Guidance on HIPAA & Cloud Computing). HHS’s broader business-associate guidance applies the identical standard to any vendor handling PHI on your behalf (HHS — Business Associates).

Translate that to the exam room: feeding a patient’s name, history, or images into a consumer-grade AI tool that has not signed a BAA — and that does not commit to keeping your data private and untrained-upon — is, by HHS’s own words, a violation. The newness of the technology changes nothing about the rule.

What about enforcement — has anyone been penalized for this?

Practice owners reasonably ask whether a regulator has penalized anyone specifically for using an AI tool without a BAA. The more useful way to think about it is this: HIPAA enforcement does not hinge on whether a case gets labeled an “AI” case. What OCR enforces are the underlying violations — and an AI tool used without a BAA is simply a new flavor of an old, well-enforced problem.

  • The underlying violation is what gets penalized. Using a vendor or cloud service to handle ePHI without the required BAA, and failing to perform a proper risk analysis, are long-standing enforcement risks under HIPAA. OCR resolution agreements have repeatedly centered on risk-analysis failures, with settlements ranging from tens of thousands to several million dollars (Ogletree Deakins — HIPAA enforcement and risk-analysis failures). Whether the vendor is an EHR, a billing service, or an AI model changes the technology, not the rule.
  • Private litigation over AI and patient data is a separate, growing pressure. Class-action suits have targeted health systems over AI and ambient tools alleged to capture patient communications without proper consent — distinct from OCR penalties, but a clear signal that courts and plaintiffs scrutinize how healthcare handles AI and data (Holland & Knight — generative-AI class actions).

The point is durable regardless of which specific case makes headlines next: the BAA requirement is on the books, OCR enforces its components vigorously, and the legal exposure for mishandling patient data through any vendor — AI included — is real.

A Practical Path to Using AI Safely

Adopting AI in a dental or oral surgery practice does not require fear or paralysis. It requires the same disciplined approach that strengthens any part of your security posture. A workable sequence for a small practice:

  1. Inventory every AI tool already in use. Include the front desk and individual staff members — shadow use of consumer chatbots is common and rarely reported up the chain.
  2. Classify each by whether it touches PHI. Drafting a generic policy explanation is different from summarizing a specific patient’s chart. The PHI-touching tools demand the full treatment.
  3. Require a signed BAA for any tool that handles PHI — and read it for the AI-specific clauses: no training on your data, defined data-retention and deletion limits, and subcontractor flow-down so the vendor’s own vendors are bound too.
  4. Default to enterprise, HIPAA-eligible tiers. Choose the healthcare offering from a major cloud provider over a consumer app, and disable training/data-retention features wherever the controls exist.
  5. Set a written AI-use policy and train your team. Tell staff plainly which tools are approved, what may never be pasted into a general chatbot, and where to ask when unsure. As we cover in security awareness that actually works, the workforce is your strongest layer — but only if it knows the rule.
  6. Fold AI into your risk analysis. Each AI system is a place ePHI lives and moves; it belongs in your asset inventory and your risk assessment, not in a blind spot. Our guide to asset inventories and network maps explains how to keep that picture current.
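Step 1 is the one most practices skip because they assume they already know what is in use. Outbound proxy or DNS logs are the quickest way to find out. The script below is an added example, not code from the original article or from any vendor it names: it classifies each request in a Squid-style access log as a consumer chatbot destination (no BAA), an approved enterprise AI endpoint the practice contracts for, or ordinary traffic, then lists the users who need a follow-up conversation. The hostnames, the log format, and the sample log lines are assumptions constructed for illustration; substitute your own proxy's format and the endpoints named in your signed BAAs.

```python
"""Shadow-AI inventory from web-proxy logs.

Added example, not code from the original article or any vendor it names.
Each outbound request is classified as consumer-AI (no BAA), approved-AI
(enterprise endpoint the practice contracts for), or other. The hostnames,
the Squid-style log format and the sample lines below are assumptions
constructed for illustration; adapt them to your proxy and your contracts.
"""
import re
from collections import defaultdict

# Assumed watchlist of consumer chatbot front ends (no BAA). Verify each
# entry against the vendor's current terms before relying on it.
CONSUMER_AI_HOSTS = {
    "chatgpt.com", "chat.openai.com", "claude.ai",
    "gemini.google.com", "copilot.microsoft.com",
}

# Assumed allowlist of enterprise endpoints the practice has a BAA for.
# Matched by suffix, e.g. "<resource>.openai.azure.com".
APPROVED_AI_SUFFIXES = (".openai.azure.com", "aiplatform.googleapis.com")

# Squid native access-log layout (assumed):
# time elapsed client code/status bytes method url user hierarchy type
LOG_RE = re.compile(
    r"^\S+\s+\d+\s+(?P<client>\S+)\s+\S+\s+\d+\s+(?P<method>\S+)\s+"
    r"(?P<url>\S+)\s+(?P<user>\S+)"
)

# Constructed sample log: front desk using a consumer chatbot, a clinician
# using the contracted Azure OpenAI resource, and ordinary browsing.
SAMPLE_LOG = """\
1700000000.101 245 10.0.0.12 TCP_TUNNEL/200 8421 CONNECT chatgpt.com:443 frontdesk HIER_DIRECT/104.18.0.1 -
1700000000.205 120 10.0.0.12 TCP_TUNNEL/200 1032 CONNECT www.ada.org:443 frontdesk HIER_DIRECT/203.0.113.5 -
1700000000.310 980 10.0.0.31 TCP_TUNNEL/200 55210 CONNECT dental-scribe.openai.azure.com:443 drlee HIER_DIRECT/20.0.0.1 -
1700000000.412 301 10.0.0.44 TCP_TUNNEL/200 7310 CONNECT claude.ai:443 hygienist2 HIER_DIRECT/104.18.0.2 -
1700000000.515 200 10.0.0.12 TCP_TUNNEL/200 9001 CONNECT chatgpt.com:443 frontdesk HIER_DIRECT/104.18.0.1 -
"""


def host_of(url: str) -> str:
    """Extract the lowercase hostname from 'host:port' or a full URL."""
    m = re.match(r"^(?:https?://)?([^/:]+)", url)
    return m.group(1).lower() if m else ""


def classify(host: str) -> str:
    """Bucket a destination host: 'consumer-ai', 'approved-ai' or 'other'."""
    if host in CONSUMER_AI_HOSTS or any(host.endswith("." + h) for h in CONSUMER_AI_HOSTS):
        return "consumer-ai"
    if any(host.endswith(s) for s in APPROVED_AI_SUFFIXES):
        return "approved-ai"
    return "other"


def inventory(lines):
    """Count AI-related requests per (user, host), split by category.

    Unparseable lines are skipped rather than silently misclassified.
    """
    report = defaultdict(lambda: defaultdict(int))
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        host = host_of(m.group("url"))
        cat = classify(host)
        if cat != "other":
            report[cat][(m.group("user"), host)] += 1
    return {cat: dict(counts) for cat, counts in report.items()}


def shadow_users(report) -> list:
    """Users who reached a consumer chatbot: the shadow-AI follow-up list."""
    return sorted({user for user, _host in report.get("consumer-ai", {})})


if __name__ == "__main__":
    rep = inventory(SAMPLE_LOG.splitlines())
    for cat, counts in rep.items():
        for (user, host), n in sorted(counts.items()):
            print(f"{cat:12} {user:12} {host:40} {n}")
    print("follow up with:", ", ".join(shadow_users(rep)))
```

Two caveats a practitioner should keep in mind. A TLS CONNECT entry reveals only the destination hostname, never what was typed, so a hit means "this user reached a consumer chatbot from the practice network," not "PHI was pasted"; it populates the inventory in step 1 and feeds the conversation in step 5, it does not prove a breach. And traffic from personal phones on cellular data never touches the proxy at all, which is why the written policy and training in step 5 matter as much as the log review.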

For the deeper mechanics of vendor governance — what a BAA does and does not do, and why oversight does not end at the signature — see our companion pieces on business associates, BAAs, and who is responsible and the broader HIPAA Security Rule resource hub.

The Byzantine Takeaway

AI is becoming a permanent fixture in dentistry and oral surgery, and used well it can sharpen diagnosis, return time to overworked teams, and bring real capability to small practices. None of that requires gambling with patient data. The deciding factor is governance: a clinical or operational AI tool that touches PHI is a business associate, and HHS is explicit that using such a service without a BAA is a violation. Treat consumer-grade large language models the way you already treat a free personal email account — fine for things that are not patient data, off-limits for things that are — and insist on the enterprise, HIPAA-eligible tier with a signed BAA that forbids training on your data whenever PHI is involved. The underlying rule is well established and enforced, and the legal exposure around mishandled patient data is real, regardless of how any single AI tool is branded. Inventory what you are using, contract for what touches PHI, train your people, and put AI into your risk analysis. Do that, and you can adopt these tools with confidence rather than exposure — strengthening your security posture instead of quietly undermining it.

Cybersecurity is a team effort, and choosing AI responsibly is part of that effort. The practical next step is simple: know which tools touch PHI, know which vendors will sign a BAA, and train your team accordingly.