AI-Assisted Technology Use Notice

Aiea Pearl City Dental Care LLP ("APCDC," "we," "our," or "the Practice") uses certain artificial intelligence ("AI"), automation, transcription, imaging analysis, and communication technologies to assist with healthcare operations, patient communication, clinical documentation, insurance coordination, scheduling, and workflow support.

This AI-Assisted Technology Use Notice ("Notice") is intended to provide patients with transparent, meaningful information regarding how AI-assisted technologies are used by this Practice, how patient information — including protected health information ("PHI") — is handled, stored, and protected in connection with those technologies, and what rights patients retain.

This Notice is separate from and supplements our HIPAA Notice of Privacy Practices. In the event of any conflict between this Notice and our HIPAA obligations, our HIPAA obligations govern. This Notice applies to the Practice and its partner dentists, associate dentists, independent contractors, hygienists, employees, workforce members, affiliated providers, and authorized vendors acting under Business Associate Agreements.

The Practice uses AI-assisted systems to improve the accuracy, efficiency, and quality of healthcare operations and patient care. These technologies are intended to assist — not replace — licensed healthcare professionals. Current and anticipated operational uses include:

• Clinical Documentation: AI-assisted and voice-activated chart note transcription, clinical charting support, and documentation accuracy tools.
• Patient Communication: AI-assisted telephone handling, two-way messaging support, call transcription, and automated scheduling workflows.
• Radiographic Support: AI-assisted x-ray review and imaging analysis for educational and clinical workflow support.
• Insurance and Billing: Automated insurance eligibility verification, claims workflow processing, and administrative coordination.
• Scheduling and Operations: Automated appointment reminders, recall workflows, and practice management integrations.
• Patient Education: Technology-assisted treatment explanation and educational content delivery.
• Internal Workflows: AI-assisted document processing and administrative workflow automation.

These technologies are not intended to independently diagnose, prescribe treatment, or make clinical determinations without licensed clinician oversight.

All clinical decisions — including diagnoses, treatment recommendations, treatment planning, radiographic interpretation, and patient care determinations — are made solely by licensed healthcare professionals using independent professional judgment. AI-assisted tools are used only in a supplemental capacity for documentation assistance, educational support, workflow processing, and imaging analysis for clinician review.

The Practice currently uses or may use the following categories of AI-assisted and automated technologies. This list is representative and may be updated as technologies evolve.

Clinical and Documentation Technologies

• Voice and Chart Note Transcription — Wispr Flow: AI-assisted, voice-activated dictation and transcription platform used for clinical chart note documentation. Wispr Flow supports HIPAA-compliant workflows including Business Associate Agreements and Privacy Mode (Zero Data Retention). When a BAA is signed, Privacy Mode is permanently locked on — no dictation audio or transcript data is retained on Wispr Flow systems after transcription, and no data is used for AI model training.
• Radiographic AI Analysis — Overjet (Vision AI): FDA 510(k)-cleared AI-assisted dental radiographic analysis platform. Overjet operates as a HIPAA Business Associate and holds HITRUST certification. Overjet's AI systems use only completely de-identified, anonymized dental radiographs for model training and improvement — no patient-identifying information is appended to imaging data or used for machine learning. Data is encrypted in transit and at rest. Overjet utilizes both Microsoft Azure and Amazon Web Services (AWS) cloud infrastructure. Clinicians retain sole authority for all diagnostic interpretations and clinical decisions.

Communication and Telephony Technologies

• VoiceStack (VoiceStack Inc. / CareStack subsidiary): Cloud-based VoIP, call transcription, AI call analytics, two-way messaging, and automated communication workflows. Cloud infrastructure: Microsoft Azure. HIPAA Business Associate Agreement confirmed active. VoiceStack AI transcription is enabled by default for all voicemails.
• CareStack (Good Methods Global, Inc.): Practice management platform including scheduling, clinical charting, insurance coordination, patient communication workflows, patient portal, and integrated AI features. Cloud infrastructure: Microsoft Azure. BAA confirmed active. AI features within the CareStack platform include: Scribe AI (AI-assisted clinical charting and documentation), VoiceStack AI (AI-assisted phone handling and call analytics), and Neo AI (AI-assisted patient communication workflows — not currently enabled, reserved for potential future use). CareStack has confirmed that no patient PHI is used to train any AI model within their platform.

Administrative and Workflow Technologies

• Insurance and Eligibility Systems: Automated insurance eligibility verification and claims processing tools integrated with practice management systems.
• Scheduling Automation: Automated appointment reminder, recall, and scheduling workflow systems.
• Future Technologies: The Practice reserves the right to implement additional AI-assisted systems as healthcare technology evolves. See Section 15.

