Artificial intelligence holding the scales of justice (AI in legal field, concept)

The consent gap: What the Heartland lawsuit teaches us about AI in dentistry

Artificial intelligence holding the scales of justice (AI in legal field, concept)
iStock

In early July 2025, a class-action lawsuit1 was filed against Heartland Dental, the largest dental support organization (DSO) in the United States.

The lawsuit alleges that Heartland used AI-powered call tracking and transcription tools from RingCentral without obtaining informed consent from patients. It’s an eye-opener for the entire dental profession especially for those of us embracing digital workflows, automation, and artificial intelligence.

I have vetted this application for compliance, and I can say that the application itself checks most of the boxes, but that’s not the problem here.

If you’re in Canada, you might think: “That’s the U.S. It doesn’t apply to me.” But what’s at stake here? Consent, transparency, and trust is just as relevant (and legally binding) north of the border.

Let’s unpack what happened, why it matters to Canadian dental professionals, and what you can do to protect your practice while still moving forward with innovative tools like AI and automation.

What’s the Heartland case about?

According to the complaint, patients who called Heartland-affiliated dental offices had their conversations recorded, transcribed, analyzed for sentiment (the emotional tone as to whether the caller is positive, negative, or neutral), and used for operational purposes without ever being told it was happening. These calls were handled through RingCentral, which uses AI to summarize and score conversations, much like other platforms on the market.

The lawsuit claims this violates the U.S. Federal Wiretap Act and comparable state laws because no consent was obtained. Additionally, the data may have included protected health information (PHI), putting Heartland at risk of HIPAA violations.

While this is a U.S.-based case, the implications are global, especially for healthcare providers who are rapidly integrating AI into their daily operations.

What does this mean for Canadian dental practices?

In Canada, privacy laws like PIPEDA (federal), and provincial acts such as Ontario’s PHIPA or Alberta’s HIA, require organizations to obtain meaningful consent before collecting, using, or disclosing personal health information.

And most importantly, “meaningful” isn’t just a checkbox.

Your patients must understand:

  • What data is being collected
  • How it’s being used
  • Who it’s being shared with (including third parties like AI vendors)
  • What their rights are

When patients call your office, they don’t expect their words to be analyzed by AI or stored in someone else’s cloud server. If you’re using a platform that records or summarizes conversations, even if it’s “just for training or quality assurance”, you’re collecting personal information. That triggers your obligations under Canadian and Provincial privacy laws, and regulatory college guidelines.

Read related article: Some thoughts about AI in dentistry

College guidelines & consent: A common thread

Most Canadian dental regulatory colleges, including the RCDSO, clearly state that obtaining informed consent is fundamental to professional practice. While these guidelines often focus on clinical procedures, the principle applies equally to digital systems and communication tools.

You wouldn’t proceed with treatment without explaining the risks and getting consent. So why would we use AI-enhanced communications tools without doing the same? Most people just don’t think about it as something that is needed.

“But we didn’t know…” You’re not alone

If you’re reading this and thinking, “We’ve been using these tools and didn’t realize consent was required,” you’re in good company. Many practices adopt digital platforms for efficiency and service quality, without realizing the privacy implications, especially when it comes to tools with built-in AI features. The vendors are not making this known in most cases. Some also may not even realize it is needed.

As someone who works closely with dental teams across Canada, I want to be clear: This isn’t a gotcha moment. This is a chance to pause, take stock, and build better processes, ones that support innovation while protecting patient trust and complying with the law.

The challenge of consent in the AI era

Let’s be honest: It’s not easy to get informed consent for every potential call that comes in. We don’t know who’s going to call next. We can’t pause every conversation to read a disclaimer.

So how do we solve this?

It starts with system-level thinking.

Just like you build infection control protocols into your daily workflow, privacy and consent should be baked into your digital systems. That means:

  • Posting clear phone call disclaimers at the start of every call
  • Training your team on what consent really means in a digital context
  • Vetting vendors carefully to ensure their AI tools align with Canadian privacy law

Documenting your consent policies in your practice’s privacy plan

No tool is safe without a system

Over the past few years, I’ve helped hundreds of dental teams across Canada modernize their digital workflows. From secure messaging to automated reminders, call tracking, AI transcription, and patient engagement platforms, the technology is amazing. Many of these tools come with SOC2 certifications, HIPAA validations, and dazzling dashboards.

But none of that matters if we skip the human part.

Consent isn’t a software feature. It’s a conversation. And it has to be built into your process.

A highly secure, AI-powered tool can still get you into legal hot water if you haven’t updated your privacy plan, trained your staff, or notified your patients. The Heartland case proves this: even the most advanced tech won’t protect you if you miss the basics.

