Dental AI guide

Start Here: Where Patient Data Is Protected — and Where It Escapes

The one idea behind every dental AI risk — your practice system is what protects patient information, and the moment data leaves it, that protection is gone.

Before any specific tool or rule, there is one idea that explains every dental AI privacy risk: your practice system is what protects patient information, and the moment data is taken out of it, that protection does not travel with it. Understand this, and the rest of the guides make sense.

No patient data required. Use these guides for practice workflow education, not patient-specific advice.

You have a dental system for a reason. The biggest AI risk is not the AI — it is taking patient information out of that system.

This guide is the foundation for everything else in the library. It is general educational material for dental practice owners and staff, not legal or clinical advice.

Two privacy laws apply in NSW. As well as the Commonwealth Privacy Act 1988 and its Australian Privacy Principles (APPs), dental practices in NSW are also bound by the NSW Health Records and Information Privacy Act 2002 (HRIP Act) and its Health Privacy Principles (HPPs). Read the considerations here against both. General information, not legal advice.

The one idea

Your practice-management system (PMS) is not just where the data lives. It is what protects it. It enforces who can see what, records every access in an audit trail, applies retention rules, secures the data, and keeps it inside a boundary you control.

The moment patient information is taken out of that system — copied into an email, pasted into ChatGPT, saved to the desktop as a PDF, opened in Word or Canva, synced to a personal cloud drive, dropped into a chat widget, or handed to a marketing tool — none of that protection comes with it. The information is now a loose copy, sitting outside the boundary that was built to keep it safe.

That is the core risk. Almost every specific danger in the other guides — overseas processing, the spread of treatment plans, a staff member pasting a name into public AI, an after-hours chatbot storing symptoms — is a consequence of patient information leaving the protected system in the first place.

Why it gets worse: extraction starts a cycle

Extraction is not a single event. It is the start of a cycle, because a loose copy tends to make more copies:

  • It gets re-worked, then fed back to AI. Pulled out, edited in Word to "make it better", pasted into an AI tool to polish, pasted back in. Each round trip is another copy.
  • An AI quietly reads the whole folder. An "AI assistant" or desktop tool that "reviews your Documents folder" reads every extracted file sitting in Downloads or on the Desktop — including ones you forgot were there.
  • A backup sweeps it up. That loose file gets caught in an automatic cloud backup — copied again, kept for years, and often stored overseas.

So one extraction becomes many copies, in many places you no longer control, persisting long after the original task is done. That is the engine behind every other risk in this library.

Also in the full guide

  • Where it bites: two privacy laws, and the overseas problem
  • The simple rule
  • What good looks like
  • Where data escapes — and which guide covers it
  • The honest summary

Optional — get a customised version

Request the version adapted for your practice

The guide above is free to read and download. If you would like a version tailored to your practice workflow, leave your details below. Use practice-level details only. Do not include patient names, treatment details, clinical notes, X-rays, invoices or identifiable emails.