Security built for patient phone calls
Every call your practice takes contains protected health information — a name, a date of birth, a reason for the visit. DentalReception AI is built for healthcare from the phone line up, so that information is handled the way a dental practice is required to handle it.
HIPAA compliance and a signed BAA
DentalReception AI is HIPAA compliant, and we sign a Business Associate Agreement with every practice before going live. The BAA spells out exactly how call data is processed, stored, and protected, so your compliance officer has the paperwork they need on day one.
What we protect, and how
- Encryption — call audio and transcripts are encrypted in transit and at rest.
- Audit logs — every call, booking, and data write is logged, so you can see who accessed what and when.
- Least-privilege access — staff and systems only see the data they need to do their job.
- Data minimization — we collect what's needed to answer the call and book the appointment, and nothing more.
Why security is built in, not bolted on
A general-purpose phone bot treats PHI like any other input, because it was never designed to know the difference. DentalReception AI was built for one industry, and that focus shapes the security model as much as it shapes the conversation. The agent is collecting names, dates of birth, reasons for a visit, and insurance details on every call — so the same dental-only design that lets it triage a knocked-out tooth also means PHI handling is a first-class part of the product, not an afterthought layered on at the end. Every control below exists because a dental practice is legally required to treat those calls a particular way, and the product is built to make that the default.
Security across the booking path
Protecting a call isn't only about the audio. The appointment the agent books is written in real time straight into your practice management system — Dentrix, Open Dental, Eaglesoft, Curve Dental, or CareStack — and that write-back path is part of what we secure. Because the booking lands directly in your live schedule with no staff re-keying and no message sitting in an inbox, there are fewer places for patient data to leak or linger. The same principle of data minimization that governs the call governs the write: the agent collects what it needs to book or triage the appointment, writes it where it belongs, and stops there.
Bilingual calls, same protections
DentalReception AI handles calls in both English and Spanish, and the security posture doesn't change with the language of the call. A Spanish-language new-patient intake collects the same kinds of PHI — name, date of birth, reason for visit, insurance details — and is encrypted, logged, and minimized exactly the same way an English call is. Whichever language a patient speaks, the BAA, the audit trail, and the least-privilege access model cover the conversation identically.
A clear record of every conversation
Because each call produces a written summary and transcript, you get a defensible record of what was said and what was promised — useful for training, quality review, and resolving the occasional "but I was told…" conversation at the front desk.
| Control | What it means for your practice |
|---|---|
| Signed BAA | Required paperwork handled before launch |
| Encryption in transit & at rest | Call audio and PHI are never stored in the clear |
| Per-call audit log | Full history of access and changes |
| Role-based access | Staff see only what they need |
| Data minimization | Only what's needed to answer and book the call is collected |
What's still being finalized
We hold ourselves to publishing only what we can stand behind. A few elements of our security posture are still being confirmed and will be documented here before launch:
- SOC 2 status — [TODO: confirm SOC 2 status before publish.]
- Data hosting and region — [TODO: confirm hosting region before publish.]
- Retention window — call audio, transcripts, and summaries are retained according to your agreement; the specific window is [TODO: confirm retention window before publish.]
Until each of these is confirmed, we won't assert it. That's the same standard we apply to every claim on the site.
Frequently asked questions
Is DentalReception AI HIPAA compliant?
Yes. The product is built for healthcare, is HIPAA compliant, and a signed Business Associate Agreement is available for every practice before go-live.
Do you sign a BAA?
Yes. We sign a BAA with every customer as part of onboarding, before any live patient calls are handled.
Where is call data stored, and for how long?
Call audio, transcripts, and summaries are encrypted and retained according to your agreement. [TODO: confirm hosting region and retention window before publish.]
Can we review what the AI told a patient?
Always. Every call is summarized and transcribed, and access is recorded in the audit log.
How is the appointment written into our PMS kept secure?
Bookings are written in real time directly into your practice management system — Dentrix, Open Dental, Eaglesoft, Curve Dental, or CareStack — so there's no message queue or manual re-keying step where data can sit exposed. The write-back path is covered by the same encryption, audit logging, and least-privilege access as the rest of the system.
Are you SOC 2 certified?
[TODO: confirm SOC 2 status before publish.] We publish compliance claims only once they're confirmed, so this page will state our SOC 2 status explicitly before launch.
Who on our team can access call recordings and transcripts?
Only the people you authorize. Access is role-based, so a front-desk team member sees what they need to do their job while broader access is reserved for the roles you designate. Every view and export is written to the audit log, so you always have a record of who accessed which call and when — useful for both internal review and any compliance inquiry.
What happens to call data if we stop using DentalReception AI?
Your data handling and retention are governed by the agreement and BAA you sign at onboarding, including what happens at the end of the relationship. [TODO: confirm exact data-return and deletion terms before publish.] We document this up front so your compliance officer knows the full lifecycle of call data before a single patient call is handled.
For more on how the product fits your stack, see our integrations and implementation plan, or hear a demo call.