
The AI Vendor Vetting Checklist: 27 Questions Every Dentist Should Ask Before Signing

By Megan Nielsen, February 15, 2026 (updated February 16, 2026)


What You’ll Learn:

  • The essential security and HIPAA compliance questions that protect your practice from lawsuits
  • Marketing and value questions that reveal whether a vendor is worth your investment
  • Technical questions about integrations, customization, and real-world performance
  • Red flags that signal you should walk away immediately
  • Free compliance templates to protect your practice when implementing AI

Stop. Before You Sign That AI Vendor Contract, Read This.

The AI sales pitch is compelling. A friendly rep shows you a demo where their AI receptionist handles calls flawlessly. They promise reduced overhead, fewer missed appointments, and a front desk team that can finally focus on patients instead of phones. You’re ready to sign.

Then six months later, you discover their system has been using your patient conversations to train AI models for competing practices. Or your state’s attorney general comes knocking because you never disclosed that calls were being recorded by AI. Or you realize the “seamless integration” requires your office manager to manually transfer data between systems for two hours every day.

These aren’t hypothetical scenarios. Heartland Dental faced a class action lawsuit over exactly these issues with their AI phone system. The Heartland situation exposed how AI vendors were recording patient calls without proper disclosure and using those transcripts to train systems serving other practices. Patients felt their privacy was violated, and lawyers began circling.

The AI vendor landscape in dentistry right now resembles the Wild West. Products are flooding the market faster than anyone can evaluate them. Some are legitimate game-changers. Others are security nightmares wrapped in slick marketing. Most dentists don’t know which questions to ask to tell the difference.

This checklist changes that. Print it out. Bring it to your next vendor meeting. Ask every single question. The vendors who get frustrated or evasive are telling you everything you need to know.


Part 1: Security and HIPAA Compliance Questions

These questions aren’t optional. They’re the difference between a tool that protects your practice and one that exposes you to six-figure lawsuits and federal investigations. Start here, and don’t move forward until you have satisfactory answers to every single one.

1. Will you sign a Business Associate Agreement (BAA)?

This is non-negotiable. Under HIPAA, any vendor that handles protected health information (PHI) on your behalf must sign a BAA. This agreement establishes their legal obligations to protect patient data and transfers appropriate liability to them if they screw up.

What you want to hear: “Yes, absolutely. Here’s our standard BAA, and we’re happy to review it with you or your attorney.”

Red flag: Any hesitation, claims that a BAA isn’t necessary for their type of service, or statements like “we don’t have access to patient data” when their product clearly interacts with patient information. Walk away.

2. Do you use patient conversations or data to train AI models for other clients?

This is the question that sank Heartland’s vendor. Many AI companies improve their systems by feeding real conversations into their training models. That means Patient A’s call to your practice might be teaching the AI how to respond to Patient B at a completely different practice across the country.

Even if individual identifiers are stripped, this practice raises serious HIPAA concerns and violates patient expectations of privacy.

What you want to hear: “No. Your patient data stays isolated to your practice. We do not use client conversations to train models for other customers.”

Red flag: Vague answers like “we anonymize everything” or “it’s industry standard practice.” Press for specifics. If they can’t clearly explain their data isolation practices, assume the worst.

3. Where is patient data stored, and who has access to it?

You need to understand the physical and logical security of your patient information. Is data stored on U.S. servers? Who within the vendor’s organization can access it? What about their subcontractors?

What you want to hear: Specific answers about data center locations, encryption standards, access controls, and a clear list of who can access what. Bonus points for mentioning role-based access controls and audit logging.

Red flag: “I’d have to check with our technical team” followed by never actually providing the information. Legitimate vendors know exactly where your data lives.

4. What encryption standards do you use for data at rest and in transit?

HIPAA requires that PHI be protected both when it’s sitting on servers (at rest) and when it’s being transmitted between systems (in transit). Industry standard is AES-256 encryption for data at rest and TLS 1.2 or higher for data in transit.

What you want to hear: Specific encryption protocols and standards. If they mention SOC 2 compliance, that’s a higher standard than HIPAA requires and indicates serious commitment to security.

Red flag: Blank stares or generic assurances like “we take security very seriously.” That’s marketing speak, not technical competence.

5. Do you have SOC 2 certification?

SOC 2 (Service Organization Control 2) is a voluntary certification that demonstrates a company has implemented rigorous security controls. It’s not required by HIPAA, but it represents a significantly higher standard of data protection.

What you want to hear: “Yes, we’re SOC 2 Type II certified, and we can provide our certification report.” Type II is better than Type I because it covers how the controls operated over an evaluation period rather than at a single point in time.

