AI Risk Pyramid for Dentistry™ — Myla Training
The Dental AI Framework

Ask These Questions Before You Say Yes to AI.

A practical, five-layer risk framework built for Canadian dental practices. Evaluate any AI tool, stay compliant with Canadian privacy law, and protect your patients.

Canadian Privacy Law
Built on PIPEDA and provincial privacy law.
Five Risk Layers
Data governance, cybersecurity, privacy, clinical safety, and AI accuracy.
Built for Dentistry
Dental workflows, PHI obligations, and real vendor scenarios.
Go Deeper
The AI Essentials course gives you the knowledge behind every question.

Before you say yes to any AI tool, there are some important questions to ask.

"We think one of our tools might not be compliant. And we just found out our front desk has been using an AI tool we didn't know about. What do we do?"

It wasn't a crisis call. It was a calm, concerned practice owner who had done everything right by the usual measures — good team, strong systems, genuinely thoughtful about technology. But when they started asking their AI vendor direct questions about data storage and compliance, the answers didn't come. And when they looked more carefully at what their staff were actually using day-to-day, they found a tool no one had formally approved — handling patient information in ways no one had reviewed.

AI in dentistry requires human oversight at every layer — not just at the output.

This is what shadow AI looks like in a dental practice. It doesn't arrive through a breach. It walks in through a well-intentioned team member who found something helpful and started using it. No malice. No oversight. No agreements in place.

The problem wasn't that this practice had adopted AI. The problem was the order of the questions. They had asked "does it work?" and "is it useful?" before they asked "where does our patient data go, who owns it, and what does Canadian law require of us before we say yes?"

I've worked with dental practices for over 30 years. The right framework doesn't slow down AI adoption — it makes it sustainable. The AI Risk Pyramid for Dentistry™ gives Canadian dental practices the questions they need to ask first, so that every tool they adopt is one they can stand behind.

Built for Canadian Dental Practices

Why do we need an AI risk framework for Canadian dentists?

Canadian law requires Canadian agreements
Most AI tools used in Canadian dental practices are built in the US. That's not the problem — the problem is that the agreements, terms, and data commitments that come with them are rarely written with PIPEDA, PHIPA, HIA, or PIPA in mind. Canadian dentists need to know exactly what to ask for — and what to insist on — before signing on.
Dental practices are a unique type of business
A dental practice isn't a hospital or a tech company. It has a practice management system, a small team, clinical obligations, and no dedicated IT department. Generic AI risk guidance — written for enterprise environments — doesn't reflect the realities of a four-operatory clinic managing patient health information every day.
Most guidance starts at the top, not the bottom
Every AI conversation leads with output quality — accuracy, hallucinations, clinical reliability. These matter. But they're the last layer of risk, not the first. Evaluating AI from the top down leaves the most consequential questions — about data, security, compliance, and clinical accountability — unanswered until it's too late.
Myla built this framework to give Canadian dental practices a clear starting point. The right questions, in the right order — so you can evaluate any AI tool with confidence, secure the agreements your practice actually needs, and know exactly where your team requires training.
The Framework

AI Risk Pyramid for Dentistry

Five layers. Every layer matters.
Most practices only examine the one at the top.