Certain AI-assisted systems may access, process, or transmit limited PHI as necessary for healthcare operations, treatment coordination, insurance verification, scheduling, documentation, and administrative workflows, consistent with the minimum necessary standard under HIPAA (45 C.F.R. § 164.502(b)). Depending on the specific AI workflow, information processed may include:

• Patient name and date of birth
• Appointment and scheduling information
• Clinical chart notes and treatment documentation
• Dental radiographs and imaging data
• Voice recordings and transcriptions of clinical encounters or telephone calls
• Insurance subscriber and eligibility information
• Billing and claims data
• Patient communications (text, phone, and messaging platform interactions)
• Internal patient identification numbers and demographic data

The Practice applies the HIPAA minimum necessary standard to limit PHI access by AI systems to the least amount reasonably required for the applicable operational purpose.

The following summarizes the confirmed AI model training status for each of our AI-enabled vendors:

• Overjet (Radiographic AI) — Confirmed: Overjet utilizes only completely de-identified, anonymized dental radiographs to train and improve its machine learning algorithms. No patient-identifying information is appended to imaging data or used for model development.
• Wispr Flow (Voice Transcription) — Confirmed: When a HIPAA BAA is signed, Privacy Mode (Zero Data Retention) is permanently and irrevocably locked on. No dictation audio or transcript data is retained after transcription, and no data is used for AI model training by Wispr Flow or any of its subprocessors.
• CareStack / VoiceStack / Scribe AI / Neo AI — Confirmed: CareStack has provided written confirmation that no patient PHI is used to train, develop, fine-tune, or improve any AI model within the CareStack platform. This confirmation covers all AI features currently available or planned within the platform, including Scribe AI, VoiceStack AI, and Neo AI. Call recordings and transcripts are stored securely and encrypted in transit but are not used for AI model training.
• De-Identified Data: Vendors may use de-identified data — information from which all HIPAA-specified patient identifiers have been removed under 45 C.F.R. § 164.514 — for model improvement purposes. De-identified data is not PHI and is not subject to HIPAA restrictions. This is the standard applied by Overjet for its radiographic AI.
• Patient Authorization: Any use of identifiable patient PHI for AI model training beyond standard healthcare operations requires a separate, written HIPAA-compliant authorization signed by the patient or their authorized representative.

AI-assisted technologies used by the Practice may process and store data using cloud-based infrastructure, local/on-premise systems, or a combination of both.

Cloud-Based Storage

Many AI-assisted and practice management systems operate using cloud-based infrastructure — meaning data is stored on and processed by remote servers operated by or on behalf of third-party vendors, rather than on servers physically located in our office.

• CareStack and VoiceStack operate on Microsoft Azure cloud infrastructure. Azure is a HIPAA-eligible cloud platform.
• Overjet operates on both Microsoft Azure and Amazon Web Services (AWS) cloud infrastructure. Both are HIPAA-eligible enterprise platforms implementing encryption at rest and in transit.
• Wispr Flow operates on cloud infrastructure with encryption in transit and at rest. When a HIPAA BAA is signed, Zero Data Retention is permanently enforced — no audio or transcript data remains on any Wispr Flow or subprocessor system after transcription.
• All cloud vendors are required to execute HIPAA Business Associate Agreements and implement safeguards consistent with the HIPAA Security Rule.
• Data may be stored on servers located outside of Hawaii. The Practice requires vendors to comply with applicable data protection standards regardless of data center location.

Local / On-Premise Systems

The Practice may also use AI systems that operate locally — meaning AI processing occurs on devices or servers within our office network, without transmitting PHI to external cloud infrastructure. Such systems are subject to the Practice's own HIPAA Security Rule physical, administrative, and technical safeguards and offer a higher degree of direct data control.

The Practice requires that AI-assisted technology vendors implement encryption and technical security standards consistent with HIPAA Security Rule requirements (45 C.F.R. § 164.312) and HHS/NIST guidance for protecting electronic PHI.

Encryption Standards

• Data at Rest: PHI stored by AI systems should be encrypted using AES-256 (Advanced Encryption Standard, 256-bit key length) or equivalent, consistent with NIST Special Publication 800-111.
• Data in Transit: PHI transmitted between systems or cloud infrastructure should be protected using TLS 1.2 or higher. TLS 1.0 and 1.1 are deprecated and should not be used for PHI transmission.
• End-to-End Encryption: Where technically feasible, the Practice prefers AI systems that implement end-to-end encryption for PHI in communication workflows.

Additional Technical Safeguards

• Multi-Factor Authentication (MFA): Required or strongly preferred for all AI-assisted systems that access PHI.
• Access Controls: Role-based access controls limit PHI access to authorized workforce members with a legitimate operational need.
• Audit Logging: Systems processing PHI maintain activity logs sufficient to support HIPAA audit requirements under 45 C.F.R. § 164.312(b).
• Device Management: AI-assisted tools are restricted to Practice-managed devices wherever operationally feasible.

