
    Questions to Ask Before Connecting Any Tool to Your PMS


    That new software promises to save you hours every week. But before you hand over the keys to your practice management system, there are questions you need to ask that the sales rep probably will not bring up.

    The Integration Decision

    Every few months, another software vendor approaches your practice with a compelling pitch. They will automate something tedious. They will surface insights you are missing. They will integrate seamlessly with your existing systems. All they need is access to your practice management system.

    The benefits may be real. Many tools genuinely improve practice operations. But every integration creates a connection between your PMS and an outside system, and that connection carries implications for security, compliance, and operational stability that are not always obvious from a product demo.

    The challenge is that most practice owners are not IT security experts. You chose dentistry, not cybersecurity. When a vendor says their integration is "secure" or "HIPAA compliant," you may not know what follow-up questions to ask or how to evaluate their answers.

    This guide provides the questions you should ask before connecting any tool to your practice management system. These are not gotcha questions designed to trip up vendors. They are reasonable inquiries that any legitimate software provider should be able to answer clearly and completely. The answers will help you distinguish between vendors who have built proper, secure integrations and those who have taken shortcuts that could create problems for your practice.

    How Does Your Software Connect to Our PMS?

    This is the foundational question, and the answer reveals more than any other about how the vendor approaches integration.

    There are essentially three ways software can connect to a practice management system. The first is through official APIs and integration partnerships. Major PMS platforms like Dentrix, Eaglesoft, Open Dental, and Curve offer documented interfaces that third-party developers can use to read and write data. These interfaces are designed, maintained, and supported by the PMS vendor. When a software provider uses these official channels, updates to the PMS are less likely to break the integration, and the data exchange happens through methods the PMS vendor has explicitly approved.

    The second approach is screen scraping or robotic process automation. Instead of using official interfaces, the software mimics a human user, logging into the PMS with credentials and reading data off the screen or navigating through menus programmatically. This approach does not require partnership with the PMS vendor, which is why some companies use it. But it creates significant risks that we will discuss shortly.

    The third approach is direct database access, where the software connects directly to the underlying database that powers your PMS. This bypasses the PMS application entirely and reads data straight from the source. It can be fast and comprehensive, but it is also fragile, unsupported, and potentially problematic from both a technical and compliance perspective.

    When you ask this question, listen for specificity. A vendor with official integration should be able to name the specific API or integration program they use. They might say "We use the Dentrix G7 API" or "We are a certified Open Dental bridge partner." Vague answers like "We integrate directly with your system" or "We pull data automatically" warrant follow-up questions.

    Are You a Certified or Approved Partner of Our PMS Vendor?

    Most major PMS platforms have partner programs that vet third-party integrations. These programs vary in rigor, but certification generally means the PMS vendor has reviewed the integration, confirmed it uses approved methods, and agreed to support the connection going forward.

    Ask whether the vendor is certified, and then verify independently. Dentrix publishes a list of integrated partners. So does Eaglesoft. Open Dental maintains documentation on approved bridges. A quick check of these resources confirms whether the vendor's claim is accurate.

    If the vendor is not certified, ask why. There may be legitimate reasons. Perhaps they serve a niche use case that the PMS vendor does not prioritize for partnership. Perhaps certification is in progress. But the absence of certification should prompt deeper questions about how the integration actually works and what risks that creates.

    Some vendors will claim they do not need certification because their integration method does not require it. This is sometimes true for approaches that do not access the PMS at all, like tools that only connect to your bank or merchant processor. But if the software reads or writes data in your PMS, the absence of certification is a yellow flag worth exploring.

    What Credentials Does Your Software Need, and How Are They Stored?

    Every integration requires some form of authentication, a way to prove that the software is authorized to access your data. The nature of that authentication matters enormously for security.

    Official API integrations typically use tokens or keys rather than user credentials. The PMS generates a specific authorization that grants the third-party software limited, defined access. This token can be revoked without changing anyone's password, and its use can be logged and audited.

    Screen scraping integrations, by contrast, usually require actual user credentials: a username and password that someone at your practice would use to log in. The software then stores these credentials so it can log in repeatedly without human intervention.

    This credential storage creates risk. If the vendor's systems are breached, your PMS login credentials may be exposed. If an employee whose credentials are being used leaves your practice, you need to remember to change those credentials with the vendor, not just in your PMS. If the vendor's software malfunctions and attempts too many logins, it might trigger security lockouts.

    Ask specifically: "Does your software need to store any of our staff's login credentials?" If the answer is yes, ask how those credentials are stored, encrypted, and protected. Ask what happens if a staff member whose credentials you provided leaves the practice. Ask whether you will receive any notification if those credentials are used in unusual ways.

    The best integrations do not require storing user credentials at all. They use purpose-built authentication that separates the software's access from any individual person's access.

    What Happens When Our PMS Updates?

    Practice management systems update regularly. Sometimes these updates are minor patches. Sometimes they are major version upgrades that change how the software works. Either type of update can affect integrations, but the impact varies dramatically depending on how the integration was built.

    Official API integrations are generally resilient to updates. PMS vendors design their APIs to be stable, and they typically notify integration partners in advance when changes are coming. Breaking changes happen occasionally, but partners have time to adapt, and the integration usually continues working through routine updates.

    Screen scraping integrations are fragile by nature. They depend on the PMS interface looking and behaving exactly as expected. When the PMS vendor moves a button, changes a menu, or modifies a screen layout, the scraping software may stop working. Your practice might come in Monday morning to discover that the integration you depend on failed silently over the weekend because the PMS updated overnight.

    Ask the vendor directly: "When our PMS updates, what happens to your integration?" Listen for whether they have a process for monitoring updates, how quickly they can respond to breaking changes, and what their track record has been with past updates. Ask whether you will be notified if the integration breaks and how long a fix typically takes.

    Also ask about major version upgrades. If you are planning to move from Dentrix G6 to G7, or from a legacy Eaglesoft version to a current one, will the integration continue working? Does the vendor support multiple PMS versions simultaneously?

    How Do You Handle Protected Health Information?

    Your practice management system contains protected health information subject to HIPAA regulations. Any software that accesses that data becomes part of your HIPAA compliance landscape, which creates obligations for both you and the vendor.

    At minimum, the vendor should execute a Business Associate Agreement with your practice. This contract establishes that they understand their responsibilities under HIPAA, that they will protect the data they access, and that they will notify you if they experience a breach. If a vendor is unwilling to sign a BAA, that is disqualifying. Walk away.

    Beyond the BAA, ask how the vendor protects PHI in practice. Where is data stored? Is it encrypted at rest and in transit? Who at the vendor can access your data, and what controls exist on that access? How long is data retained, and what happens to it if you terminate the relationship?

    Ask about the vendor's security practices more broadly. Have they completed a SOC 2 audit? Do they conduct regular penetration testing? Do they have security certifications? These questions may seem technical, but the vendor should be able to answer them in plain language. Evasive or confused responses suggest security is not a priority.

    Also consider what data the vendor actually needs. Some integrations require comprehensive access to patient records. Others only need financial data. A vendor asking for more access than their product requires is another yellow flag. The principle of least privilege suggests they should only access what is necessary for their software to function.

    What Audit Trail Does Your Software Create?

    When your staff accesses patient records in your PMS, that access is typically logged. You can see who looked at what and when. This audit trail is both a compliance requirement and a protection against misuse.

    Third-party integrations should maintain similar accountability. When the vendor's software reads or writes data in your system, there should be a record of what was accessed and what changes were made.

    Ask the vendor: "What logging do you maintain for actions your software takes in our PMS? Can we access those logs? How long are they retained?" Some integrations offer detailed audit trails that you can review anytime. Others provide minimal logging that would make it difficult to investigate if something went wrong.

    Also ask how actions taken by the integration appear in your PMS's own audit trail. Official API integrations often have their own identity in the PMS logs, so you can distinguish between actions taken by staff and actions taken by the integration. Screen scraping integrations use staff credentials, so their actions appear as if a human user did them, making it harder to audit what the software actually accessed.
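
    As an added illustration (not part of the original article and not any PMS vendor's code), the script below reviews an exported audit log for staff accounts whose activity looks automated, which is how an integration running under a staff login tends to surface in the PMS's own trail. The CSV columns, account names, staffed hours, and thresholds are assumptions constructed for the example.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime, time

# Constructed sample export; real PMS audit logs use their own columns and formats.
SAMPLE_AUDIT_CSV = """timestamp,account,account_type,action,record
2024-03-04 09:12:05,jsmith,staff,view_ledger,P-1001
2024-03-04 09:31:40,jsmith,staff,view_ledger,P-1002
2024-03-04 10:02:11,svc-recon-api,integration,read_payments,P-1001
2024-03-05 02:14:01,mlee,staff,view_ledger,P-1003
2024-03-05 02:14:02,mlee,staff,view_ledger,P-1004
2024-03-05 02:14:03,mlee,staff,view_ledger,P-1005
2024-03-05 02:14:04,mlee,staff,view_ledger,P-1006
"""

OPEN, CLOSE = time(7, 0), time(19, 0)  # assumed staffed hours
MIN_HUMAN_GAP_SECONDS = 2              # assumed: people rarely open records faster
BURST_LENGTH = 3                       # consecutive fast actions needed to flag

def flag_automation_on_staff_accounts(csv_text):
    """Return {account: sorted reasons} for staff accounts that look scripted."""
    events = defaultdict(list)
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["account_type"] != "staff":
            continue  # integration identities are already attributable in the log
        events[row["account"]].append(
            datetime.strptime(row["timestamp"], "%Y-%m-%d %H:%M:%S"))

    findings = {}
    for account, stamps in events.items():
        stamps.sort()
        reasons = set()
        if any(not (OPEN <= ts.time() <= CLOSE) for ts in stamps):
            reasons.add("activity outside staffed hours")
        fast_run = 0
        for earlier, later in zip(stamps, stamps[1:]):
            gap = (later - earlier).total_seconds()
            fast_run = fast_run + 1 if gap < MIN_HUMAN_GAP_SECONDS else 0
            if fast_run >= BURST_LENGTH:
                reasons.add("machine-speed burst of actions")
        if reasons:
            findings[account] = sorted(reasons)
    return findings

if __name__ == "__main__":
    for account, reasons in flag_automation_on_staff_accounts(SAMPLE_AUDIT_CSV).items():
        print(account, "->", "; ".join(reasons))
```

    A flagged account is a prompt to ask who or what is using that login, not proof of misuse; the integration's own service identity is skipped because its actions are already distinguishable.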

    What Support Do You Provide When Things Go Wrong?

    Integrations break. Software has bugs. Sometimes the problem is on the vendor's end, sometimes on yours, and sometimes the cause is unclear. When issues arise, you need to know what support is available.

    Ask about the vendor's support channels. Can you call someone, or is support only available via email or chat? What are their response time commitments? Is support available during the hours your practice operates?

    Ask specifically about integration issues. If the connection between their software and your PMS stops working, what is the process for diagnosing and resolving the problem? Will they work directly with your PMS vendor if needed, or will you be stuck in the middle trying to coordinate between two companies that each blame the other?

    Ask about their track record. How often do integration issues occur? What was the longest outage in the past year, and what caused it? A vendor confident in their integration quality should be able to answer these questions honestly.

    What Happens If We Stop Using Your Software?

    The beginning of a vendor relationship is also the time to think about how it might end. Software needs change. Vendors get acquired or go out of business. You may simply find a better alternative.

    Ask what happens to your data if you terminate the relationship. Can you export everything the software has collected? In what format? How long do you have to retrieve your data before the vendor deletes it?

    Ask about the integration itself. Can you revoke the software's access to your PMS cleanly and completely? If the vendor stored credentials, what ensures those credentials are deleted from their systems?

    Ask whether there are any termination fees or long notice periods that might complicate a transition. Understanding the exit before you enter protects you from unpleasant surprises later.

    The Questions They Should Ask You

    A vendor focused on security and compliance should ask you some questions too. They should want to understand your PMS version, your IT environment, and your compliance requirements. They should ask about your practice's policies for vendor access and data handling.

    If a vendor is eager to connect to your PMS without asking any questions about your setup or requirements, that eagerness might indicate they are prioritizing speed over security. A brief mutual discovery process is actually a good sign that the vendor takes integration seriously.

    Putting It Together

    Asking these questions is not about being difficult or paranoid. It is about making informed decisions for your practice. Legitimate vendors with proper integrations welcome these questions because they demonstrate that you take your practice's security seriously, and because the vendors can answer them confidently.

    When you do ask, pay attention not just to the content of the answers but to how they are delivered. A vendor who can clearly explain their integration architecture, who provides specific details about their security practices, and who readily offers documentation like BAAs and security certifications is demonstrating that they have built their software responsibly.

    A vendor who seems confused by basic security questions, who cannot explain how their integration actually works, or who is dismissive of your concerns is showing you something important about how they approach the relationship. Trust what they are showing you.

    Zeldent connects to your PMS through official integration partnerships, not screen scraping or credential storage. We execute BAAs with every practice, maintain comprehensive audit trails, and provide dedicated support when you need it. If you are evaluating reconciliation tools and want to see what a properly built integration looks like, schedule a demo.