AI OUTPUT ACCURACY: Hallucinations · Decision support limitations
CLINICAL SAFETY: Diagnostic accuracy · Chart summaries · Treatment recommendations
PRIVACY & COMPLIANCE: Federal & provincial privacy obligations · Patient consent · Cross-border data
CYBERSECURITY: Vendor integrations · Expanded attack surface · System access
DATA GOVERNANCE: Data ownership · Storage & retention · Vendor access rights
★ Where most practices focus
AI Adoption Checklist
Each section maps directly to one layer of the pyramid above. Work through all five layers. The questions most practices skip are at the foundation — not the top. Use any gaps as your action plan.
A note on jurisdiction: Privacy law obligations vary by province. The guidance referenced throughout this checklist draws primarily from the IPC Ontario's AI Scribes: Key Considerations for the Health Sector (January 2026) — the most comprehensive Canadian regulatory guidance on AI in healthcare published to date — and Ontario's Personal Health Information Protection Act (PHIPA). The underlying principles are broadly consistent across Canadian jurisdictions, but dentists in BC, Alberta, and other provinces should confirm how their applicable provincial privacy legislation applies to their specific circumstances.
DATA GOVERNANCE Layer 1 of 5
1. Who owns your data after it enters the AI system — you, the vendor, or both?
Your practice must retain full ownership of all patient data. The vendor should never claim rights to use, sell, or train on your data.
2. Where is your patient data stored, and how is it protected under applicable federal and provincial privacy law?
Most AI tools used in Canada are built on US infrastructure — that is not automatically a problem, but it does create an obligation. You need to know where data is stored, confirm it is protected under applicable Canadian federal and provincial privacy law, and have that commitment documented in your vendor agreement. Canadian servers are preferable where available, but the legal protection and the written agreement matter most.
Source: IPC Ontario, AI Scribes: Key Considerations for the Health Sector, s.4.6 (Jan 2026)
3. Can you delete your data completely and permanently when you end the relationship?
A clear data deletion policy — with a written confirmation process — is the minimum standard for any vendor handling PHI.
4. Does your vendor agreement require the vendor to notify you proactively if the AI is performing below accuracy thresholds or producing unexpected outputs?
This is a specific contractual clause worth asking for by name. A responsible vendor should be obligated to alert you when their system is underperforming — not leave you to discover it through a patient care issue. If the agreement is silent on this, that is a gap to negotiate before signing.
Source: IPC Ontario, AI Scribes: Key Considerations for the Health Sector, ss.5.3, 6.8 (Jan 2026)
CYBERSECURITY Layer 2 of 5
1. Does this vendor have independent security verification appropriate to the data it handles — such as SOC 2 Type II, ISO 27001, or equivalent?
Not every AI tool will carry formal certifications, and not every tool requires them. But any tool handling patient data should be able to demonstrate that its security controls have been independently verified. Ask what certification or audit process applies to this specific tool — and ask to see the most recent report.
2. How does this AI integration affect your existing network and security perimeter?
Every new integration is a new potential entry point. Your IT provider must assess how the AI tool connects to your practice management system and patient data.
3. What is the vendor's breach notification process, and what is their obligation to notify you?
Breach reporting obligations exist under both federal and provincial privacy law across Canada. Under federal PIPEDA, breaches posing a real risk of significant harm must be reported to the Office of the Privacy Commissioner and affected individuals notified. Provincial health privacy legislation imposes parallel obligations. Your vendor agreement must include a clear, contractual obligation to notify you promptly — and you need to know what that timeframe is before an incident occurs.
Source: PIPEDA s.10.1; IPC Ontario, AI Scribes: Key Considerations for the Health Sector, s.3.7 (Jan 2026) — confirm applicable provincial requirements for your jurisdiction
4. Does your practice have a policy governing which AI tools staff are permitted to use independently, without practice approval?
Adopting one approved AI tool does not close the door on staff using personal or unapproved AI tools with patient data. This is sometimes called "shadow AI" and it has resulted in serious privacy breaches in Canadian healthcare settings. Before adopting any AI tool, the practice needs a clear acceptable use policy that addresses this gap specifically.
Source: IPC Ontario, AI Scribes: Key Considerations for the Health Sector, s.3.5, Spotlight on Shadow AI (Jan 2026)
PRIVACY & COMPLIANCE Layer 3 of 5
1. Has the vendor signed a data agreement that meets the privacy law requirements of your province — not just a US-style Business Associate Agreement?