Red flag: Not having SOC 2 isn’t automatically disqualifying, but combined with other weak answers, it suggests security isn’t a priority. Be especially cautious with newer companies that haven’t yet invested in certification.

6. Does your system provide call disclaimers that disclose AI use and recording?

Depending on your state, you may be legally required to disclose that calls are being recorded. But beyond legal requirements, patients have reasonable expectations of privacy when calling their healthcare provider. Disclosing AI involvement and recording builds trust and protects your practice.

What you want to hear: “Yes, we include configurable disclaimers at the start of each call that inform patients the call may be recorded and may involve AI assistance.”

Red flag: “That’s not really necessary” or “most of our clients don’t use disclaimers.” Even in single-party consent states, failing to disclose can damage patient trust and expose you to lawsuits.

7. What happens to our data if we cancel the service?

You need to understand the data lifecycle. Can you export your data? How long do they retain it after cancellation? Is it truly deleted, or just archived?

What you want to hear: Clear data retention policies, the ability to export your data before cancellation, and confirmation that data is permanently deleted within a specified timeframe after service ends.

Red flag: “We retain data indefinitely for service improvement” or inability to explain their data deletion process.

8. How do you handle data breaches, and what’s your notification process?

Breaches happen even to the best companies. What matters is how they respond. You need to know their incident response procedures and how quickly they’ll notify you if your patient data is compromised.

What you want to hear: A documented incident response plan, specific notification timeframes (ideally within 24-72 hours), and a clear process for supporting affected practices through the breach response.

Red flag: “We’ve never had a breach” isn’t reassuring; it might just mean they haven’t detected one yet. You want to see that they’ve planned for the worst.

9. Do you carry cyber liability insurance, and what are the coverage limits?

If a vendor causes a breach that affects your patients, their insurance coverage matters. Without adequate coverage, you could be left holding the bag for damages that exceed their ability to pay.

What you want to hear: Confirmation of cyber liability coverage with limits appropriate to the number of practices they serve. Ask for a certificate of insurance if you want verification.

Red flag: No cyber liability insurance or unwillingness to disclose coverage details.


Part 2: Marketing and Value Questions

Security is essential, but you also need to know whether this tool will actually deliver value for your practice. These questions help you cut through the sales pitch and understand what you’re really buying.

10. Can you show me ROI data from practices similar to mine?

Promises are cheap. You want evidence. Ask for specific metrics from practices with similar patient volume, specialty, and geographic area.

What you want to hear: Concrete numbers: “Our average dental practice sees X% reduction in missed calls, Y additional appointments per month, and breaks even within Z days.” Even better if they can connect you with reference practices.

Red flag: Vague claims like “our clients love us” without supporting data, or results only from practices that are dramatically different from yours.

11. Can I speak with current clients in my specialty?

Written testimonials can be cherry-picked or even fabricated. Speaking with actual users gives you unfiltered insight into what the experience is really like.

What you want to hear: “Absolutely. Here are three practices you can contact directly.” Bonus points if they offer practices in your geographic area or specialty.

Red flag: Reluctance to provide references, only offering testimonials rather than live conversations, or references that turn out to be company employees or affiliated practices.

12. What’s the realistic timeline before I see results?

Beware of vendors promising instant transformation. Legitimate AI implementations take time to configure, train, and optimize for your specific practice.

What you want to hear: An honest assessment that includes onboarding time, a learning curve for your team, and realistic expectations for when you’ll see measurable improvement. Most AI receptionists show ROI within 30-60 days, but that’s after proper setup.

Red flag: “You’ll see results immediately” or pressure to sign quickly because “spots are limited.” Manufactured urgency is a classic sales manipulation tactic.

13. What happens if it doesn’t work for us? What’s your cancellation policy?

The AI market is evolving rapidly. You need flexibility to change course if a solution doesn’t deliver or if better options emerge.

What you want to hear: Month-to-month contracts or short commitment periods. Clear cancellation procedures with reasonable notice requirements (30 days is standard). No punitive early termination fees.

Red flag: Multi-year contracts, especially with auto-renewal clauses buried in fine print. Vague cancellation procedures or significant penalties for early termination. If they need to lock you in to keep your business, that tells you something.

14. What’s the total cost, including all fees, integrations, and add-ons?

The advertised price is rarely the whole story. Implementation fees, per-call charges, integration costs, and “premium features” can dramatically inflate your actual spend.

What you want to hear: A complete breakdown of all costs, including what’s included in the base price and what costs extra. Ask specifically about per-minute charges, overage fees, and costs for features you’ll actually need.

Red flag: “We can discuss pricing after the demo” or inability to provide a clear total cost estimate. Hidden fees are a hallmark of vendors who know their real prices aren’t competitive.