The Practice applies HIPAA's minimum necessary standard when using AI-assisted systems, disclosing only the minimum amount of PHI reasonably necessary to accomplish the intended operational purpose (45 C.F.R. § 164.502(b)).

Where operationally feasible, the Practice uses or encourages de-identified patient information in AI workflows. De-identified information is not PHI and is not subject to HIPAA privacy restrictions. De-identification may be applied using either the Safe Harbor Method (removal of all 18 HIPAA-specified patient identifiers per 45 C.F.R. § 164.514(b)) or the Expert Determination Method (statistical analysis confirming that re-identification risk is very small). In certain administrative workflows, the Practice may use internal patient identification numbers rather than direct demographic identifiers when interacting with AI systems as an additional safeguard.

The Practice implements reasonable and appropriate administrative, technical, and physical safeguards consistent with the HIPAA Security Rule (45 C.F.R. Part 164, Subpart C) to protect PHI processed by AI-assisted systems.

Administrative Safeguards

• HIPAA Security Officer designation and oversight
• Workforce training and HIPAA awareness programs
• Risk analysis and risk management policies
• Vendor management and Business Associate Agreement program
• Policies and procedures governing AI technology use and PHI access

Technical Safeguards

• Encryption at rest (AES-256) and in transit (TLS 1.2+)
• Multi-factor authentication on systems containing PHI
• Role-based and least-privilege access controls
• Audit logging and activity monitoring
• Firewall and network security protections
• Managed IT services and endpoint protection

Physical Safeguards

• Restricted physical access to office systems and devices
• Secure device management and screen-locking policies
• Offline and encrypted backup systems
• Controlled visitor access to clinical and administrative areas

Certain AI-assisted technologies involve third-party vendors — known as Business Associates under HIPAA — who may access, process, or store PHI on behalf of the Practice. Each Business Associate is required to enter into a HIPAA-compliant Business Associate Agreement (BAA) before accessing any PHI.

Confirmed Vendors

• VoiceStack / VoiceStack Inc. (CareStack subsidiary): Cloud-based VoIP, AI call handling, transcription, and analytics. Cloud infrastructure: Microsoft Azure. BAA confirmed active. AI transcription enabled by default for all voicemails.
• CareStack / Good Methods Global, Inc.: Practice management and patient communication platform. Cloud infrastructure: Microsoft Azure. BAA confirmed active. AI features: Scribe AI, VoiceStack AI, Neo AI (not currently enabled). CareStack confirmed no patient PHI is used to train any AI models. Written confirmation on file.
• Wispr Flow: AI-assisted voice dictation and chart note transcription. BAA signed; Privacy Mode (Zero Data Retention) permanently activated. No dictation audio or transcript data retained after transcription. No data used for AI model training.
• Overjet, Inc.: FDA 510(k)-cleared AI-assisted dental radiographic analysis (Vision AI). HITRUST certified. HIPAA Business Associate. Cloud infrastructure: Microsoft Azure and AWS. Encryption at rest and in transit confirmed. BAA executed. Overjet BAA Section 2.6 explicitly authorizes use of de-identified PHI for AI model training — consistent with Overjet's practice of using only fully de-identified, anonymized dental radiographs for model improvement.
• Darkhorse Tech: Dental-specific managed IT services — cloud backup, network security, and IT infrastructure support. BAA executed and on file.
• Oahu Computers: Local Hawaii IT provider (Pearl City, HI) — network solutions and hardware support. BAA executed and on file.

Downstream and Subcontractor Data Handling

Primary vendors (Business Associates) may themselves engage subcontractors who may also access PHI in the course of providing services. Under HIPAA, Business Associates are required to enter into BAAs with any subcontractor that creates, receives, maintains, or transmits PHI on their behalf (45 C.F.R. § 164.308(b)(2)). The Practice requires vendors to disclose material subcontractors and confirm that appropriate protections are in place throughout the data handling chain. Vendor subcontractors may include cloud infrastructure providers (Microsoft Azure, Amazon Web Services) and third-party telephony providers such as Twilio for SMS and VoIP routing through VoiceStack.

Patients acknowledge that AI-assisted technologies involve certain inherent technical and operational risks, including:

• Transcription Inaccuracies: AI transcription systems may produce errors or omissions. All AI-generated transcriptions are subject to clinician review before becoming part of the official patient record.
• AI Hallucination Risk: AI systems can generate plausible-sounding but factually incorrect output. This risk is mitigated by requiring clinician review and verification of all AI-generated clinical content.
• Algorithmic Bias: AI systems may reflect biases present in their training data. The Practice monitors AI tool performance and does not rely solely on AI output for clinical decisions.
• Technical Malfunctions: AI and electronic systems may experience downtime or service interruptions. Clinical workflows are maintained through manual processes in the event of system outages.
• Cybersecurity Risks: Despite reasonable safeguards, no electronic system is completely immune to unauthorized access, data breaches, or other cybersecurity incidents.
• Communication Delays: Automated communication workflows may experience delays due to carrier, network, or system limitations outside the Practice's direct control.

