by Olivia Wann

Artificial intelligence (AI) is rapidly transforming the health care landscape. Dental professionals are increasingly using AI-powered tools to assist with administrative tasks, patient communications, clinical documentation, treatment planning, marketing, and operational efficiency. While these technologies offer significant benefits, they also introduce new privacy, security, compliance, and ethical risks that many dental practices have not yet fully addressed.

For example, the consumer version of ChatGPT is not HIPAA compliant. It’s impossible to obtain a Business Associate Agreement. The alternative is ChatGPT Health. With AI tools readily available, clearly it can be confusing which platform to use.

As AI adoption accelerates, every dental practice should implement a comprehensive Artificial Intelligence Use Policy designed to protect patient information, comply with HIPAA requirements, and promote sound cybersecurity practices.

The Growing Risk of AI in Dentistry

Many dental team members now have easy access to powerful AI tools through web browsers, mobile applications, and software integrations. A common misconception is that entering information into an AI platform is no different than conducting an internet search. In reality, many AI systems process, store, retain, or use submitted information in ways that may create significant compliance concerns.

Without proper safeguards, a workforce member could inadvertently copy and paste patient information from an electronic health record, email, treatment plan, radiograph report, or insurance documentation into an AI platform. If that platform is not specifically approved for HIPAA-compliant use, the practice may unknowingly disclose Protected Health Information (PHI) to a third party.

Such disclosures can trigger HIPAA violations, breach notification obligations, regulatory investigations, reputational damage, and loss of patient trust.

AI in Telehealth, Zoom Conferencing and Patient Communications

(AI) features are increasingly being integrated into videoconferencing and telehealth platforms. Examples include automated meeting summaries, transcription services, note generation, sentiment analysis, virtual assistants, and AI-powered documentation tools. While these technologies may improve efficiency, they also create significant privacy, security, compliance, and professional liability concerns when patient information is discussed during telehealth encounters.

Health care organizations should determine:

• Whether meeting recordings are retained.
• Whether transcripts are stored.
• How long information is retained.
• Whether data can be permanently deleted.
• Where data is stored geographically.
• Who has access to stored information.

Failure to understand retention practices may expose patient information to unnecessary risk.

Unauthorized Disclosure of Protected Health Information

One of the primary concerns is the potential disclosure of Protected Health Information (PHI) to an AI vendor. AI features may record, transcribe, summarize, analyze, or otherwise process conversations that contain patient identifiers, medical histories, diagnoses, treatment recommendations, insurance information, or other confidential health information.

If the AI provider receives, maintains, stores, or processes PHI on behalf of a covered entity, the provider may qualify as a Business Associate under HIPAA, requiring an appropriate Business Associate Agreement (BAA).

The Primary Objective: Protecting PHI and ePHI

The cornerstone of any AI policy should be the protection of Protected Health Information (PHI) and Electronic Protected Health Information (ePHI).

The primary objective is straightforward:

To prevent the unauthorized storage, retention, disclosure, transmission, or use of PHI and ePHI through artificial intelligence platforms.

Dental practices must recognize that AI vendors may collect, store, log, analyze, or use submitted information unless contractual and technical safeguards specifically prohibit those activities. Even information that appears harmless may contain identifiers capable of linking data back to an individual patient.

An effective AI policy should prohibit workforce members from entering PHI into any AI platform unless the platform has been formally approved and appropriate safeguards are in place.

Why HIPAA Compliance Matters

HIPAA’s Privacy Rule, Security Rule, and Breach Notification Rule apply regardless of whether information is shared with a traditional software vendor or an AI platform.

Before a dental practice allows PHI to be entered into an AI system, it must determine:

• Whether the AI vendor creates, receives, maintains, or transmits PHI on behalf of the practice.
• Whether a Business Associate Agreement (BAA) is required.
• Whether the vendor provides adequate administrative, technical, and physical safeguards.
• Whether information submitted to the AI platform is retained or used for model training.
• Whether the vendor can demonstrate compliance with recognized security frameworks.

Simply because an AI tool is popular or widely available does not mean it is HIPAA compliant.

The Importance of Approved AI Tools

A well-designed AI policy should establish a formal approval process for AI technologies.

Rather than allowing employees to independently choose AI applications, practices should require a structured review process that includes:

• Vendor due diligence
• Privacy and security assessments
• Data flow analysis
• Cybersecurity reviews
• Legal review of contractual terms
• Evaluation of retention and training practices
• Business Associate Agreement execution when required

Under this approach, all AI tools are considered prohibited unless they have been specifically approved by the practice’s Privacy Officer, Security Officer, or Compliance Officer.

This “default prohibition” model significantly reduces the likelihood of unauthorized disclosures.

No-Retention and No-Training Requirements

One of the most important provisions of an AI policy is requiring vendors to provide assurances that patient information will not be retained or used to train AI models.

