Last Updated: March 10, 2026
Before adopting any AI for dental documentation, every dentist should ask: Does this tool require explicit patient consent before recording, and is that consent documented in a verifiable workflow? Recent lawsuits against dental support organizations allege ambient AI scribes recorded patient conversations without proper consent — violating both state wiretapping laws and HIPAA regulations. A privacy-first AI dental scribe requires four non-negotiable elements: (1) informed patient consent before any audio capture begins, (2) documented and auditable consent records per patient, (3) clear and specific data retention and deletion policies, and (4) a signed HIPAA Business Associate Agreement with the vendor.
Lawsuits against major healthcare organizations—including a prominent dental support organization—allege that ambient AI scribes recorded patient conversations without proper consent. The claims are serious: violations of wiretapping laws, breach of privacy, and a fundamental betrayal of patient trust.
If you’re considering AI documentation tools for your practice, these cases aren’t just news. They’re a warning sign about what happens when technology moves faster than thoughtful implementation.
By Brad Hutchison, CEO & Founder, OraCore AI
The Rush to Automate—and What Gets Lost
The appeal of ambient AI scribes is obvious. Instead of typing notes after every appointment, the AI listens, transcribes, and generates documentation automatically. For dentists spending two or more hours per day on charting, that’s transformative.
But here’s where some implementations went wrong: they treated consent as an afterthought.
In the cases now making headlines, patients allege they weren’t adequately informed that AI was recording their appointments. Some claim they weren’t informed at all. The result? Legal exposure, damaged trust, and a chilling effect on AI adoption across the industry.
The tragedy is that none of this was necessary. Privacy-first AI isn’t just possible—it’s the only responsible path forward.
What “Privacy-First” Actually Means
Let’s be specific. A privacy-first approach to ambient AI documentation isn’t just about checking compliance boxes. It’s a design philosophy that puts patient rights at the center of every decision.
Informed consent is non-negotiable. Before any recording begins, patients must understand what’s happening, why, and how their data will be used. This isn’t a form buried in intake paperwork—it’s an actual conversation, documented and verifiable.
The human remains in control. AI should draft notes, not finalize them. Every piece of documentation generated by AI should be reviewed and approved by the clinician before it becomes part of the patient record. This isn’t just good practice; it’s a safeguard against errors and a clear chain of accountability.
Data handling must be deterministic, not opaque. Patients deserve to know exactly where their information goes, how long it’s retained, and who can access it. “Trust us” isn’t an answer. Transparent, auditable systems are.
Recording is visible, not hidden. If AI is listening, patients should know—in the moment, not after the fact. Visual indicators, clear verbal confirmations, and easy opt-out mechanisms aren’t obstacles to adoption. They’re foundations for trust, and I’m seeing first hand that patients are generally excited about this.
The Compliance Reality
Beyond the ethical imperatives, there’s the regulatory landscape to consider.
HIPAA establishes baseline requirements for protected health information, but it doesn’t explicitly address ambient recording. That gap doesn’t mean freedom—it means risk. States have varying wiretapping and consent laws, and healthcare facilities can face liability under both federal and state frameworks.
The organizations now facing lawsuits likely had some form of consent process in place. The allegations suggest those processes were insufficient—either in design, implementation, or documentation.
For dental practices, the lesson is clear: compliance isn’t about minimum requirements. It’s about building workflows that prioritize transparency at every step.
Questions to Ask Any AI Vendor
If you’re evaluating AI documentation tools, here’s what to demand—not request, demand—from any vendor:
How is consent obtained and documented? Look for specific workflows, not vague assurances. Can you see exactly how consent is captured, stored, and associated with each recording?
What happens to the audio after processing? Is it retained? For how long? Where? Who has access? If the vendor can’t answer these questions precisely, walk away.
How does the AI handle sensitive disclosures? Patients sometimes share information they don’t want documented—concerns about a spouse, financial worries, casual comments. How does the system ensure those moments don’t end up in clinical notes?
What’s the human review workflow? If AI generates notes that go directly into the record without clinician approval, that’s not a documentation tool. It’s an autonomous agent making healthcare decisions, and that should concern everyone.
How are patients informed in the moment? In many states, paper or digital consent forms are necessary but insufficient. What visual or verbal cues ensure patients know recording is active throughout the appointment? AI is a benefit to our patients as much as it is to providers. Have an open honest conversation and you will quickly learn how fun it is to talk about this.
