ChatGPT at the Front Desk: What Your Dental Team Is Sharing Without Telling You


Introduction

Your front desk coordinator is drafting a patient recall email and asks ChatGPT to make it sound friendlier. Your dental assistant uses an AI tool to summarize a patient's treatment history before the hygienist walks in. Your office manager pastes a billing dispute into an AI chatbot to help compose a response. None of them mentioned it to you. This is happening in dental practices across Salt Lake City right now — often with genuine good intentions and zero awareness of the HIPAA implications. AI tools are useful. They're also a new and largely unmanaged risk.

The Numbers Are Harder to Ignore Than the Habit

A joint study by CybSafe and the National Cybersecurity Alliance found that 38% of employees share confidential data with AI tools without approval from their employer. A separate BlackFog study found that 49% of employees use AI tools that have not been approved or reviewed by their organization.

For a dental practice, confidential data includes patient names, dates of birth, treatment notes, appointment histories, and billing records — all of which are protected health information (PHI) under HIPAA. When that data is pasted into a consumer AI tool, it may be stored, used for model training, or exposed in a future breach. Your business associate agreement with your software vendors does not cover what your team types into ChatGPT on a Tuesday afternoon.

AI Hallucinations: A Different Kind of Risk

Even when no patient data is involved, AI tools create risk through the content they generate. AI models are prone to hallucinations — confidently stated information that is factually incorrect. In a dental practice context, this could mean:

  • A patient communication that references an incorrect fee or insurance policy.
  • A clinical summary that mischaracterizes a treatment protocol.
  • A billing response that cites a regulation that does not exist.

The AI does not flag these errors. It presents them with the same confident tone it uses for accurate information. If your team is copying AI output directly into patient records or communications without review, errors will eventually make it to patients — or to a payer audit.

What Shadow IT Means for HIPAA Compliance

When employees use software that IT has not reviewed or approved, it is called shadow IT. In a dental practice, shadow IT most commonly appears as consumer AI tools, personal cloud storage used for work files, or messaging apps used to discuss patient matters.

HIPAA requires covered entities to conduct risk analyses and implement safeguards for all systems that store or process ePHI. A tool your team is using without your knowledge cannot be included in your risk analysis, so its safeguards are never assessed and no business associate agreement is ever put in place. That gap is a compliance problem — and a liability.

A Practical Framework: AI Drafts, Humans Approve

The goal is not to ban AI tools — it's to use them safely. Here is a framework that works for most dental practices:

Define What Can and Cannot Be Fed Into AI

Create a short, clear policy: no patient names, dates of birth, chart numbers, treatment notes, or billing information in any AI tool that has not been reviewed and approved. This single rule eliminates the most significant HIPAA risk. Non-PHI tasks — drafting general marketing copy, summarizing internal meeting notes without patient references, generating template language — can use AI freely.

AI Drafts, Your Team Approves

Any content generated by AI that will be sent to a patient, entered into Dentrix, or shared with a payer should be reviewed and approved by a qualified team member before it goes out. Treat AI output the way you would treat a draft from a new employee: useful starting point, not finished product.

Approve the Tools Your Team Is Actually Using

Ask your team what AI tools they're currently using. The answer may surprise you. Then work with your IT provider to evaluate which tools are appropriate, what data can be used with them, and whether any require a business associate agreement. Some AI platforms do offer HIPAA-compliant configurations — but that requires intentional setup, not a free consumer account.

Frequently Asked Questions

Q: Does HIPAA apply to AI tools used in a dental practice?

Yes. If a tool processes, stores, or transmits ePHI, it falls under HIPAA's requirements. This includes AI tools. A covered dental practice must ensure any such tool has a signed business associate agreement (BAA) in place and meets HIPAA's technical safeguard requirements. Consumer AI tools like the free version of ChatGPT do not have BAAs.

Q: What if an AI tool promises it doesn't store patient data?

Promises in terms of service are not the same as a signed BAA. Under HIPAA, you are responsible for ensuring your business associates have appropriate safeguards in place — and that responsibility cannot be delegated by trusting a checkbox in a privacy policy. Work with your IT provider to evaluate tools properly.

Q: Is it okay to use AI to write patient newsletters or recall emails if we don't include PHI?

Generally yes — using AI to draft general communication templates without patient-specific data is low risk. The risk increases when team members start including names, appointment details, or treatment information to make the output more specific. Clear guidance on what counts as PHI is the most important control.

Get Ahead of the Risk Before It Becomes a Breach

We work with Salt Lake City dental practices to keep systems running and patient data secure. If you want to create an AI use policy for your practice, evaluate the tools your team is using, or understand your HIPAA obligations around emerging technology, let's talk.

Schedule a free discovery call with Qual IT.