Dental practices should seek documented commitments that:

• PHI is not stored beyond the time necessary to generate an output.
• User prompts and outputs are not retained in vendor databases.
• Data is not used to improve, train, or fine-tune AI models.
• Information is not shared with affiliates or third parties.
• Technical controls exist to enforce these protections.

These safeguards are essential because many consumer AI products are designed to learn from user interactions unless configured otherwise.

De-Identification and the Minimum Necessary Standard

Even when using AI for legitimate operational purposes, dental practices should apply HIPAA’s de-identification standards whenever possible.

Before information is entered into an AI platform, workforce members should remove identifiers such as:

• Names
• Dates of birth
• Addresses
• Telephone numbers
• Email addresses
• Medical record numbers
• Insurance identifiers
• Photographs
• Other identifying characteristics

In addition, the HIPAA “minimum necessary” standard should always apply. Only the minimum amount of information required to accomplish the intended purpose should be used.

De-identification serves as a critical risk reduction strategy when utilizing AI tools for educational content, administrative functions, policy drafting, marketing development, and workflow improvement.

Workforce Education Is Essential

Technology policies are only effective if employees understand them.

Every dental practice should provide training that explains:

• What constitutes an AI platform
• Which AI tools are approved
• Which tools are prohibited
• How to identify PHI
• Proper de-identification techniques
• Incident reporting requirements
• The consequences of policy violations

Many AI-related incidents occur not because of malicious intent, but because employees are unaware that a seemingly simple prompt may contain protected information.

Regular training can significantly reduce these risks.

Human Judgment Cannot Be Replaced

AI systems can assist with drafting content, summarizing information, generating educational materials, and improving efficiency. However, AI should never replace professional judgment.

Dental providers remain responsible for all clinical decisions, patient communications, documentation, diagnoses, treatment recommendations, and records.

Any AI-generated output should be independently reviewed and verified before it is relied upon in patient care.

A strong AI policy reinforces that AI is a tool—not a substitute for professional expertise.

Incident Response and Ongoing Monitoring

Dental practices should also establish procedures for responding to AI-related incidents.

If PHI is inadvertently disclosed through an AI platform, the practice should:

1. Immediately report the incident.
2. Conduct a prompt investigation.
3. Assess whether a HIPAA breach has occurred.
4. Document findings.
5. Implement corrective action.
6. Complete breach notifications if required.

In addition, practices should maintain audit logs, monitor approved AI tool usage, and periodically reassess vendor compliance and emerging risks.

Building Patient Trust in the Age of AI

Perhaps the most important reason to adopt an AI policy is preserving patient trust.

Patients expect dental practices to safeguard their personal health information with the same diligence applied to clinical care. As artificial intelligence becomes more prevalent throughout health care, patients will increasingly ask how their information is being protected.

A comprehensive AI policy demonstrates that the practice has thoughtfully evaluated the benefits and risks of AI technologies and has implemented safeguards to protect patient privacy, maintain regulatory compliance, and support ethical use of emerging technologies.

Conclusion

Artificial intelligence presents exciting opportunities for dental practices, but it also creates new compliance and cybersecurity challenges. An AI Use Policy provides a structured framework for managing those risks by preventing unauthorized storage, retention, disclosure, or use of PHI and ePHI; establishing vendor review requirements; defining workforce responsibilities; requiring HIPAA-compliant safeguards; and promoting sound cybersecurity practices.

As AI continues to evolve, dental practices that proactively establish governance policies today will be better positioned to protect patient information, maintain regulatory compliance, and responsibly leverage the benefits of artificial intelligence in the future.

By Olivia Wann

In every dental practice, infection prevention depends on more than running instruments through a sterilizer. Proper handling after sterilization is equally important. Once instruments have been sterilized and sealed in approved sterilization pouches, they should remain packaged until the exact moment they are needed for patient treatment. Opening pouches ahead of time defeats an important layer of protection and increases the risk of contamination.

Sterilization pouches are designed to serve two purposes. First, they allow sterilizing agents such as steam or dry heat to penetrate during the sterilization cycle. Second, once the cycle is complete, they act as a protective barrier that helps keep the contents sterile during storage and transport. If the pouch is opened prematurely, that barrier is lost.

Dental treatment rooms contain aerosols, splatter, dust, and frequent hand contact with surfaces. Once a pouch is opened, instruments are exposed to the operatory environment. Even in a clean room, microorganisms can settle onto exposed surfaces. Opening sterile instruments before the patient is seated creates unnecessary exposure time and can compromise the integrity of the instruments before care even begins.

Waiting until the patient is seated and treatment is about to begin provides several important benefits. It helps preserve sterility for as long as possible. It demonstrates visible infection control practices to the patient, showing that their instruments were sealed and protected until use. It also reduces waste. If a patient cancels, reschedules, or the treatment plan changes, unopened sterile pouches can remain properly stored rather than requiring reprocessing due to unnecessary opening.

