The promise of AI-powered scheduling for dental practices is compelling: 24/7 booking, automated reminders, zero hold times. But every dental IT director and practice manager asks the same question before signing anything — is it HIPAA-compliant? The answer depends entirely on how the AI is built, not just what it does.
Why Most AI Tools Fail HIPAA By Design
The most common HIPAA failure mode in AI systems is Protected Health Information (PHI) appearing in model prompts. When a scheduling assistant sends a message like “John Smith’s root canal is scheduled for Friday — please confirm” to a large language model, that PHI (name plus procedure) is now inside a third-party AI system. If that system logs prompts (most do, by default), uses submitted data for training (many do), or stores conversation context in non-compliant infrastructure, you have a potential HIPAA violation. And if the model provider has not signed a Business Associate Agreement, sending the prompt at all is an impermissible disclosure, whatever the provider does with it afterward.
Generic AI chatbots, consumer-grade scheduling tools with AI bolted on, and most LLM-based assistants are not designed with PHI segregation in mind. They fail not because of malicious intent, but because their architecture never considered healthcare compliance.
How Kuro Panthera Handles It
No PHI in Model Prompts
Kuro Panthera’s architecture segregates PHI from LLM context at the infrastructure level. The AI receives anonymized scheduling intents — “user wants to book a cleaning, prefers mornings, has an existing patient record” — without transmitting the patient’s name, date of birth, insurance details, or procedure codes to the model. PHI lives in your existing scheduling system (Dentrix, Eaglesoft, Open Dental) and is never exported to the AI inference layer.
Audit Logs in Supabase
Every interaction that touches patient data is logged with full audit trails in a dedicated Supabase instance with row-level security. Logs include timestamp, action type, which staff member or system triggered the action, and a hash of the affected record (not the PHI itself). These logs are retained for 6 years, matching the six-year documentation retention period in HIPAA’s Security Rule (45 CFR 164.316(b)(2)), and are exportable for OCR audit responses.
Data Residency
All data processing occurs within US-based infrastructure (AWS us-east-1 / us-west-2). No patient data crosses international borders. Supabase’s US regions are used exclusively. LLM inference is routed to US endpoints only.
The Booking Flow: Technical Walkthrough
- Patient initiates contact via SMS or WhatsApp: “I need to schedule a cleaning.”
- Kuro Panthera agent receives the message, parses the intent (appointment request, type: cleaning), and queries your scheduling system API for available slots — using only an anonymized patient token, not PHI.
- Available slots are presented to the patient. Selection is captured and written back to the scheduling system via a server-side API call that never traverses the LLM.
- Confirmation is sent to the patient. The confirmation message is templated on your servers with PHI substituted in — the LLM only generated the intent and the template selection, not the final message with PHI.
- Audit record is written: action=appointment_booked, timestamp, patient_token (hashed), provider_id. No PHI in the audit log.
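A worked example of the segregation described under “No PHI in Model Prompts” and of the five booking steps above, added here as illustration; it is not Kuro Panthera’s own code. Everything in it is constructed: the patient record, the server secret, the message template, and `classify_intent`, which stands in for the model call and returns only a structured intent and a template id. The page says the audit log stores a hash of the affected record; this example uses an HMAC with a server-held key, a design choice of the example, because a bare hash over the small space of patient ids could be brute-forced back to the id. The outbound guard `assert_no_phi` is the check a practitioner would want in front of every model call: it refuses to send the payload if any PHI value survives in it.

```python
import hashlib
import hmac
import json
from datetime import datetime, timezone

# Constructed sample record, standing in for a row in the practice's scheduling
# system (Dentrix, Eaglesoft, Open Dental). Hypothetical values.
PATIENT_RECORD = {
    "patient_id": "P-10492",
    "first_name": "John",
    "last_name": "Smith",
    "dob": "1984-03-09",
    "insurance_member_id": "ABC123456",
    "phone": "+15551234567",
}

# Fields whose values must never reach the inference layer.
PHI_FIELDS = ("first_name", "last_name", "dob", "insurance_member_id", "phone")

# Assumption: a server-side secret that is never sent to the model. A keyed hash
# is used instead of a bare SHA-256 because patient ids form a small space that
# a bare hash could be brute-forced back from.
TOKEN_KEY = b"rotate-me-server-secret"

# Confirmation templates live on the server; the model only picks a template id.
TEMPLATES = {
    "confirm_booking": "Hi {first_name}, your {appointment_type} is booked for {when}. Reply YES to confirm.",
}


def patient_token(patient_id: str, key: bytes = TOKEN_KEY) -> str:
    """Opaque token for a patient: HMAC-SHA256 over the internal id, truncated for readability."""
    return hmac.new(key, patient_id.encode(), hashlib.sha256).hexdigest()[:32]


def scrub_message(message: str, record: dict) -> str:
    """Replace this patient's known identifiers in free text with a placeholder.
    Exact-match only: it catches the patient restating their own details in the
    SMS, not arbitrary PHI about someone else."""
    for field in PHI_FIELDS:
        message = message.replace(str(record[field]), "[redacted]")
    return message


def build_llm_payload(message: str, record: dict) -> dict:
    """The only object that crosses into the inference layer: a token, a flag and scrubbed text."""
    return {
        "patient_token": patient_token(record["patient_id"]),
        "existing_patient": True,
        "message": scrub_message(message, record),
    }


def assert_no_phi(payload: dict, record: dict) -> None:
    """Outbound guard: refuse to call the model (or write a log) if any PHI value is present."""
    serialized = json.dumps(payload)
    leaked = [f for f in PHI_FIELDS if str(record[f]) in serialized]
    if record["patient_id"] in serialized:
        leaked.append("patient_id")
    if leaked:
        raise ValueError(f"PHI would leave the PHI boundary: {leaked}")


def classify_intent(payload: dict) -> dict:
    """Stand-in for the model call (no network). Returns structured intent and a
    template id, never a finished message; a real model would be prompted to do the same."""
    text = payload["message"].lower()
    appointment_type = "cleaning" if "clean" in text else "exam"
    return {"intent": "book_appointment", "appointment_type": appointment_type,
            "template": "confirm_booking"}


def render_confirmation(llm_result: dict, record: dict, slot: str) -> str:
    """Server-side templating: PHI is substituted here, after the model has returned."""
    template = TEMPLATES[llm_result["template"]]
    return template.format(first_name=record["first_name"],
                           appointment_type=llm_result["appointment_type"], when=slot)


def audit_record(action: str, record: dict, provider_id: str,
                 actor: str = "system:scheduling-agent") -> dict:
    """Audit row in the shape the page describes: token and metadata, no PHI."""
    return {
        "timestamp": datetime.now(timezone.utc).isoformat(),
        "action": action,
        "actor": actor,
        "patient_token": patient_token(record["patient_id"]),
        "provider_id": provider_id,
    }


def book_appointment(message: str, record: dict, slot: str, provider_id: str) -> dict:
    """End-to-end flow: scrub -> guard -> model -> server-side templating -> audit -> guard."""
    payload = build_llm_payload(message, record)
    assert_no_phi(payload, record)          # nothing leaves for the model with PHI in it
    result = classify_intent(payload)
    confirmation = render_confirmation(result, record, slot)
    audit = audit_record("appointment_booked", record, provider_id)
    assert_no_phi(audit, record)            # the page promises no PHI in the log either
    return {"llm_payload": payload, "confirmation": confirmation, "audit": audit}


if __name__ == "__main__":
    out = book_appointment("Hi, this is John Smith, I need to schedule a cleaning.",
                           PATIENT_RECORD, "Friday 9:00am", "DR-7")
    print(json.dumps(out, indent=2))
```

The scrub step handles the failure mode the flow above does not spell out: the patient typing their own name into the SMS. It is exact-match against that one patient’s known values, so it is a backstop, not a substitute for keeping identifiers out of the structured payload in the first place. Running the same guard over the audit row before it is written is cheap and turns the “no PHI in the audit log” promise into something the code enforces rather than assumes.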
BAA Requirements
HIPAA requires a Business Associate Agreement (BAA) with any vendor that handles PHI on behalf of a covered entity. Kuro Panthera executes a BAA with all healthcare vertical customers before go-live. The BAA covers:
- Permitted uses and disclosures of PHI
- Safeguards to prevent unauthorized use
- Reporting obligations for breaches
- Return or destruction of PHI upon contract termination
- Subcontractor BAA chain (Supabase, cloud infrastructure providers)
HIPAA Compliance Checklist for Dental Practices Evaluating AI
- PHI segregation: Does PHI ever appear in LLM prompts? (Must be NO. If it does, the model provider is itself a business associate that needs its own BAA, and its prompt-logging and training policies become your compliance problem.)
- BAA availability: Will the vendor sign a BAA? (Must be YES)
- Data residency: Is all data processed in the US? (Strongly recommended)
- Audit logging: Are all PHI-adjacent actions logged with retention? (Must be YES, 6-year minimum)
- Access controls: Is PHI access role-restricted and logged? (Must be YES)
- Encryption: Is PHI encrypted at rest and in transit? (Must be YES. HIPAA names no specific algorithm, but AES-256 at rest and TLS 1.2 or later in transit, with TLS 1.3 preferred, is the baseline to expect.)
- Breach notification: Does the vendor have a defined breach response SLA? (Must be YES. HIPAA’s 60 days is the outer limit, and your own 60-day clock for notifying patients runs in parallel, so the vendor’s commitment to notify you should be much shorter, or you inherit their delay.)
Kuro Panthera passes every item on this checklist. If your practice is evaluating AI scheduling solutions, we are happy to provide our security documentation and BAA template for review. Contact us to request them.