What you can do right now

If this has you rethinking some of the tech in your practice, that’s a good thing. Here’s where I recommend you start:

  • Review your current tech stack
    Do you use any AI-powered communication tools, call tracking platforms, or virtual assistants? Find out what data they collect and how it’s used.
  • Update your privacy notice
    Make sure it includes details about digital communications, AI, and third-party data processors.
  • Add a consent disclaimer to your phone system
    Even a simple message like: “This call may be recorded and analyzed using AI to help us serve you better” can make a big difference.
  • Train your team
    They’re on the frontlines. Help them understand how to talk about consent and privacy in plain language.
  • Create a privacy playbook
    Have a documented process for how you evaluate, adopt, and monitor new technologies. Build in questions like:
  • Does this tool process personal or health information?
  • Where is the data stored?
  • Does it have the appropriate security in place?
  • Is consent required, and if so, how is it obtained?

Moving forward: It’s not about fear, it’s about leadership

I know it can feel overwhelming, especially when you’re trying to grow your practice, meet patient expectations, and adopt tools that improve efficiency. Leading a modern dental practice means owning the responsibility that comes with innovation, even when it’s complex.

Let’s not let this lawsuit become a cautionary tale in our own backyards.

Let it be a turning point where we elevate our standards, strengthen our systems, and protect the trust that patients place in us. Let’s be proactive.

If you’re unsure about your current tools, processes, or policies, you’re not alone. This is evolving fast. My work is focused on helping dental teams navigate exactly these kinds of changes, practically, affordably, and without judgment.

Let’s make privacy part of the workflow, not a barrier to it.

If you need help to assess your communication tools or want to explore team training on privacy and cybersecurity, feel free to reach out. I’m here to help.

Call consent readiness checklist for dental practices

Protect your patients. Protect your practice.

This checklist will help you assess whether your current phone, call tracking, or AI-enhanced communication tools are being used in compliance with Canadian privacy laws and college guidelines.

Step 1: Assess your current tools

Do we use any of the following technologies?

  • Call recording systems
  • VoIP or cloud-based phone systems (e.g. RingCentral, Zoom, etc.)
  • Call transcription or summarization tools
  • AI-powered phone assistants or chatbots
  • Conversation sentiment or scoring analytics
  • Have we reviewed the vendor’s data handling policies and privacy documentation?
  • Is personal or health information being processed, transcribed, or stored by these tools?
  • Do we know where the data is stored (e.g., U.S., Canada, international)?

Step 2: Confirm legal & regulatory alignment

Have we evaluated whether the tool aligns with:

  • PIPEDA (federal privacy law)?
  • Our province’s healthcare privacy law (e.g., PHIPA, HIA, etc.)?
  • Our dental college’s privacy and consent guidelines?
  • Are we confident that our use of this tool and our processes meet the requirements for meaningful consent under privacy law?

Step 3: Build consent into the workflow

  • Is there a pre-recorded message on incoming calls that clearly states: The call may be recorded, transcribed, or analyzed?
  • Why this is being done?
  • How the information will be used?
  • That continuing the call implies consent?
  • Have we updated our:
  • Privacy Notice and posted it in the clinic and on our website?
  • New Patient Intake Forms to include consent for digital tools?
  • Staff training to cover what’s being collected and how to explain it?

Step 4: Train your team

Have we trained all staff on:

  • What constitutes personal and health information?
  • How consent works in non-face-to-face interactions?
  • What to do if a patient asks about recordings or data use?

Have we provided scripts or language for explaining call consent in plain terms?

Step 5: Document & review your process

  • Do we have a written policy for evaluating and onboarding new digital tools?
  • Does our Privacy Officer (or designated lead) regularly review these tools?
  • Do we document consent processes as part of our privacy and security plan?

Do we have a process for updating call scripts and disclaimers if our tech changes?

Questions to ask your vendor

  • Is your tool compliant with Canadian privacy laws (not just HIPAA)?
  • Do you store or process data outside of Canada?
  • How is consent handled or built into the system?
  • Can we disable or customize call summaries or recordings?
  • Do you use any data for AI model training?
  • Do you have a SOC2, ISO27001, or other security certification?

If you answered “no” to any of these…

That’s okay, it’s a sign to act, not panic. Start by documenting what you’re using, review where consent can be improved, and don’t hesitate to get help.

References

  1. Heartland Dental hit with class-action lawsuit over AI use – Beckers Dental + DSO Review July 11, 2025 https://www.beckersdental.com/dso-dpms/heartland-dental-hit-with-class-action-lawsuit-over-ai-use/

About the author

Anne Genge, Certified Information Privacy Professional (CIPP/C) and founder of Myla Training Corp., helps dental practices across Canada create privacy-compliant digital workflows that work in the real world. Visit Myla.Training or reach out for training, risk assessments, or a quick AI tool review.