Does your practice offer an information security level sufficient to ensure the safe and proper protection of the information it holds?
Does your practice have a process for document classification, retention, destruction and de-identification of patient information?
This will provide documented evidence of good practice in information security, including the secure disposal and de-identification of information and proper data retention periods.