
[Byte Sized Podcast Ep. 10] Heartland’s Class Action Nightmare: The AI Mistake Every Dental Practice Is Making Feat. Tammie Powers

September 9, 2025 / September 12th, 2025

The Heartland Dental Lawsuit: What Every Practice Needs to Know About AI Phone Systems and HIPAA Compliance

Let’s picture a scenario. You’re a dental practice owner who just invested in the latest AI phone receptionist to handle after-hours calls and reduce missed appointments. The technology works beautifully, patients seem satisfied, and your team loves not being interrupted during procedures. Then one morning, you wake up to find your practice named in a federal wiretapping lawsuit with potential damages in the millions. This nightmare scenario just became reality for Heartland Dental, and it’s sending shockwaves through the entire industry.

In this week’s Byte Sized Podcast episode, host Adrian Lefler sat down with Tammie Powers from Adams Brown CPA to dissect the Heartland Dental class action lawsuit and unpack the critical cybersecurity lessons every dental practice must learn. Powers, who spent 24 years as a dental practice manager before transitioning to cybersecurity consulting, brings a unique perspective on both the operational challenges and legal requirements facing modern dental practices.

The conversation reveals a complex web of federal wiretapping laws, HIPAA compliance issues, and AI training practices that could fundamentally change how dental practices implement technology solutions. With Apple recently agreeing to a $95 million settlement for similar issues with Siri, the stakes have never been higher for healthcare providers venturing into AI territory.

The Heartland Dental Disaster: How It All Went Wrong

The Heartland Dental lawsuit centers around their partnership with Ring Central, a company that provided AI-powered phone assistance across Heartland’s nationwide network of dental offices. The problem wasn’t necessarily the AI technology itself, but rather how the conversations were being handled behind the scenes.

According to Powers, “What they weren’t doing though was they weren’t disclosing that it was AI and those conversations were being used to help market to other clients instead of keeping them private.” The lawsuit alleges that Ring Central was recording patient calls without proper disclosure and then using those transcripts to train AI agents that served other practices across their client base.

This creates a double violation: first, the failure to properly disclose call recording in states requiring two-party consent, and second, the use of patient health information to improve services for completely unrelated healthcare providers. Powers emphasized the gravity of this breach of trust: “Patients felt like that was a violation of their HIPAA privacy and their personal information.”

The technical process behind this violation involves something most practice owners never consider. When AI companies build their phone agents, they often use real conversations as training data to improve the system’s responses. As Adrian explained during the podcast, “They take that transcript from the call and they pull it into like an AI brain and they say, ‘I want you to look at this call or these hundreds or thousands or hundreds of thousands of calls and I want you to use them as a training model to improve how you answer calls for other practices.'”

This practice, while technically sophisticated, creates a scenario where Patient A’s conversation with their trusted dental office becomes part of the knowledge base that helps an AI agent respond to Patient B at a completely different practice hundreds of miles away. Even though the patients never directly interact, their health information is being shared across practice boundaries without consent.


The Patchwork of State Laws Creating Compliance Nightmares

One of the most challenging aspects of the Heartland situation involves the complex landscape of state recording consent laws. The United States operates under a confusing mix of one-party and two-party consent states, each with its own specific requirements and exceptions.

In one-party consent states, only one person on the call needs to know about the recording. However, this doesn’t mean the patient doesn’t need to know; it simply means the practice can legally record without explicit patient consent. Two-party consent states require both parties to be aware of and agree to the recording, typically through an automated disclosure message.

Powers highlighted the practical challenge this creates for large organizations like Heartland: “You can’t just have one rule for Ring Central for one state because they operate across the nation. And so that causes a problem especially when patients are not made aware and you live in a dual party state where you have to have consent from both parties.”

The real issue extends beyond legal compliance to patient trust and expectations. Even in single-party consent states, patients have reasonable expectations of privacy when calling their healthcare provider. “Patients don’t expect the phone conversation that they believe to be private. They don’t expect that phone conversation to be shared to anybody else,” Powers explained. This expectation of privacy creates an ethical obligation that goes beyond the minimum legal requirements.

For multi-location practices and DSOs operating across state lines, this creates a compliance nightmare. The safest approach, according to Powers, is to implement the highest standard across all locations: “My recommendation would be put the disclaimer on. Put the disclaimer on because just because you’re in a single party state, you’re going to lose patients because they’re going to feel like you violated their trust.”

Building Your Defense: The Four Pillars of AI Compliance

Based on the Heartland situation and evolving regulatory landscape, Powers outlined the essential non-negotiables for any dental practice implementing AI phone systems or similar technologies.

Call Disclaimers: Your First Line of Defense

Every AI-assisted call must begin with a clear disclosure. This isn’t optional, even in single-party consent states. The disclaimer should inform patients that the call is being recorded and may involve AI assistance. This transparency helps manage patient expectations and provides legal protection.


Updated Privacy Practices: Documentation That Protects

Your practice’s privacy practices must explicitly address AI use. This means updating your written policies to clearly state that you use AI assistance for phone calls, patient communication, and other specified activities. These updates must be prominently displayed on your website and provided to patients.

The privacy practices serve multiple purposes: they provide legal documentation of your AI use, help educate patients about your technology adoption, and demonstrate your commitment to transparency.

Business Associate Agreements: Passing the Liability Buck

Any AI vendor you work with must sign a comprehensive Business Associate Agreement (BAA) that specifically addresses their AI technology and data handling practices. This agreement ensures that liability for data breaches or misuse can be properly assigned to the technology vendor rather than falling entirely on your practice.

Powers stressed the importance of these agreements: “You need to make sure you have a business associate agreement for that software so that they sign it. You’re covered under HIPAA because you have had them sign that business associate agreement.”

