Artificial intelligence (AI) is changing the status quo in dentistry and enhancing practice efficiency. It facilitates the design of restorations, highlights dental decay or the position of the ID nerve on radiographs, and streamlines dental reception management. It is such an exciting emerging field, research[i] suggests that a third of US practices had already embraced AI by 2023. For more practices to do the same, it’s important they choose the right provider of AI-supported technology.
Concerns about AI
In the aforementioned research, 67% of dentists surveyed were concerned about data privacy and security, as well as reliability and accuracy of AI systems in dentistry. And they may be right to be.
When analysing x-ray images, or designing crowns from a scan, clinical data can easily be separated from the personal, anonymised and learnt from by “Narrow AI” systems, without compromising data privacy.
But what happens when using “Generative AI” – Large Language Models (LLMs) that generate something new – to create clinical written records that contain sensitive information?
Some industry standards regulating the use of data are well-established. The challenge is understanding the implications of using personal, sensitive data with AI. Can you use GDPR-protected data to train AI models? Can you use ChatGPT to generate letters or does this fall foul of data privacy rules? Can Generative AI systems access the personal information needed to populate clinical records and consultation notes?
These are not easy questions, but they’re essential to build a safe future with AI-supported healthcare.
Protection from within
The dental practice is a data controller and must appoint a Data Protection Officer (DPO) responsible for ensuring the privacy, security and protection of patient information. Registration with the Information Commissioner’s Officer (ICO) is also essential for practices – and for individual dentists who take patient information off-site.[ii]
Where using AI to generate written notes, the practice DPO must ensure that data is used, stored and processed in accordance with the UK regulatory framework. A Data Protection Impact Assessment (DPIA) helps to identify and minimise data protection risks and is crucial for due diligence. Patients have a right to expect their data not to be used to train LLMs without their explicit consent.
Further, the creation and storage of clinical records must have a secure audit trail to demonstrate authenticity and accuracy.
Dental practices must, therefore, also ensure their AI technology provider meets the relevant standards for data privacy, security and the clinical record.
Standards for AI technology providers
Standards for data security are well-established and technology providers must demonstrate compliance with one or more security standards.
Cyber Essentials[iii] is a government-backed scheme designed to prevent cyber attacks. The NHS Data Security and Protection Toolkit (DSPT)[iv] is a self-assessment solution for businesses handling NHS data, necessitating an annual security penetration test.[v] For more advanced cyber resilience, the ISO/IEC 27001[vi] governs information security management systems.
If a technology provider uses third-party systems to perform some or all of the data processing, zero-retention agreements must be in place.
The world’s first AI management system standard is the ISO/IEC 42001[vii] promoting the responsible and effective use of AI. The US National Institute of Standards and Technology (NIST)[viii] also facilitates federal coordination of AI standards.
These standards are very new and currently focus more on AI development than usage. It’s also worth noting that these standards, while easily applied to Narrow AI (such as x-ray reporting), are much more difficult to apply to Generative AI models (those used for generating written records from a voice audio recordings).
The enormous speed of software and AI development keeps governance in a state flux, so end users may easily lag behind. Consequently, dentists should work with technology suppliers that understand the evolving field and care about keeping you and your business compliant.
Confidence in your provider
When using an AI note generating software, that technology provider should provide evidence of their ICO registration and share any current certificates from programmes like Cyber Essentials and the NHS DSPT to demonstrate the data protection and security credentials necessary for compliance. You can confirm all of these by visiting the respective organisation websites. Dental practices should also ask about the data policies and processes in place to ensure data is protected from generation to storage.
For instance, Dental Audio Notes (DAN) utilises AI algorithms to generate written records from audio records of patient consultations, and no information is ever used directly to train or build new models. It also has zero-retention policies in place with AI model providers, and offers a complete audit trail for the clinical record. Immediate end-to-end encryption further protects data. This means that DAN provides a safe way of recording patient consultations, ensuring complete, contemporaneous and accurate record keeping while also maximising data security for total peace of mind.
A bright future
It is likely that specialist large language models will soon be designed to fulfil the specific data privacy and security needs of dentistry. Until then, we must continue to utilise AI capabilities carefully to avoid unintentional consequences for dentists and for the patients whose data is being processed.
Definitely do check out AI generated record keeping. But please do it safely. You want to make sure that you stay on the right side of the ICO – data protection breaches can be very expensive.
To discover Dental Audio Notes (DAN), or arrange a free demo, visit dentalaudionotes.com
Author: Aleksandra Rozwadowska – Ala
Ala is a dentist and the co-founder of Dental Audio Notes alongside her husband, Adam. Dental Audio Notes was created in response to the challenges of trying to master every aspect of clinical dentistry. Together, they love helping dentists to master their clinical records, and to finally get credit for the good work they do with their patients, instead of relying just on what they had time to write down.
[i] Dentaly.org. AI in Dentistry Survey. US. July 2023. https://www.dentaly.org/us/research/ai-in-dentistry/ [Accessed June 2024]
[ii] Taylor L. Dentists as data controllers. DDU Journal. 2018. https://ddujournal.theddu.com/issue-archive/summer-2018/dentists-as-data-controllers#:~:text=Our%20advice%20is%20that%20it,to%20be%20registered%20as%20such. [Accessed June 2024]
[iii] National Cyber Security centre. Cyber essentials. About Cyber Essentials. https://www.ncsc.gov.uk/cyberessentials/overview [Accessed June 2024]
[iv] NHS England. Data Security and protection Toolkit. https://www.dsptoolkit.nhs.uk/ [Accessed June 2024]
[v] NHS England. Data Security Standard 9 – IT protection. Penetration testing (9.2.1 – 9.2.2) https://digital.nhs.uk/cyber-and-data-security/guidance-and-assurance/data-security-and-protection-toolkit-assessment-guides/guide-9—it-protection/penetration-testing [Accessed June 2024]
[vi] ISO/IEC 2700:2022. Information security, cybersecurity and privacy protection – information security management systems – requirements. Edition 3. 2022. https://www.iso.org/standard/27001 [Accessed June 2024]
[vii] IOS/IEC 42001:2023. Information technology – Artificial intelligence – management system. Edition 1, 2023. https://www.iso.org/standard/81230.html [Accessed June 2024]
[viii] NIST. Artificial Intelligence. AI Standards. https://www.nist.gov/artificial-intelligence/ai-standards [Accessed June 2024]