A Business Associate Agreement (BAA) is a US document type written for HIPAA compliance — it does not satisfy Canadian provincial privacy law. The agreement your practice needs depends on your province, but it must reflect applicable Canadian federal and provincial privacy obligations. If a vendor only offers a standard US BAA, that is a gap that needs to be addressed before you proceed.
Source: IPC Ontario, AI Scribes: Key Considerations for the Health Sector, s.5.3 (Jan 2026)
2. Do your patient consent forms cover AI-assisted tools and how patient data is used within them?
Implied consent does not extend to AI tools. Under Canadian federal and provincial privacy law, patients have the right to know when AI is involved in their care or the handling of their information — and the right to withhold consent. Review your consent forms with this in mind.
Source: IPC Ontario, AI Scribes: Key Considerations for the Health Sector, s.6.2 (Jan 2026)
3. Has a Privacy Impact Assessment been completed for each AI tool that handles patient data?
A Privacy Impact Assessment identifies risks before they become breaches. Some provincial regulators require them and all treat them as a recognized best practice. Even where not explicitly required, completing one demonstrates accountability and due diligence — and positions your practice well in the event of a complaint or investigation.
Source: IPC Ontario, AI Scribes: Key Considerations for the Health Sector, s.3.4 (Jan 2026); OIPC Alberta, AI Scribe PIA Guidance (Sept 2025)
4. If the AI tool records or transcribes patient appointments, does your practice have a documented process for patients who decline — and can you confirm their care will be unaffected?
Under Canadian privacy law, there is no implied consent for AI tools that record or transcribe patient conversations. Patients have the right to withhold consent, and the practice must be able to continue providing the same standard of care without the AI tool if they do. This process needs to exist before the tool is deployed, not after.
Source: IPC Ontario, AI Scribes: Key Considerations for the Health Sector, s.6.2 (Jan 2026)
CLINICAL SAFETY Layer 4 of 5
1. Is this AI tool classified as a Software as a Medical Device (SaMD) under Health Canada guidance?
AI tools that inform diagnosis or treatment may require Health Canada licensing. Using an unlicensed tool in a clinical pathway creates patient safety and liability risk.
Source: Health Canada, Guidance Document: Software as a Medical Device (SaMD): Definition and Classification (Oct 2019); IPC Ontario, AI Scribes: Key Considerations for the Health Sector, s.4.1 (Jan 2026)
2. What clinical evidence supports the tool's diagnostic or treatment recommendation accuracy?
Independent clinical validation evidence — beyond the vendor's own internal testing — is the standard to ask for. Look for evidence that the tool has been evaluated in settings and patient populations comparable to your own.
Source: IPC Ontario, AI Scribes: Key Considerations for the Health Sector, ss.4.3, 4.4 (Jan 2026)
3. What is the required human oversight protocol when this AI generates clinical outputs?
AI output must never replace clinical judgment. Every tool should have a documented protocol for how and when a licensed clinician reviews AI-generated recommendations.
Source: IPC Ontario, AI Scribes: Key Considerations for the Health Sector, ss.3.10, 6.1 (Jan 2026)
AI OUTPUT ACCURACY Layer 5 of 5
1. Does the vendor disclose the known error rate, hallucination risk, and limitations of their AI model?
Any vendor unwilling to disclose known limitations is a red flag. Responsible AI vendors publish accuracy benchmarks and are transparent about where their models can fail.
Source: IPC Ontario, AI Scribes: Key Considerations for the Health Sector, ss.4.3, 5.2, Spotlight on LLM Hallucinations (Jan 2026)
2. How does the system handle uncertainty — does it flag low-confidence outputs or present them as facts?
A trustworthy system communicates its own uncertainty. If an AI tool presents speculative output as definitive, your team has no way to apply appropriate clinical skepticism.
3. Who is legally and professionally responsible if an AI output contributes to a patient harm event?
Responsibility does not transfer to the vendor. The treating clinician and the practice remain accountable. Review your liability coverage with your insurer before adopting clinical AI tools.
Source: IPC Ontario, AI Scribes: Key Considerations for the Health Sector, s.5.1 (Jan 2026); Canadian Medical Protective Association, AI Scribes: Answers to Frequently Asked Questions (Dec 2023)
Ready to go deeper?

Get the answers.
Build the confidence.

The checklist tells you what to ask. The AI Essentials course gives you the knowledge to understand the answers — and the confidence to lead your practice through AI adoption safely, in full compliance with Canadian privacy law.

What you'll learn
AI Privacy & Cybersecurity Essentials 2026
  • How to evaluate any AI tool against all five risk layers
  • Canadian privacy law applied to AI in dental practice
  • What to look for in vendor agreements and DPAs
  • How to lead your team through safe AI adoption
  • Created and taught by Anne Genge — 30 years of dental operations experience
Anne Genge — CIPP/C, CHCSP, Certificate in AI & Law (Queen's University), Healthcare AI (Harvard Medical School). 2× Global InfoSec Award Winner.