Patient Signatures: Closing the Compliance Loop

Finally, patients must receive a copy of your updated privacy practices and provide written acknowledgment that they understand your AI use. This creates a paper trail demonstrating informed consent and helps protect against claims that patients were unaware of your technology adoption.

This signature requirement extends beyond new patients to existing patients who may not have signed privacy practices that include AI disclosures.

The Technology Due Diligence Every Practice Must Perform

Beyond compliance documentation, practices must perform technical due diligence on any AI vendor they’re considering. This process involves asking the right questions and having the technical expertise to evaluate the answers.

The Data Sharing Question

The most critical question for any AI vendor is whether they use patient conversations to train their systems for other clients. Reputable vendors should be able to clearly explain their data use policies and confirm that patient conversations remain isolated to your practice. If a vendor cannot provide this assurance or seems evasive about their training methods, that’s a red flag requiring further investigation.

Encryption and Security Standards

The second essential area involves data encryption and security practices. While SOC 2 isn’t required for HIPAA compliance, it represents a higher standard that provides additional protection for patient data.

Powers explained the basic requirements: “HIPAA doesn’t say you have to have SOC 2. This is like another level of encryption.” However, vendors must meet minimum HIPAA encryption requirements for data at rest and in transit.

Turning Crisis into Opportunity: AI-Powered Compliance Solutions

In a delightfully ironic twist, the conversation revealed how AI technology might actually help solve the compliance problems it creates. Adrian described how Annie AI, My Social Practice’s dental AI receptionist, could automate the process of getting patients to sign updated privacy practices.

The concept involves having the AI agent automatically send patients links to sign privacy practice documents after scheduling appointments, either through text messages or email. This approach could streamline the compliance process while ensuring that every patient interaction includes proper documentation.

As Adrian noted with amusement, “What we’re doing is we’re getting AI agents to basically protect the practice from being sued about their AI agents.” This meta-solution highlights how thoughtfully implemented AI can enhance rather than complicate compliance efforts.

The Human Element: What AI Can’t Replace

Throughout the discussion, both Adrian and Powers emphasized that AI phone systems are designed to handle routine tasks, not replace the human connections that define quality dental care. AI agents excel at answering basic questions like practice hours, scheduling routine appointments, and collecting patient information.

However, complex conversations about treatment plans, insurance coverage, or patient concerns still require human intervention. “The AI agents aren’t here to replace your practice team members. They’re here to take away some of those form fills,” Powers explained.

This distinction is crucial for both patient acceptance and regulatory compliance. Patients understand and accept AI assistance for routine tasks, but they expect human interaction for meaningful healthcare decisions. Practices that clearly communicate these boundaries can build trust while leveraging AI efficiency.

The key is transparency about what tasks AI handles versus what remains in human control. When patients understand that AI is answering basic scheduling questions but their treatment discussions will always involve real team members, they’re more likely to embrace the technology.

Transparency as Your Best Protection

The Heartland Dental lawsuit serves as a stark reminder that AI adoption in dental practices requires careful attention to both legal compliance and patient trust. The most expensive mistake isn’t investing in the wrong technology but failing to properly disclose and document how that technology works.

The path forward involves three critical elements: comprehensive legal compliance through proper disclaimers and documentation, technical due diligence to ensure vendors meet security and privacy standards, and transparent communication with patients about how AI enhances rather than replaces human care.

Need help updating your compliance? My Social Practice has partnered with Adams Brown CPAs to bring you two critical templates: an updated Privacy Practices Disclosure and Business Associate Agreement. Download below:


In This Episode:


Tammie Powers, Certified Trainer in Dental Practice Management Software

Tammie Powers is a certified trainer specializing in dental practice management software at Adams Brown CPA. She helps dental teams maximize efficiency through practical, hands-on training that focuses on helping practices “work smarter, not harder.” Tammie combines technical expertise with a passion for helping dental professionals optimize their operations and achieve sustainable growth.


Adrian Lefler, CEO and Co-founder of My Social Practice

Adrian Lefler, CEO of My Social Practice, is a seasoned expert in the dental marketing industry with 14 years of experience. He is widely recognized for his engaging and informative presentations. Based in Suncrest, Utah, Adrian shares his life with his wife, four children, and a lively mix of pets. My Social Practice is a leading dental marketing company, and Adrian is passionate about helping dental professionals succeed in this dynamic field.

Frequently Asked Questions

Do I need to disclose AI use even if my state only requires one-party consent for call recording?

Yes, you should always disclose AI use and call recording regardless of your state’s minimum legal requirements. Even in one-party consent states, patients have reasonable expectations of privacy when calling their healthcare provider. Failing to disclose AI use can damage patient trust and potentially expose your practice to lawsuits, especially if patients discover the AI assistance after the fact. The legal minimum isn’t the same as best practice for maintaining patient relationships and avoiding liability.

What questions should I ask an AI vendor to ensure they won't use our patient conversations inappropriately?

The most critical questions focus on data isolation and training practices. Ask specifically whether patient conversations from your practice are used to train AI systems that serve other clients. Request detailed explanations of how patient data is encrypted, stored, and protected. Verify that the vendor provides comprehensive Business Associate Agreements that specifically address AI technology and data handling. Finally, confirm what security certifications they maintain and whether their systems meet or exceed HIPAA encryption requirements for data at rest and in transit.

How do I update privacy practices for existing patients who haven't signed AI-related disclosures?

The most efficient approach is to integrate updated privacy practice signatures into your existing patient workflow. Use your practice management software to automatically send new privacy practice documents to patients before their appointments via email or text. For patients who don’t complete the digital signature, have printed copies ready during their office visit. Focus on upcoming appointments rather than trying to contact inactive patients, as this ensures you’re prioritizing currently active patient relationships while maintaining compliance efficiency.