15. Am I buying something I actually need, or something you want to sell?

This one’s direct, and that’s the point. Legitimate vendors will help you assess whether their solution fits your actual problems. Predatory ones will sell you whatever they can.

What you want to hear: Questions about your specific challenges, honest assessment of whether their product is the right fit, and willingness to say “this might not be right for you” if your needs don’t align with their solution.

Red flag: Every practice apparently needs their full suite of services. No discovery questions about your current situation. Dismissiveness when you raise concerns or ask pointed questions.


Part 3: Technical and Integration Questions

The best AI in the world is useless if it doesn’t work with your existing systems or requires your team to become IT specialists. These questions ensure you understand the practical realities of implementation.

16. Does this integrate directly with my practice management system?

Integration is the difference between AI that actually saves time and AI that creates new work. If the system can’t read your schedule or book appointments directly into your PMS, your team will be stuck doing manual data entry.

What you want to hear: “Yes, we integrate directly with [your specific PMS]. The AI can check availability and book appointments without staff intervention.” Ask for a demo of the actual integration, not just promises.

Red flag: “We integrate with most major systems” without being able to confirm your specific software. Or integrations that turn out to be one-way (they can read data but can’t write back to your system).

17. What happens when the AI can’t handle a situation?

No AI handles 100% of scenarios perfectly. What matters is how it fails. Does it gracefully transfer to a human? Does it notify your team of issues? Or does it leave patients frustrated?

What you want to hear: Clear escalation protocols. The AI should recognize its limitations, transfer calls appropriately, and alert your team to situations requiring human attention. Ask to see how this works in practice.

Red flag: Claims that the AI “handles everything” or dismissiveness about edge cases. Every system has limitations; vendors who won’t acknowledge them are hiding something.

18. Can I customize how the AI speaks and responds for my practice?

Your practice has its own personality, procedures, and patient expectations. A one-size-fits-all AI receptionist may not represent you well.

What you want to hear: Customizable scripts, configurable responses, and the ability to train the AI on your specific procedures, insurance policies, and office protocols. Ask about customizing voice, tone, and specific terminology.

Red flag: Rigid scripts with no customization options, or customization that requires expensive “professional services” add-ons.

19. What’s the onboarding process and how long does it take?

Implementation can be simple or nightmarish depending on the vendor. You need to understand the time commitment from your team and how much support you’ll receive.

What you want to hear: A structured onboarding process with clear milestones, dedicated support during implementation, and realistic time estimates. Most practices should expect 2-4 weeks from signing to full deployment.

Red flag: “Just flip a switch and you’re live” (oversimplification) or vague timelines that keep extending. Both extremes suggest problems.

20. What kind of ongoing support do you provide?

The relationship doesn’t end after implementation. You’ll have questions, issues, and needs that arise over time.

What you want to hear: Dedicated support channels, reasonable response time commitments, and access to real humans (not just chatbots) when you have problems. Ask about support hours and whether you’ll have a dedicated account manager.

Red flag: Support only via email with 48-72 hour response times, or support that requires additional fees beyond your subscription.

21. How do you handle multiple languages?

If your patient population includes non-English speakers, you need an AI that can communicate effectively with them.

What you want to hear: Native support for the languages your patients speak, with natural fluency rather than awkward translations. Ask for a demo in the specific languages you need.

Red flag: Claims of multilingual support that turn out to be “Spanglish” or obviously machine-translated responses. Early AI implementations often struggle with this, so verify before you commit.


Part 4: Transparency and Disclosure Questions

Beyond technical compliance, you need to ensure your AI implementation maintains patient trust and aligns with ethical practices.

22. Does the system clearly identify itself as AI to patients?

Patients have a right to know when they’re interacting with AI rather than a human. Transparency builds trust; deception erodes it.

What you want to hear: “Yes, the AI introduces itself appropriately and patients are aware they’re speaking with an automated system.”

Red flag: Systems designed to deceive patients into thinking they’re speaking with humans. This might seem like a feature, but it’s an ethical landmine.

23. What do I need to update in my privacy practices to reflect AI use?

Your Notice of Privacy Practices likely needs updating to reflect AI implementation. A good vendor should be able to guide you through this process.

What you want to hear: Clear guidance on privacy practice updates, templates or language you can use, and awareness of the compliance requirements around AI disclosure.

Red flag: “You don’t need to change anything” or unfamiliarity with privacy practice requirements. They may not be lawyers, but they should understand the compliance landscape for their own products.

24. Can you provide documentation of your compliance practices?

Trust but verify. Ask for written documentation of their security practices, compliance certifications, and privacy policies.