The Path Forward
None of this means dental practices should avoid AI documentation. The benefits—reduced administrative burden, improved work-life balance, better capture of clinical details—are real and significant.
But those benefits only matter if they’re built on a foundation patients can trust.
The practices that thrive with AI will be the ones that treat privacy as a feature, not a constraint. They’ll be transparent with patients, rigorous with vendors, and committed to keeping humans at the center of clinical documentation.
The practices that cut corners? They’re the next headlines waiting to happen.
Our Approach
At OraCore, we built our AI scribe with these principles from day one. Patient consent is explicit and documented. Audio processing follows strict retention policies. Every AI-generated note requires clinician review before becoming part of the record. And we’re transparent about exactly how data flows through our system.
We believe ambient AI can transform dental documentation—but only if it’s done right. That means building technology that earns trust, not just captures efficiency.
Ready to see privacy-first AI documentation in action? Schedule a demo and we’ll walk you through exactly how we handle consent, data, and the human-AI workflow.
Frequently Asked Questions
Yes — categorically. Any ambient audio recording of a patient in a healthcare setting requires explicit informed consent under HIPAA, and in many states, under separate wiretapping or eavesdropping statutes. “Ambient” doesn’t mean invisible — patients must be told that AI is listening, what it captures, how long recordings are retained, and how they can opt out. Failure to obtain and document consent before recording creates both HIPAA liability and potential civil exposure under state wiretapping laws.
Under HIPAA, any AI tool that captures, processes, or stores Protected Health Information (PHI) — including audio recordings of patient appointments — must: (1) operate under a signed Business Associate Agreement (BAA) with the dental practice; (2) use encryption for data in transit and at rest; (3) maintain audit trails showing who accessed PHI and when; (4) implement data minimization — retaining only what’s necessary; (5) have documented breach notification procedures. Meeting these requirements is the minimum threshold for a HIPAA-compliant dental AI scribe.
Yes. Lawsuits filed in 2025 and 2026 against dental support organizations allege that ambient AI scribes were deployed in patient operatories without proper patient notification or consent documentation. Plaintiffs cite violations of state wiretapping statutes (which are stricter than HIPAA in several states) and HIPAA’s PHI handling requirements. These cases are active and their outcomes will likely shape dental AI consent standards going forward. Practices should not wait for final rulings to implement consent workflows.
Best practice is a layered consent approach: (1) add AI scribe disclosure to the new patient paperwork that all patients sign; (2) verbally inform patients at the start of each appointment that AI documentation assistance is in use; (3) offer a clear opt-out option that staff can implement immediately; (4) retain signed consent records in the patient chart. Some practices use a brief verbal consent script at room entry — “I use an AI assistant to help with documentation today, is that okay?” — with a yes/no response logged in the chart.
Five non-negotiable questions: (1) Will you sign a HIPAA Business Associate Agreement? (If no, stop the conversation.) (2) Where is patient audio stored, for how long, and who can access it? (3) Is audio processed on-device or sent to external servers? (4) What encryption standards apply during transmission and storage? (5) What is your data breach notification procedure and timeline? Any vendor that can’t answer all five specifically and in writing is not an appropriate choice for handling patient PHI.
It depends on state law and consent documentation. Under HIPAA, it is legal with proper consent and a BAA. But over a dozen states (including California, Illinois, and Florida) have wiretapping or eavesdropping statutes requiring all-party consent — meaning both the clinician AND the patient must affirmatively consent to recording. A BAA alone doesn’t satisfy state wiretapping law. Dental practices in all-party consent states must obtain documented patient consent before any ambient recording begins, every appointment.
HIPAA does not specify a retention period for audio recordings specifically, but PHI retention best practice and state dental record requirements (which vary from 5–10 years for adult records, often longer for minors) provide the framework. However, most AI scribe vendors argue that audio recordings are transient — used only to generate the note, then deleted — rather than part of the permanent clinical record. Ask your vendor explicitly: what is deleted and when? Get the answer in writing and confirm it aligns with your state’s dental record retention requirements.
Two-party (or all-party) consent states require everyone being recorded to consent — not just one party. Key all-party consent states for dental practices: California, Connecticut, Florida, Illinois, Maryland, Massachusetts, Michigan, Montana, Nevada, New Hampshire, Oregon, Pennsylvania, and Washington. In these states, using ambient AI without explicit patient consent per appointment may violate state wiretapping law regardless of HIPAA compliance. Practices in one-party consent states still face HIPAA requirements — but state laws add an additional legal layer in all-party states.