Another important consideration is workflow discipline. Team members who routinely open pouches early may unintentionally touch instrument trays, countertops, gloves, or other surfaces after exposing the instruments. This creates opportunities for cross-contamination. Opening pouches chairside at the appropriate time encourages aseptic transfer techniques and better procedural consistency.

Best practice is to inspect the pouch before opening, verify the chemical indicator has changed appropriately, check package integrity, and then open the pouch carefully without touching the instrument tips or working ends. Instruments should be presented directly onto a clean tray setup or transferred using proper technique immediately before treatment begins.

Patients notice details. Seeing instruments opened from sealed pouches while seated in the operatory builds confidence in the office’s commitment to safety and professionalism. It communicates that infection control is taken seriously.

Sterilization is not complete when the cycle ends—it is complete only when sterile instruments are protected until point of use. Keeping instruments packaged until the patient is seated is a simple but essential step in maintaining high standards of dental infection prevention.

by Caitlin Denison, BS, RDH, CHPC

When many of us think of eye protection, we think of safety glasses worn by nail-gun-wielding construction workers, or the goggles worn by chemical-mixing scientists. What our imagination often fails to offer up are images of a hygienist whose prophy angle is spraying polish about, or the dentist using a high-speed drill to excavate-and possibly fling- decay, or even the dental assistant peering into the mouth of a patient whose salivary glands threaten to spray without notice (see the recent TikTok phenomenon of ‘gleeking’.)

by Olivia Wann and Caitlin Denison

Recently, a dental practice received a serious OSHA citation for contaminated laundry being handled unnecessarily or with what the inspector described as “excessive agitation.” This was surprising, as in 26 years of consulting we have not previously encountered this type of violation.

by Olivia Wann

Thirty-four percent of dentist owners plan to retire within six years according to Dental Post’s 2025 Dental Salary Survey Report. If you are interested in selling a practice or buying a practice, there are important legal considerations. Selecting a lawyer who understands the many facets of dentistry to prepare or review a buy-sell agreement is to the dentist’s advantage.  Here’s my top ten reasons why:

by Olivia Wann, JD

Specialty dentists such as oral surgeons, periodontists, orthodontists, and endodontists depend heavily on relationships with general dentists who refer patients for treatment. Hosting a continuing education (CE) event is one of the most effective ways to strengthen those relationships while providing genuine value to the referring community. A well-planned CE program positions the specialist as a trusted resource, encourages collaboration, and keeps colleagues informed about evolving clinical techniques.

by Olivia Wann

OSHA is here!  Help!  Are you practicing in Tennessee and have experienced a recent unannounced OSHA inspection?  You are not alone.

Week to week, dental practices are reaching out to us explaining that a Tennessee OSHA inspector stopped in for a random audit.  Quite a number of practices experienced citations, although such citations only amounted to a few hundred dollars.  What is this all about?

by Olivia Wann, JD

Imagine the frustration of patients living in Memphis who were treated by a local dentist whose records were left behind in a storage unit. 

According to the individual who purchased the contents of an abandoned storage unit, he found thousands of dental records to include x-rays, intake forms, billing records and billing information that included patients’ social security numbers. He was quoted as saying, “This wasn’t one or two files, this was thousands of thousands of files.” 

by Olivia Wann, JD

As we close out 2025 and say hello to 2026, it’s a great time to look back at the past 12 months and take a “compliance inventory.” Assess how well your practice achieved the goals of infection control, and OSHA and HIPAA compliance.

by Caitlin Denison, BS, RDH

Let’s say you’re getting ready to do a quadrant of scaling and root planning (SRP). You have a sensitive patient with deep pockets, so you’ve decided that local anesthetic is the best way to manage the patient’s pain and keep them comfortable during the procedure. You plan to administer the MSA and ASA blocks.

In situations like this, where we are giving injections at multiple sites, there are a few practices to keep in mind for patient and clinician safety, as well as regulatory compliance.

1. Always prepare your injection in a clean area free from contamination. Disinfect the rubber septum on the anesthetic carpule before puncturing it.
2. Never use a needle for more than one patient. While a single needle may be used to inject multiple sites on the same patient, this same needle may not be used on another patient. Remember, needles are single-use items and cannot be sterilized and reused.
3. Always sterilize your re-usable injection syringe between patients. Unlike needles, most dental aspirating syringes can be sterilized and reused.
4. Always recap the needle if it must be set down between injections to prevent injuries. Ensure that recapping is never done using two hands or any other technique that could direct the needle towards any part of the body. Use either a single-handed scoop technique for recapping, or a mechanical device designed to hold the needle cap.
5. Always place used needles in a puncture resistant sharps container that is labeled as biohazard. This container should be located as close as feasible to the area where the injection is given.
6. Never pass uncapped needles to another user.
7. Ensure that the Practice’s exposure control plan contains an explanation of why recapping is required as well as the procedure that is followed for safe recapping (single-hand technique or recapping device). OSHA may request this policy in the event of an inspection.