Incident Response and Breach Notification

In the event of a security incident or breach involving PHI processed by an AI-assisted system, the Practice will conduct a risk assessment consistent with the HIPAA Breach Notification Rule (45 C.F.R. §§ 164.400–414), notify affected individuals without unreasonable delay and no later than 60 days following discovery, and comply with applicable Hawaii data breach notification requirements under Hawaii Revised Statutes Chapter 487N.

Patients retain the following rights in connection with the Practice's use of AI-assisted technologies:

• Right to Request Non-AI Alternatives: Patients may request that certain AI-assisted workflows be modified or avoided in connection with their care. The Practice will make reasonable, clinically feasible accommodations.
• Right to Access Records: Patients retain the right to access their medical records, including records created or processed with AI-assisted documentation tools, consistent with HIPAA and applicable Hawaii law.
• Right to Amend Records: Patients may request amendment of records they believe to be inaccurate or incomplete, including AI-generated documentation, consistent with 45 C.F.R. § 164.526.
• Right to an Accounting of Disclosures: Patients may request an accounting of disclosures of their PHI, including disclosures made to AI vendors and business associates, to the extent required by HIPAA.
• Right to a Copy of This Notice: Patients may request a current copy of this Notice at any time from our office.
• Right to File a Complaint: Patients who believe their privacy rights have been violated may file a complaint with the Practice's HIPAA Privacy Officer or directly with the U.S. Department of Health and Human Services Office for Civil Rights (OCR) at www.hhs.gov/ocr without retaliation.

By receiving treatment, communicating with the Practice, signing the Practice's AI Consent and Acknowledgment Form, or continuing care with the Practice after receiving this Notice, patients acknowledge and consent to the Practice's use of AI-assisted technologies for healthcare operations, treatment coordination, documentation, communication, and administrative support as described in this Notice.

Patients understand that AI-assisted technologies are supplemental tools and are not substitutes for licensed professional clinical judgment or independent clinician review.

The Practice reserves the right to implement additional AI-assisted technologies, local AI systems, cloud-based systems, workflow automation systems, imaging analysis systems, communication platforms, and operational technologies as healthcare technology evolves and as the Practice's operational needs develop. Future implementations may include:

• Private or locally-hosted AI language models operating within the Practice's own network infrastructure
• AI-assisted diagnostic imaging analysis integrated with radiographic equipment
• Automated patient communication and scheduling platforms
• AI-assisted treatment planning support tools
• Online scheduling and AI chatbot features integrated into the Practice's website

Any future AI technology that involves processing of patient PHI will be governed by an executed Business Associate Agreement and will be implemented consistent with HIPAA requirements. This Notice will be updated to reflect material changes in AI technology use, and patients will be notified as required by applicable law.

TO THE FULLEST EXTENT PERMITTED BY APPLICABLE LAW, AIEA PEARL CITY DENTAL CARE LLP AND ITS PARTNERS, ASSOCIATED PROFESSIONAL ENTITIES, ASSOCIATE DENTISTS, INDEPENDENT CONTRACTORS, EMPLOYEES, WORKFORCE MEMBERS, AGENTS, REPRESENTATIVES, AFFILIATES, SUCCESSORS, AND ASSIGNS SHALL NOT BE LIABLE FOR:

• Technical errors or inaccuracies in AI-generated transcriptions or documentation
• Software interruptions, system outages, or AI service unavailability
• Delays in AI-assisted communications
• Cybersecurity incidents beyond the Practice's reasonable control
• Third-party technology failures or vendor system errors
• AI hallucinations or algorithmic errors that do not affect clinical outcomes due to clinician review
• Indirect, incidental, consequential, special, exemplary, or punitive damages arising from AI-assisted systems used in healthcare operations

Nothing in this Notice limits rights that cannot be legally waived under applicable federal or Hawaii law, including rights under HIPAA, HITECH, or Hawaii Revised Statutes Chapter 323C.

The Practice reserves the right to modify this Notice at any time to reflect changes in AI technology use, applicable law, or regulatory guidance. Material changes will be communicated through the Practice's website or other appropriate patient communication channels, and the effective date at the top of this Notice will be updated. Patients may request a current copy of this Notice from our office at any time.

Patients with questions regarding AI-assisted technologies, privacy practices, or this Notice may contact us: