Dental AI Blueprint printable guide
AI Scribe Consent Checklist
A practical checklist before a dental practice turns on AI-supported scribing.
AI Scribe Consent Checklist
An AI scribe is not just a note-taking feature. It is a patient-data workflow.
This checklist is not legal advice and is provided for general educational purposes only. It does not certify that an AI scribe is compliant. It is designed to identify consent, storage, privacy, security and workflow review items before a practice uses AI scribing.
Two privacy laws apply in NSW. As well as the Commonwealth Privacy Act 1988 and its Australian Privacy Principles (APPs), dental practices in NSW are also bound by the NSW Health Records and Information Privacy Act 2002 (HRIP Act) and its Health Privacy Principles (HPPs). Read the considerations here against both. General information, not legal advice.
Quick decision: eleven questions before you switch on
Do not switch on an AI scribe until the practice can answer these questions:
- What patient data does it collect?
- Where is audio processed and stored?
- Where is the transcript processed and stored?
- Is generative AI used?
- Is patient data used to train models?
- Can patients opt out?
- Is informed consent obtained before use?
- Is consent recorded?
- Does the dentist review the note before it enters the patient record?
- Can the practice delete audio and transcripts?
- Is any processing or storage overseas, and has the practice assessed that separately from recording consent?
Checklist
1. Intended use
| Question | Answer |
|---|---|
| What is the scribe used for? | |
| Does it record audio? | |
| Does it transcribe in real time? | |
| Does it generate clinical note drafts? | |
| Does it suggest diagnosis or treatment? | |
| Does it write back to the PMS? | |
| Does it create patient-facing summaries? |
2. Patient data involved
| Data type | Included? |
|---|---|
| Patient name | |
| Voice or audio | |
| Symptoms | |
| Medical history | |
| Dental history | |
| Medications | |
| Treatment options | |
| Financial or payment discussion | |
| Consent discussion | |
| Images or X-rays |
3. Consent process
| Question | Answer |
|---|---|
| Is the patient told before the scribe is used? | |
| Is the explanation in plain English? | |
| Is the patient told what the tool does? | |
| Is the patient told what data may be processed? | |
| Is opt-out available? | |
| Is care unaffected if the patient opts out? | |
| Is consent recorded in the patient record? | |
| Is consent refreshed when needed? | |
| Is there a process for minors or guardians? |
Sample consent scripts
Use as a starting point only. Review before use.
Recording consent is not the same as addressing overseas disclosure. The scripts below obtain a patient's consent to being scribed. That is a separate matter from any APP 8 consideration that may arise if the tool processes data overseas. If the practice intends to rely on patient consent as any part of its overseas-disclosure approach, that requires specific, informed consent beyond "is that okay today?" — see the APP 8 section below. Seek independent legal advice on the mechanics.
Full version:
We use an AI-supported scribing tool to help prepare clinical notes from the consultation.
It may process personal information discussed during your appointment.
The dentist reviews the note before it is finalised.
You can choose not to use the scribe today. Your care will not be affected.
Are you comfortable with us using the AI-supported scribe for this appointment?
Shorter chairside version:
We use an AI-supported scribe to help draft notes. It may process information from this
consultation, and I review the note before saving it. You can opt out and your care will
not be affected. Is that okay today?
Patient refusal script:
No problem. We will not use the AI-supported scribe for this appointment.
I will take notes manually.
Consent record template
AI scribe discussed with patient.
Patient informed that AI-supported scribe may process consultation information
and that dentist reviews note before finalisation.
Patient consented / declined.
Date:
Clinician:
Tool:
Vendor review
Data handling
| Question | Answer |
|---|---|
| Where is audio processed? | |
| Where is audio stored? | |
| How long is audio retained? | |
| Where is transcript processed? | |
| Where is transcript stored? | |
| Are prompts or generated notes logged? | |
| Can the practice delete audio, transcripts and logs? | |
| Is data encrypted in transit and at rest? |
Model and training
| Question | Answer |
|---|---|
| Is generative AI used? | |
| Which model provider is used? | |
| Is patient data used to train or improve models? | |
| Can training use be disabled? | |
| Are de-identification or tokenisation controls used? | |
| Are model outputs reviewed by the dentist? |
Access and support
| Question | Answer |
|---|---|
| Who can access audio and transcripts? | |
| Can vendor support staff access data? | |
| Are support staff offshore? | |
| Are subprocessors listed? | |
| Are audit logs available? | |
| Is role-based access supported? | |
| Is MFA required? |
Contract and policy
| Question | Answer |
|---|---|
| Is there a data processing agreement? | |
| Is there a subprocessor list? | |
| Is there an Australian data residency option? | |
| Does the vendor explain overseas disclosure or processing? | |
| Does the vendor provide retention and deletion terms? | |
| Does the vendor provide breach notification terms? |
The note still has to be right (APP 10 — data quality)
An AI scribe can mishear, paraphrase loosely, or hallucinate — inventing a symptom, the wrong tooth, an allergy the patient never mentioned, or a medication that was not discussed. In a clinical record that is not a typo; it is a record-integrity and patient-safety problem.
