What the Heartland Dental Lawsuit Reveals About AI and HIPAA Compliance

When the Byte Sized podcast invited technology consultant and former dental practice manager Tammie Powers to discuss the Heartland Dental lawsuit, the goal was simple — help dental professionals understand what happens when technology advances faster than compliance. The conversation quickly became one of the most important wake-up calls the industry has seen in years.

This isn’t just another regulatory discussion. We’re looking at a federal wiretapping lawsuit with potential damages that could reach $95 million, and every practice using AI tools for dentists needs to understand how this could affect them.

The Heartland Disaster: How Good Intentions Created a Legal Nightmare

The issue was not the use of AI itself but how it was deployed. Heartland Dental used RingCentral’s AI-assisted phone systems to handle patient calls. According to the class action lawsuit, those calls were recorded without proper disclosure and used to train AI models for other practices.

That created what Powers described on Byte Sized as a “double violation.” Patients were not informed their calls were being recorded in states that require two-party consent. Those same recordings were then shared with AI systems outside the original practice network.

“Patients felt like that was a violation of their HIPAA privacy and their personal information,” Powers explained during the episode. The incident has now escalated into a federal wiretapping case with potential damages in the tens of millions.

For dental practice owners, this moment should spark one key question — how secure and transparent are your AI systems?

The technical process behind this violation is something most practice owners never consider. When AI companies build their phone agents, they often use real conversations as training data to improve responses. Host Adrian Lefler captured this during the podcast discussion when he said they “take that transcript from the call and they pull it into like an AI brain and they say, ‘I want you to look at these hundreds or thousands of calls and I want you to use them as a training model to improve how you answer calls for other practices.’”

The Compliance Nightmare: Navigating State Law Variations

One of the most challenging aspects discussed involves the complex landscape of state recording consent laws. The United States operates under a confusing mix of one-party and two-party consent states, each with specific requirements.

“You can’t just have one rule for RingCentral for one state because they operate across the nation. And so that causes a problem especially when patients are not made aware and you live in a dual party state where you have to have consent from both parties,” Powers explained.

But here’s what’s really crucial: even in single-party consent states, patients have reasonable expectations of privacy when calling their healthcare provider. “Patients don’t expect the phone conversation that they believe to be private. They don’t expect that phone conversation to be shared to anybody else.” This expectation creates an ethical obligation that goes beyond minimum legal requirements.

For multi-location practices and DSOs operating across state lines, the recommendation is clear: implement the highest standard across all locations. “My recommendation would be to put the disclaimer on. Put the disclaimer on because just because you’re in a single party state, you’re going to lose patients because they’re going to feel like you violated their trust.”

The Four Pillars of AI Compliance Every Practice Needs

Powers outlined four steps for practices using AI technology to stay compliant and maintain patient trust:

  1. Call Disclaimers: Your First Line of Defense – Every AI-assisted call must begin with clear disclosure, regardless of state requirements. This transparency manages patient expectations and provides legal protection.
  2. Updated Privacy Practices: Documentation That Protects – Your practice’s privacy practices must explicitly address AI use. These updates must be prominently displayed and provided to patients, serving as legal documentation of your AI adoption and demonstrating transparency.
  3. Business Associate Agreements: Passing the Liability Buck – Any AI vendor must sign comprehensive Business Associate Agreements specifically addressing their AI technology and data handling practices. “You need to make sure you have a business associate agreement for that software so that they sign it. You’re covered under HIPAA because you have had them sign that business associate agreement.”
  4. Patient Signatures: Closing the Compliance Loop – Patients must receive updated privacy practices and provide written acknowledgment of your AI use, creating a paper trail that demonstrates informed consent.

The Questions Every Practice Must Ask AI Vendors

During this discussion, Adrian and Tammie dove deep into the due diligence process. The most important question for any AI vendor is whether they use patient conversations to train systems for other clients. Reputable vendors should clearly explain their data use policies and confirm that patient conversations remain isolated to your practice.

Encryption and security standards were also discussed in the episode. While SOC 2 encryption isn’t required for HIPAA compliance, it represents a higher standard. “HIPAA doesn’t say you have to have SOC 2. This is like another level of encryption.” However, vendors must meet minimum HIPAA encryption requirements for data at rest and in transit.

When AI Helps Fix the Problem

Ironically, AI can also help solve the compliance challenges it creates. During this episode, Powers and host Adrian Lefler discussed how AI can automate parts of the consent process. For example, some systems can send digital privacy forms to patients after appointments and collect their signatures automatically.

“What we’re doing is using AI to protect practices from being sued over their AI,” Lefler said. That combination of automation and accountability is where the future of dental technology is heading.

The Takeaway for Dental Practice Owners

AI is here to stay in dentistry. It improves efficiency, reduces administrative work and enhances the patient experience. But without transparency, it can also expose practices to lawsuits, HIPAA violations and loss of trust.

The Heartland case makes one thing clear: the biggest mistake is not the adoption of new technology but the failure to document and disclose how that technology works.

“The AI agents aren’t here to replace your practice team members. They’re here to take away some of those form fills.” The key is transparency about what tasks AI handles versus what remains in human control.

Questions?

For more specific guidance on AI compliance and Business Associate Agreements, reach out to the team at Adams Brown. We’re here to help you navigate these complex issues while embracing AI’s incredible potential.

Thanks to Adrian and the entire Byte Sized podcast team for the platform to discuss these important issues. Listen to the full episode and download the free HIPAA compliance templates that Adams Brown CPA and My Social Practice have created specifically for dental practices implementing AI technology.

Frequently Asked Questions

Do I need to disclose AI use even if my state only requires one-party consent for call recording?

Yes, you should always disclose AI use and call recording regardless of your state’s minimum legal requirements. Even in one-party consent states, patients have reasonable expectations of privacy when calling their healthcare provider. 

What questions should I ask an AI vendor to ensure they won’t use our patient conversations inappropriately?

The most critical question is whether patient conversations from your practice are used to train AI systems that serve other clients. Ask for detailed explanations of how patient data is encrypted, stored, and protected. Verify that the vendor provides comprehensive Business Associate Agreements that specifically address AI technology. 

How can I implement the compliance measures you discussed without overwhelming my team?

Start with the free HIPAA compliance templates we’ve created with My Social Practice. These templates handle the legal documentation, and AI dental receptionists can actually help automate the process of getting patients to sign updated privacy practices. Focus on transparency about what tasks AI handles versus what remains in human control.

What are the real financial risks of not addressing these compliance issues?

The Heartland lawsuit shows potential damages reaching $95 million. Failing to disclose AI use damages patient trust, which is far more valuable than any technology efficiency. HIPAA compliance requirements exist to protect both patients and practices.

How does this relate to the broader benefits of AI in dentistry?

These tools can generate thousands of dollars in additional monthly revenue and dramatically improve practice efficiency. The key is implementing AI in dental marketing and patient communication responsibly. AI agents aren’t here to replace your practice team members; they’re here to handle routine tasks while your team focuses on patient care.