What you want to hear: “Here’s our security whitepaper, our SOC 2 report, our HIPAA compliance documentation, and our privacy policy.” Legitimate vendors have this ready to share.

Red flag: Verbal assurances without written documentation. “We’re working on that” suggests they haven’t prioritized compliance.


Part 5: Future-Proofing Questions

The AI landscape is evolving rapidly. The tool you buy today will need to grow and adapt.

25. What’s on your product roadmap?

AI vendors that aren’t continuously improving will quickly become obsolete. You want a partner invested in ongoing development.

What you want to hear: Specific upcoming features, a clear development timeline, and responsiveness to customer feature requests. The best vendors are building comprehensive platforms, not just point solutions.

Red flag: Vague promises about future features or a product that hasn’t meaningfully evolved in the past year.

26. How long has your company been in business, and what’s your financial stability?

The dental AI space is littered with startups. Some will succeed; many will fail. You don’t want to invest in a tool that disappears in six months.

What you want to hear: An established track record, evidence of financial stability (funding announcements, profitable operations, or backing from established companies), and a clear business model.

Red flag: Brand new companies with no track record, heavy reliance on venture capital with no path to profitability, or evasiveness about their financial situation.

27. Is this built specifically for dental, or is it a generic solution?

Dental practices have unique workflows, terminology, and patient expectations. Generic AI solutions often require extensive customization and may never quite fit.

What you want to hear: “We built this specifically for dental practices. We understand the difference between a prophylaxis and a periodontal maintenance appointment, and we’ve trained our AI accordingly.”

Red flag: Generic healthcare or small business solutions being marketed to dental. They may work, but they’ll require more configuration and may miss dental-specific nuances.

Red Flags at a Glance

If you encounter any of these during your vendor evaluation, proceed with extreme caution or walk away:

Category          Red Flag
Security          Won’t sign a BAA
Security          Vague about data handling or training practices
Security          Can’t explain where patient data is stored
Sales Tactics     Manufactured urgency or pressure tactics
Sales Tactics     Guaranteed results or rankings
Contracts         Long contracts with no flexibility or hidden fees
Credibility       No references or won’t connect you with current clients
Technical         Can’t clearly explain how their technology works
Integration       Can’t confirm integration with your specific PMS


Protect Your Practice Before You Sign

The AI revolution in dentistry is real, and practices that adopt the right tools will gain significant competitive advantages. But “right tools” is the operative phrase. The wrong AI implementation can expose your practice to federal lawsuits, damage patient trust, and create more problems than it solves.

Use this checklist. Ask every question. Document the answers. And remember that vendors who get defensive or evasive when asked about security and compliance are telling you everything you need to know about how they’ll handle problems down the road.

The vendors who welcome these questions, have clear answers ready, and can provide documentation and references are the partners worth considering. They understand that your due diligence protects both of you.

Before implementing any AI solution, make sure your compliance documentation is current. My Social Practice has partnered with Adams Brown CPAs to provide free HIPAA compliance templates, including an updated Privacy Practices Disclosure and Business Associate Agreement. These templates are specifically designed for dental practices implementing AI technology. Download them at this link.

Frequently Asked Questions

What’s the most important question to ask an AI vendor?

If you can only ask one question, ask: “Will you sign a Business Associate Agreement, and do you use patient conversations to train AI models for other clients?” This two-part question covers the most critical compliance and privacy concerns. A vendor who won’t sign a BAA or who uses your patient data to improve services for competitors should be immediately disqualified, regardless of how impressive their demo looks.

How do I know if an AI vendor is HIPAA compliant?

There’s no official “HIPAA certified” designation, so you need to verify compliance through documentation and due diligence. Key indicators include: willingness to sign a BAA, clear documentation of security practices, encryption standards that meet or exceed HIPAA requirements (AES-256 for data at rest, TLS 1.2+ for data in transit), SOC 2 certification (a higher standard than HIPAA requires), and specific answers about data storage, access controls, and breach notification procedures. If a vendor can’t provide clear answers to these questions, assume they haven’t prioritized compliance.

Should I update my privacy practices before implementing AI?

Yes, absolutely. Your Notice of Privacy Practices should explicitly address AI use, including how AI assists with patient communication and what data is collected and stored. You’ll also need to get patients to sign updated privacy practice acknowledgments. My Social Practice offers free templates for both Privacy Practices Disclosures and Business Associate Agreements that are specifically designed for dental practices implementing AI technology. Updating these documents before launch protects your practice and demonstrates transparency to patients.

About the Author: Megan Nielsen is an SEO strategist and the Grand Overlord of copywriting at My Social Practice. My Social Practice is a dental marketing company that offers a full suite of dental marketing services to thousands of dental practices throughout the United States and Canada.