Under APP 10 (data quality), a practice must take reasonable steps to ensure the personal information it holds is accurate, up to date and complete. So reviewing the scribe's output is not an optional nicety — it is part of how the practice meets that obligation.
- The dentist reviews and corrects every note before it enters the record. The clinician — not the AI — is responsible for what the record says.
- Watch for confident-but-wrong detail. Hallucinated allergies, medications, dosages, tooth numbers and history are the dangerous errors, because they read as authentic.
- Keep the authoritative note; the raw audio is separate. Once reviewed and saved, the note becomes the patient record and must be retained for the required period. The raw audio and transcript are a separate copy — confirm with the vendor what can be deleted, and when.
Overseas processing and APP 8 consideration
This section identifies a possible privacy-review trigger. It does not determine whether the practice is compliant or non-compliant, and it is not legal advice. The applicable framework is nuanced — seek independent legal advice on the practice's specific situation.
Many AI scribes use generative AI infrastructure that processes and stores data overseas — commonly in the United States. When patient information is sent to, or made accessible by, an overseas recipient, APP 8 of the Australian Privacy Principles may apply.
APP 8 is not a ban on overseas services. Under the Australian privacy framework, before disclosing personal information to an overseas recipient, an APP entity is generally required to take reasonable steps to ensure the overseas recipient handles the information consistently with the APPs. The Australian entity may also remain accountable for what the overseas recipient does with that information. Whether a given AI scribe arrangement constitutes a "disclosure" to an overseas recipient (rather than a "use") is a fact-specific question — but where a practice sends private health conversations to a US-based model provider, this consideration is a strong review trigger.
This consideration is separate from recording consent. A patient agreeing to be scribed — "is that okay today?" — addresses recording and clinical note-taking. It does not, by itself, address any APP 8 obligation the practice may have regarding overseas processing. If the practice intends to rely on patient consent as any part of its approach to cross-border disclosure, that consent must be specific and informed about overseas disclosure, and the mechanics of any such consent pathway should be reviewed with a legal adviser.
Ahpra's AI case study guidance notes that generative AI tools such as ChatGPT may store data outside Australia, and that personal information entered into an AI tool that stores data offshore could lead to unintentional breaches of Australian privacy laws. OAIC guidance similarly states that entities must take reasonable steps before cross-border disclosure and may remain accountable for the overseas recipient's handling of the information.
APP 8 vendor assessment questions
Ask these questions specifically about overseas processing — they go beyond general data handling:
| Question | Answer |
|---|---|
| Where is the AI model processing performed? Which country? | |
| Are any sub-processors based overseas? | |
| Does the vendor use a US-based model provider (e.g. OpenAI, Google, AWS)? | |
| Is patient audio or transcript ever sent to an overseas system? | |
| Is there an Australian data residency option that covers all processing stages? | |
| Does the vendor's data processing agreement address overseas disclosure obligations? | |
| Does the vendor explain how Australian privacy obligations are satisfied for cross-border transfers? | |
| Is patient data used to train or improve the model — including by any overseas sub-processor? | |
| What is the deletion process, including deletion from overseas sub-processors? |
If the practice cannot answer these questions, the scribe should not be used with patient data until it can.
Workflow review
| Workflow step | Required control |
|---|---|
| Before consultation | Patient told and consent requested |
| During consultation | Scribe only active if consent recorded |
| After consultation | Dentist reviews draft |
| Note finalisation | Note saved only after clinician approval |
| Patient opt-out | Manual note workflow available |
| Error correction | Clinician can correct and audit changes |
| Deletion | Practice understands what can be deleted |
Red flags
High-review signals to watch for:
- Tool records audio without explicit patient explanation
- Patient cannot opt out
- Data used to train models by default
- Storage or processing location unclear
- Vendor cannot explain retention
- No deletion process
- No audit logs
- Tool writes notes without dentist review
- Tool suggests diagnosis or treatment
- Tool sends patient-facing summaries automatically
- Staff do not know when the scribe is on
- Processing is overseas and the practice has not assessed what that may mean for APP 8
- Vendor cannot confirm where overseas sub-processors are located or what data they receive
- Practice assumes chairside recording consent covers all privacy obligations including cross-border disclosure
Minimum practice policy
AI scribing may only be used with approved tools.
Patients must be informed before use.
Patients may opt out without affecting care.
Consent or refusal must be recorded.
The dentist must review and approve the note before it enters the patient record.
Audio, transcript, prompt and generated-note handling must be reviewed before use.
Public AI tools must not be used to create patient-identifiable clinical notes.
Owner sign-off template
Practice:
Tool:
Approved for use: yes / no / pilot only
Approved users:
Consent script approved: yes / no
Vendor review completed: yes / no
Staff trained: yes / no
Review date:
Owner / principal dentist:
Sources: Ahpra AI guidance · Ahpra AI case studies · OAIC commercial AI privacy guidance · OAIC APP 8 cross-border disclosure guidance