The Health Professions Appeal and Review Board’s December 2025 decision in Drake v. Mueller offers a cautionary lesson for Ontario dentists about patient privacy, informed consent, and the regulatory risks of using video surveillance in dental offices. While the case did not result in discipline, it confirms that even inactive or partially implemented surveillance systems can trigger serious College scrutiny and mandatory remediation. The decision reinforces the Royal College of Dental Surgeons of Ontario’s (RCDSO) expectations around patient privacy, informed consent, and a dentist’s responsibility for their practice’s technology systems.
In this post, we explain what happened, why the RCDSO intervened, and what dentists should take away before considering any form of video surveillance in their practices.
The Complaint and Why It Escalated
The complaint arose from a deteriorating professional and personal relationship between the dentist, Dr. David Drake, and an IT contractor who was also his patient and tenant. The contractor alleged that video cameras installed in the dental office breached patient privacy, that patient information had been improperly shared, and that a police report had been filed in retaliation.
Most of these allegations were ultimately dismissed. However, the presence of video surveillance equipment inside the dental office was enough to prompt intervention by the RCDSO’s Inquiries, Complaints and Reports Committee (ICRC).
Dr. Drake maintained that the cameras were installed for security and safety purposes, but were not fully operational. Nonetheless, the ICRC focused on the privacy implications created by the installation itself, rather than on whether recordings had actually occurred.
The Issues
At the centre of the case were two related questions:
- Can video surveillance equipment inside a dental office raise patient privacy and consent concerns even if the cameras are not actively recording?
- Is regulatory intervention justified where the risk of a privacy breach exists, even without evidence of actual misuse?
The Decision
The ICRC directed Dr. Drake to complete a Specified Continuing Education or Remediation Program (SCERP) focused on informed consent and patient privacy, along with 24 months of practice monitoring.
Dr. Drake appealed the decision, arguing it was overly punitive and reiterating that the cameras were not operational during the inspection and that no patient information had been recorded. The Health Professions Appeal and Review Board disagreed and confirmed the College’s decision in full. The Board confirmed that the RCDSO does not need to establish actual harm or a proven privacy breach before taking action. The risk created by installing surveillance equipment in a clinical environment, particularly without explicit patient knowledge and consent, was sufficient to justify remediation.
Why This Matters for Dentists
Intent Does Not Eliminate Risk
A critical takeaway from this decision is that good intentions do not neutralize privacy concerns. The Board accepted the ICRC’s reasoning that the dentist intended to rely on his existing signage and consent processes once the new cameras were operational. However, those processes were already inadequate, posing a real risk to patient privacy—even before recording began.
The Board made clear that waiting to “fix” consent and signage later is not an acceptable compliance strategy. Dentists must have privacy-compliant systems in place before surveillance is installed or activated.
Consent Is Not a Formality
At the heart of the decision is the RCDSO’s long-standing guidance on the use of video cameras in dental offices. The Board endorsed the Committee’s finding that Dr. Drake’s consent process fell short in several ways.
The signage in the practice was not prominent and did not explain that cameras could record both audio and video. The patient consent form merely stated that the office had recording devices, without disclosing who could access recordings, how they were stored, how long they were retained, or what security safeguards were in place. Critically, the Committee emphasized that video recordings in operatories are personal health information and must be treated as part of the patient record.
For Ontario dentists, the message is unmistakable: generic consent language and implied acceptance are insufficient when surveillance is involved. Express consent is required wherever surveillance is present and must be detailed, informed, and documented in the patient’s chart. Anything less invites regulatory intervention.
You Are Responsible for Your IT Systems
Another important lesson from the case is that dentists cannot shift privacy responsibility to vendors. The dentist argued that any weaknesses in the surveillance system were the IT provider’s fault and that he did not intend for the contractor to have access to recordings. The Board rejected that framing outright.
Under Ontario law, the dentist remains fully responsible for safeguarding personal health information, including ensuring that access controls are secure, credentials are limited, and third parties cannot view or retrieve recordings. Even unintended access is treated as a serious compliance concern.
This reinforces a broader regulatory reality: outsourcing technology does not outsource accountability.
Regulatory Action Can Be Preventive
Finally, this case illustrates the preventative role of professional regulators. Colleges are not required to wait for a proven breach, patient harm, or misuse of information before intervening. The Board emphasized that SCERPs and monitoring are remedial, not punitive and squarely aimed at protecting the public. The ICRC considered the dentist’s lack of prior privacy-related history and tailored its response accordingly.
From a regulatory standpoint, the decision reinforces that education orders are often the College’s preferred response when deficiencies relate to systems, insight, or compliance — rather than clinical incompetence.
What Ontario Dentists Should Do Now
This decision has immediate implications for dental practices across the province. Dentists using or contemplating video surveillance should carefully reassess their current setup.
Surveillance in patient-care areas, transitional spaces, or locations where personal health information may be visible requires careful planning and clear consent processes. Dentists must confirm whether the cameras record audio, who can access the footage, where recordings are stored, and how long they are retained. Consent forms should be reviewed to ensure they fully comply with the RCDSO’s guidance and the Personal Health Information Protection Act. Signage must be clear, prominent, and informative — not symbolic.
Equally important, dentists should document their decision-making and demonstrate insight. The absence of proactive correction in this case weighed against the applicant. Regulatory bodies expect dentists to recognize potential privacy risks and address them promptly, not defensively.
Bottom Line
The Drake v. Mueller decision underscores that privacy compliance in dental practices should be proactive, not reactive. With increasing use of digital systems, cameras, cloud storage, and third-party vendors, Colleges are scrutinizing how personal health information is collected, used, stored, and protected. Even well-intentioned decisions can escalate into regulatory involvement if risks are not anticipated and managed carefully.
