Dental AI Blueprint printable guide
Can I Paste This Into AI?
A red, amber, green guide for dental staff before they use public AI tools.
If it identifies a patient or describes their care, do not paste it into public AI.
This guide is not legal advice. It is a practical staff safety guide for public AI tools. When unsure, do not paste the information. Ask the practice owner or manager.
Two privacy laws apply in NSW. As well as the Commonwealth Privacy Act 1988 and its Australian Privacy Principles (APPs), dental practices in NSW are also bound by the NSW Health Records and Information Privacy Act 2002 (HRIP Act) and its Health Privacy Principles (HPPs). Read the considerations here against both. General information, not legal advice.
What is public AI?
Public AI includes:
- ChatGPT (free or paid personal account)
- Gemini (free or paid personal account)
- Claude (public web version)
- Canva AI
- Social media AI tools
- Word or email AI features not approved by the practice
- Browser AI assistants and writing tools
- Any tool not approved by the practice for patient data
It also leaves the country
Pasting patient information into a public AI tool does not just expose it on a screen — it likely sends it overseas.
Public AI tools such as ChatGPT, Gemini and Claude process the information entered into them on servers outside Australia. When a practice pastes identifiable patient information into one of these tools, that may constitute a cross-border disclosure of personal information under APP 8 of the Privacy Act. APP 8 requires an APP entity to take reasonable steps before disclosing personal information to an overseas recipient, and the Australian practice can generally remain accountable for what the overseas recipient does with that information.
This is a separate consideration on top of the "don't expose patient data" message — not a replacement for it.
Practice manager note: Whether a specific act of pasting is characterised as a disclosure (APP 8) or a use (APP 6) of personal information is a nuanced legal question. What is clear is that pasting identifiable patient information into a public AI tool is a possible cross-border disclosure and a review trigger for the practice, not a safe default. Ahpra's AI case studies note that generative AI tools such as ChatGPT may store data outside Australia, and that patient data entered into offshore AI tools could lead to unintentional privacy breaches. The OAIC recommends not entering personal or sensitive information into publicly available generative AI tools.
This guide is not legal advice. If a practice is unsure about its obligations, seek qualified privacy or legal advice.
Green: Usually OK
Use public AI for generic, non-patient, non-confidential tasks.
| Example | Why it is green |
|---|---|
| "Write a social post about brushing twice daily." | General education, no patient data. |
| "Create a checklist for preparing for a dental appointment." | Generic patient education. |
| "Rewrite this generic appointment reminder." | No patient details included. |
| "Summarise public Ahpra advertising guidance in plain English." | Public source material. |
| "Draft a job ad for a dental assistant." | No patient data. |
| "Create a staff meeting agenda." | Internal admin, no sensitive details. |
| "Suggest headings for an emergency dental page." | Generic website planning. |
Green prompt template
Write generic patient education copy for an Australian dental practice.
Do not include patient-specific advice, guarantees, testimonials or claims of painless or risk-free outcomes.
Amber: Check first
These may be OK only if de-identified, generic and approved by the practice.
| Example | Why it is amber |
|---|---|
| De-identified patient scenario | May still be identifiable if details are unique. |
| Generic recall SMS wording | Usually fine if no patient details are included. |
| Complaint response template | Risky if actual complaint details are pasted. |
| Treatment explanation wording | Fine if generic; risky if patient-specific. |
| Marketing copy for cosmetic treatments | Advertising rules need care. |
| Staff performance summary | May include personal information about staff. |
| Internal policy draft | Usually fine unless it includes incidents or patient examples. |
Amber rule
Before using AI, remove:
- Names
- Contact details
- Dates of birth
- Appointment dates
- Clinical specifics
- Unique details
- X-rays, photos, invoices and treatment plans
Ask the practice manager if unsure.
Red: Do not paste
Do not paste these into public AI.
| Data | Examples |
|---|---|
| Patient names | "Sarah Nguyen needs..." |
| Contact details | phone, email, address |
| Clinical notes | symptoms, diagnosis, treatment notes |
| Treatment plans | implant plan, crown quote, aligner proposal |
| X-rays and photos | images, scans, intraoral photos |
| Medical history | pregnancy, diabetes, medication, allergies |
| Appointment records | bookings, cancellations, attendance |
| Invoices and payments | itemised treatment and costs |
| Referrals | provider letters, specialist reports |
| Patient complaints | patient-identifiable complaint details |
| Patient lists | recall lists, unscheduled treatment lists |
| Review matching | using PMS to identify online reviewers |
| Email attachments | X-rays, treatment plans, forms, referrals |
Red examples
Do not paste:
Rewrite this treatment plan for John Smith. He needs two crowns and an implant...
Do not paste:
Summarise this patient email. She says she has swelling around her wisdom tooth and takes blood thinners...
Do not paste:
Make this complaint response nicer. The patient was unhappy after root canal treatment...
Do not paste:
Here is our overdue recall list. Write SMS messages for each person...
Do not paste:
Can you identify which of these Google reviewers are patients from our PMS?
Staff decision guide
1. Does it identify a patient?
Yes → do not paste.
No → continue.
2. Does it describe someone's health, treatment, appointment or payment?
Yes → do not paste unless approved and de-identified.
No → continue.
3. Is it a real patient story, review, complaint, email, treatment plan or image?
Yes → do not paste.
No → continue.
4. Is it generic education, admin or marketing wording with no patient data?
Yes → usually okay.
Unsure → ask first.
Safer alternatives
| Risky task | Safer approach |
|---|---|
| Rewrite patient treatment plan | Use approved generic wording blocks or controlled internal AI. |
| Summarise patient email | Summarise manually or use approved filtered workflow. |
| Draft complaint response | Use generic template, add details manually inside approved system. |
| Recall list messaging | Use approved PMS or recall tool with consented workflow. |
| Marketing using patient data | Check consent and purpose before use. |
| AI scribe | Use approved tool with consent and dentist review. |
Practice policy insert
Staff may use approved AI tools for generic, non-patient content only.
Staff must not enter patient-identifiable information, treatment plans, clinical notes, X-rays, photos, invoices, appointment records, patient emails or patient lists into public AI tools.
Any AI tool that reads patient data, emails, calls, treatment plans or clinical records must be reviewed and approved by the practice owner before use.
Sources: Ahpra AI guidance · Ahpra AI case studies · OAIC commercial AI privacy guidance · OAIC APP 8 cross-border disclosure