The risky AI moment isn't the clinic. It's the billing desk at 4:45.
Picture a regional dental group: six locations, one billing team that batches insurance follow-ups at the end of the day. A coordinator is fighting a denied claim, opens a free chatbot, and pastes the denial letter in to draft an appeal. The letter has the patient's name, date of birth, member ID, procedure codes, and the carrier's reasoning. It's a great appeal. It also just walked protected health information out the door and into a system nobody vetted.
That's the scenario your policy exists to prevent, and it's worth naming precisely because the danger in a dental group doesn't live where people assume. It's not the operatory or the imaging software. It's the administrative seam where patient, payer, and claim data all collide: intake, eligibility checks, treatment-plan financing, and the denials queue. Those are exactly the workflows where AI feels most helpful, which is exactly why staff reach for whatever tool is fastest.
Research on smaller operators backs the discipline this requires. Surveys from RSM, the San Francisco Fed, and the OECD SME AI report converge on one point: AI pays off only when process ownership, skills, and governance come first. For a dental group that means a policy short enough to read between patients, not a binder nobody opens.
Draw one line: does it touch a patient or a payer?
Skip the long taxonomy. Give your offices a single decision they can make in two seconds: if the text in front of you would identify a patient or connect to their coverage, claim, or chart, it does not go into a general assistant. Everything else is fair game.
On the green side, where any approved tool helps and the upside is real: rewriting a new-hire onboarding checklist, drafting a generic recall-call script ("Hi, this is the office, you're due for a cleaning"), summarizing a team huddle, turning a vendor's clunky email into a clear one, or outlining staff training on a new sterilization protocol. None of that names a patient.
On the red side, where work stays inside a reviewed, contracted system with a human signing off: anything pulled from intake forms, a treatment plan tied to a name, eligibility or benefits details, claim and denial correspondence, scheduling notes that reveal a condition, and employee files. A denial appeal feels administrative, but it carries the full payload of PHI, so it belongs in red.
Two frameworks turn that instinct into something auditable. The NIST AI Risk Management Framework gives you a way to map where data flows and keep accountability visible across six locations that don't all do things the same way. CISA's AI Data Security Best Practices pins down the data questions: what's used, where it lands, who can reach it, how outputs get logged. And if you're weighing a managed tool, read the vendor's own controls — Microsoft 365 Copilot privacy or OpenAI's enterprise privacy commitments — but treat them as the opening of a review with your privacy and security counsel, not the verdict. A privacy page is not a business associate agreement.
Make a regional manager the owner, and spot-check the denials queue
A dental group's policy fails the moment it has no name attached to it. So assign one: a practice or regional operations owner who maintains the approved-tool list, fields the "can I use AI for this?" questions, and owns the escalation path when someone's unsure. Post the green/red line at each front desk and in the billing room — not in a shared drive nobody scrolls to.
Then verify it's actually working, because policies drift fastest where the pressure is highest. Once a month, pull a small sample from the three workflows most likely to leak: end-of-day insurance follow-ups, intake summaries, and recall scripts. You're checking two things — did patient or payer data end up in an unapproved tool, and did any AI-drafted appeal or patient message go out without a person reading it first. Five minutes of spot-checking the denials queue tells you more than a signed acknowledgment form ever will.
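As an added example (not part of the original article, and not any vendor's product), here is a small Python screen that applies the green/red line from the section above mechanically and then runs it over a constructed prompt-log sample of the kind a monthly spot-check would pull. It assumes the approved tool (or a proxy in front of the free ones) exports prompts with the user and tool name; the tool names, the regular expressions, and the sample records are all assumptions for illustration. Strong hits (a date of birth, a member or claim number, an SSN, or a labeled patient name) make a paste red on their own; CDT procedure codes or payer language alone route it to the policy owner as "review".

```python
import re
from dataclasses import dataclass

# Strong signals: any one of these identifies a patient or ties the text to a
# coverage, claim, or chart record, so the text is red by itself.
STRONG = {
    "dob": re.compile(
        r"\b(?:DOB|date of birth)\b[:\s]*(?:\d{1,2}/\d{1,2}/\d{2,4}|\d{4}-\d{2}-\d{2})", re.I),
    "member_id": re.compile(
        r"\b(?:member|subscriber|policy)\s*(?:id\b|#|no\b\.?|number\b)[:\s#]*(?=[A-Z-]*\d)[A-Z0-9-]{6,}", re.I),
    "claim_id": re.compile(
        r"\bclaim\s*(?:id\b|#|no\b\.?|number\b)[:\s#]*(?=[A-Z-]*\d)[A-Z0-9-]{6,}", re.I),
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    # A name following a "Patient:", "Pt:", or "Re:" label, as denial letters use.
    "patient_name": re.compile(
        r"\b(?i:patient|pt|re)\b\s*(?i:name)?\s*:\s*[A-Z][a-z]+(?:\s+[A-Z][a-z]+)+"),
}

# Weak signals: not identifying on their own, but they mark claim or payer
# context, so the text goes to the policy owner instead of a general assistant.
WEAK = {
    "cdt_code": re.compile(r"\bD\d{4}\b"),  # CDT procedure codes, e.g. D2740
    "payer_context": re.compile(
        r"\b(?:den(?:y|ied|ial|ials)|appeal|EOB|explanation of benefits|eligibility|benefits)\b", re.I),
}

# Assumption: the group's one reviewed, BAA-covered tool is logged under this name.
APPROVED_TOOLS = {"contracted-assistant"}


@dataclass
class Verdict:
    level: str   # "red", "review", or "green"
    hits: list   # names of the patterns that fired


def classify(text: str) -> Verdict:
    """Apply the one-line rule: strong hit -> red, weak hit -> review, else green."""
    strong = [name for name, rx in STRONG.items() if rx.search(text)]
    if strong:
        return Verdict("red", strong)
    weak = [name for name, rx in WEAK.items() if rx.search(text)]
    if weak:
        return Verdict("review", weak)
    return Verdict("green", [])


def sweep(records):
    """records: iterable of (user, tool, prompt_text) from an assumed prompt-log export.

    Returns the rows a reviewer should open: red or review text sent to a tool that is
    not on the approved list, plus red text sent to an approved tool, which still needs
    a person to sign off on whatever was drafted.
    """
    findings = []
    for user, tool, text in records:
        verdict = classify(text)
        if verdict.level == "green":
            continue
        if tool not in APPROVED_TOOLS:
            findings.append((user, tool, verdict.level, "unapproved tool", verdict.hits))
        elif verdict.level == "red":
            findings.append((user, tool, verdict.level, "confirm human sign-off", verdict.hits))
    return findings


# Constructed sample log for illustration; no real patients, members, or claims.
SAMPLE_LOG = [
    ("coord1", "free-chatbot",
     "Re: Jane Doe, DOB 03/14/1980, Member ID ABC123456, Claim # 77881234. "
     "Carrier denied D2740 as not medically necessary. Draft an appeal."),
    ("coord1", "free-chatbot",
     "Draft a friendly reminder: Hi, this is the office, you're due for a cleaning."),
    ("mgr2", "free-chatbot",
     "Rewrite our new-hire onboarding checklist so it reads in order: badge, login, sterilization training."),
    ("coord3", "free-chatbot",
     "Explain in plain language why a carrier might deny D0274 bitewings."),
    ("coord4", "contracted-assistant",
     "Patient Name: John Smith, DOB 1979-11-02. Summarize this intake form."),
]

if __name__ == "__main__":
    for row in sweep(SAMPLE_LOG):
        print(row)
```

The same `classify` call works as a pre-paste check in a browser extension or proxy and as the monthly sweep over exported prompts. A regex screen catches the obvious payload in a denial letter, not every way a patient can be identified, so treat a green result as "nothing obvious" rather than clearance, and keep the human sign-off on the red side regardless of what the screen says.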
If you want to ground the policy in your group's real readiness before you roll it out, run the SMB AI readiness assessment to gauge your data and reviewer maturity, then use the 90-day implementation plan to sequence the rollout and stand up your first governed pilot — likely on the green-side admin work, where you can build the habit without touching a chart.