A new vendor wants a phone line that hears patient names, dates of birth, insurance details, and reasons for the visit — and writes appointments straight into your practice management system. The front office sees a receptionist that never sleeps. You see protected health information moving through a third party, a write path into your PMS, call recordings sitting somewhere, and a vendor risk review with your name on it. The questions land on your desk and they're non-negotiable: Is there a signed BAA? Is the data encrypted in transit and at rest? Who at the vendor can see a recording, and is that access logged? Can you produce an audit trail if a patient or an auditor asks? "It's a great tool" is not an answer you can sign off on.
DentalReception AI answers every call in under two rings and books the appointment live, 24/7 — and it's built to be defensible when the work lands on your side of the house. It's HIPAA compliant with a signed BAA available, with encryption, audit logging, and access controls so the convenience the front office wants doesn't become the exposure you have to explain.
HIPAA and a signed BAA, not a verbal promise
The first gate for any PHI-touching vendor is a Business Associate Agreement, and a tool that handles patient calls clearly qualifies as a business associate. DentalReception AI is HIPAA compliant and a signed BAA is available, so the contractual basis for handling PHI is in place before a single call routes through it — not something you chase after go-live. That gives your compliance review a real document to attach to the vendor file rather than a marketing claim. The full trust posture lives on the security and HIPAA-compliant AI receptionist pages so you can route them straight to your reviewers.
Encryption, access control, and audit logs
PHI moves through this system at three points — the call, the recording or transcript, and the write-back into the PMS — and each needs to be protected and accountable. DentalReception AI encrypts data in transit and at rest, restricts who can access call recordings and patient details through access controls, and logs activity so there's an audit trail of what was handled and who touched it. That maps to the questions your review actually asks: not "is it secure" in the abstract, but "is the data encrypted, is access least-privilege, and can I prove who did what." For the specifics your assessment needs — and any items still being finalized, including SOC 2 status and data hosting region — work from the security page rather than assumptions, and confirm those items before sign-off.
A controlled write path into your PMS
The part that should make any IT lead pause is a vendor writing into the live schedule. DentalReception AI's write-back into Dentrix, Open Dental, Eaglesoft, Curve Dental, and CareStack is a scoped, real-time integration — it books, reschedules, and cancels against your schedule, and that activity is logged rather than happening as an opaque background sync. For systems outside those five, it connects via API and works alongside your setup rather than asserting deep write access you'd have to vet separately. Setup itself is a phone-forwarding change plus a schedule sync — no new hardware on your network, no server to harden, and no endpoint to patch. See implementation for what actually touches your environment.
Before and after
| Your security review | Without a defensible vendor | With DentalReception AI |
|---|---|---|
| BAA for PHI handling | Chased post-launch or missing | Signed BAA available up front |
| Data protection | Unverified | Encrypted in transit and at rest |
| Recording access | Unknown / unlogged | Access-controlled and logged |
| Audit trail | Reconstructed by hand | Activity logged for review |
| PMS write path | Opaque background sync | Scoped, logged integration |
Convenience the front office wants, exposure you can defend
A receptionist that answers 100% of calls and books them live, 24/7, is an easy yes for operations — your job is to make it an easy yes for security too. DentalReception AI is designed so those goals don't conflict: HIPAA compliant, signed BAA available, encrypted, access-controlled, and auditable, on a flat monthly subscription (provisional $449/mo per location). Start your assessment from the security overview, point your reviewers to the HIPAA-compliant AI receptionist page, and book a demo when you're ready to validate it against your own requirements.
Frequently asked questions
Is there a signed BAA available?
Yes. DentalReception AI is HIPAA compliant and a signed Business Associate Agreement is available. Because the system handles protected health information — patient names, dates of birth, insurance details, and reasons for calling — a BAA is the baseline requirement for using it, and it's in place before any call routes through the platform rather than something negotiated after go-live. That gives your vendor review an executed agreement to attach to the file. The security and HIPAA-compliant AI receptionist pages cover the compliance posture you can route to your reviewers and legal team.
How is patient data protected?
Data is encrypted in transit and at rest, and access to call recordings and patient details is restricted through access controls so that exposure is limited to who genuinely needs it. PHI is present at three points — the live call, the recording or transcript, and the write-back into your PMS — and the controls are intended to cover each. For the precise technical specifications your assessment requires, including items like SOC 2 status and data hosting region that are still being confirmed, work from the security page rather than assuming, so your sign-off rests on verified detail.
Can I get an audit trail of what was handled?
Activity is logged, so there's a record of calls handled and access to recordings and patient details, which supports producing an audit trail when a patient request, an internal review, or an external auditor requires one. Every call is also recorded and summarized, giving you a searchable account of what was said and what action was taken. This means accountability isn't reconstructed after the fact from scattered sources — it's captured as the system operates. Confirm the exact retention and export specifics against the security documentation as part of your assessment.
What does the integration into our PMS actually do?
For Dentrix, Open Dental, Eaglesoft, Curve Dental, and CareStack, it's a scoped, real-time write-back: the system books, reschedules, and cancels appointments against your live schedule, and that activity is logged rather than running as an opaque sync. For other systems it connects via API and works alongside your setup, without claiming deep write access you'd need to separately validate. Crucially, setup is a phone-forwarding change plus a schedule sync — there's no new hardware on your network, no server to harden, and no endpoint to manage. See implementation for exactly what touches your environment.
How does setup affect our network and endpoints?
Minimally. DentalReception AI runs as a hosted service; going live is a matter of forwarding your existing phone number and syncing your schedule, not deploying appliances or agents inside your network. That means there's no new attack surface in the form of on-premise hardware, no server for your team to patch and maintain, and no endpoint footprint to manage. Your security scope narrows to the vendor relationship itself — the BAA, encryption, access control, and logging — which is what the security page is built to help you evaluate, rather than a new piece of infrastructure to own.