AI Chatbot for Medical Practices: The GDPR Guide for 2026
Discover how medical practices, pharmacies and dental offices in Europe use AI chatbots for patient FAQ — GDPR-compliant, hosted in France.
Your practice’s phone rings 40 times a day with the same questions: “What are your opening hours?” “Do you accept new patients?” “What documents should I bring?” “How does reimbursement work?” Your receptionist answers each one — instead of focusing on the patients in front of them.
AI chatbots are solving exactly this problem for medical practices, pharmacies, dental offices, and opticians across France and Europe. But in healthcare, the question of data sovereignty is not optional. Let’s break down what you can automate, what you cannot, and why the choice of hosting matters.
Why Healthcare Practices Are Adopting AI Chatbots in 2026
The numbers are hard to ignore. According to recent market data, 75% of healthcare organizations are now integrating AI into their operations in 2026, and the global healthcare AI market is projected to reach $45 billion — up from $4.9 billion in 2020. That is nearly a tenfold increase in six years.
The trigger? In January 2026, OpenAI launched its healthcare-focused ChatGPT service in the United States, sending a clear signal that tech giants are moving aggressively into medical AI. This has accelerated the race for sovereign European alternatives that can match the capability without shipping patient data across the Atlantic.
For a general practice, pharmacy, or specialist clinic in France, the math is simple: a chatbot that answers routine administrative questions around the clock costs a fraction of the staff time it replaces — and it never puts a patient on hold.
What a Medical Practice Chatbot Can (and Cannot) Do
This distinction is critical, both legally and practically.
What AI chatbots handle well in healthcare settings
Administrative FAQ is the primary and safest use case. A well-trained chatbot answers:
- Opening hours and appointment booking procedures
- Which specialist is available and when
- What documents to bring to the first consultation
- Insurance and reimbursement procedures (Sécurité Sociale, mutuelles)
- Directions, parking, accessibility information
- Vaccination schedules and general preventive health information already published by public health authorities
- Post-visit instructions for standard procedures (pre-op, post-op, medication schedules)
This content comes from documents your practice already publishes — appointment guides, patient leaflets, website FAQ pages. A RAG chatbot trained on these sources answers with your exact information, not something invented.
Lead qualification and appointment routing is the second strong use case. A chatbot can ask a new patient: “Is your request urgent, semi-urgent, or routine?” and direct them to the appropriate channel — emergency line, online booking, or a callback request form.
What AI chatbots must not do
An AI chatbot must never attempt to diagnose, prescribe, or give individualized medical advice. This is both an ethical boundary and a legal one under French and European law. A chatbot that says “Your symptoms suggest X, you should take Y” is a medical device under the EU Medical Devices Regulation — and triggers a completely different regulatory framework.
The rule is simple: your chatbot speaks from your published documents. It does not interpret symptoms, it does not recommend treatments, and it clearly identifies itself as an AI assistant at the start of every conversation (as required by the EU AI Act, effective August 2026).
GDPR and Data Sovereignty: Why Hosting Location Matters in Healthcare
Healthcare is a sensitive sector. Even for purely administrative interactions, you need to know where your data goes.
The HDS distinction
In France, HDS certification (Hébergement de Données de Santé) is required for systems that store or process health data — patient records, diagnoses, prescriptions, imaging results. If your chatbot only handles administrative FAQ (hours, procedures, documents) and does not store patient identifiers alongside medical information, you are operating outside HDS scope.
That said, even administrative chatbots collect data: names, email addresses, phone numbers submitted through contact forms. This data falls under standard GDPR rules — not HDS — but it still demands a hosting provider with proper data processing agreements and infrastructure in the EU.
The problem with US-hosted solutions
The dominant chatbot platforms — ChatGPT API, Chatbase, CustomGPT.ai — are hosted in the United States. Any conversation a patient has with your chatbot, including their name, symptoms they mention casually, or their contact details, may transit through American servers subject to US law (including the CLOUD Act).
For a French medical practice, this is a compliance risk. The CNIL has been clear: health-adjacent data must remain under European jurisdiction with appropriate safeguards.
DoxyChat: Built for European Data Sovereignty
DoxyChat is a 100% French AI chatbot platform, with data hosted exclusively on Scaleway infrastructure in France. It was built with GDPR compliance as a core principle, not an afterthought.
Three features make it particularly suited to healthcare settings:
RAG technology with zero hallucination outside your documents. DoxyChat does not generate answers from general training data. It retrieves information strictly from the documents you upload — your patient guide, your FAQ page, your procedure leaflets. If a patient asks something outside that scope, the bot says it does not know and suggests they call the practice. No invented medical information.
Private mode for sensitive environments. If you want your chatbot to be accessible only to authenticated users — for example, an internal knowledge base for staff — DoxyChat’s Private mode requires a verified Supabase account. For a patient-facing FAQ, Public mode works fine. For partner portals or internal use, Shared (password-protected) or Private gives you full control.
Native GDPR consent management. DoxyChat’s lead capture form includes built-in GDPR consent collection. When a patient submits their contact details through the chatbot, they explicitly consent to how their data will be used. The audit trail is built in.
Deployment takes under two minutes: upload your documents, embed a single line of JavaScript on your website, and your AI receptionist is live.
A Concrete Example: General Practice FAQ Bot
Let’s make this real. A GP clinic in Lyon uploads three documents to DoxyChat:
- Their practice information sheet (hours, location, doctors, specialties)
- Their new patient registration guide
- A FAQ on social security reimbursements and mutuelle procedures
The chatbot, embedded on their website, can now answer:
- “Is Dr. Martin accepting new patients?” — Yes, based on the uploaded document.
- “What should I bring for my first appointment?” — The full list from the patient guide.
- “How does reimbursement work if I don’t have a médecin traitant?” — Accurate procedure from the FAQ.
- “Can you tell me if I have appendicitis?” — “I’m an administrative assistant and I can’t answer medical questions. Please call the practice directly or dial 15 in case of emergency.”
The last answer is not a failure. It is exactly the correct behavior — and it is what distinguishes a responsible, well-configured RAG chatbot from a general-purpose LLM left to improvise.
Who Benefits Beyond General Practice
The same approach works across the broader healthcare ecosystem:
Pharmacies: Answer questions about opening hours, available services (blood pressure monitoring, vaccination), insurance reimbursement on common medications. Deflect clinical questions (“Is this drug right for me?”) to the pharmacist.
Dental practices: Appointment procedures, pricing transparency, pre-op and post-op care instructions, insurance coverage questions.
Opticians: Product information, appointment booking FAQ, insurance coverage for glasses and lenses.
Private clinics and specialist centers: Procedure preparation guides, post-operative care sheets, patient pathway information.
Physiotherapy and osteopathy practices: Session duration, pricing, what to wear, cancellation policy.
In every case, the chatbot handles the volume of routine administrative questions — freeing the front desk for complex interactions that genuinely require a human.
Getting Started in Two Minutes
The barrier to deploying an AI chatbot for your practice is lower than most healthcare professionals expect.
With DoxyChat’s free Discovery plan, you can create one chatbot, upload up to 10 documents, and handle 200 monthly conversations — enough to test the concept on your existing patient FAQ without any upfront commitment.
The paid plans (from €19/month) scale with your volume and give you access to web scraping so the bot can stay in sync with your published website content automatically.
Your documents. Your data. Your infrastructure, hosted in France.
Try DoxyChat free at www.doxychat.com — and give your receptionist their time back.
