In 2023, a mid-sized health plan paid over $1.2 million in a settlement with the HHS Office for Civil Rights after failing to produce documentation requested during a compliance review — including emails containing protected health information. The organization had purged email archives without a defensible retention policy, and OCR treated the gap as both a documentation failure and a potential Security Rule violation. HIPAA email retention is one of those requirements that flies under the radar until it triggers serious consequences.

Why HIPAA Email Retention Isn't Optional

Healthcare organizations consistently assume that HIPAA only requires retaining formal policies and signed authorizations. That assumption is wrong. The HIPAA Privacy Rule and Security Rule both impose documentation retention obligations that extend to any medium — including email — where protected health information is created, received, maintained, or transmitted.

Under 45 CFR § 164.530(j), covered entities must retain HIPAA-related documentation for six years from the date of creation or the date when the document was last in effect, whichever is later. This includes policies, procedures, written communications, and any actions, activities, or designations that the Privacy Rule requires to be documented.

The Security Rule adds its own layer. Under 45 CFR § 164.316(b)(2)(i), documentation related to Security Rule compliance — including risk analyses, audit logs, and security incident records — must also be retained for six years. If emails contain evidence of any of these activities, they fall squarely within the retention mandate.

Which Emails Fall Under HIPAA Email Retention Rules

Not every email your organization sends requires a six-year hold. The retention requirement applies to emails that serve as HIPAA-required documentation or that contain PHI. In my work with covered entities and business associates, I categorize retained emails into three buckets:

  • Emails containing PHI: Patient communications, referral correspondence between providers, lab result notifications, insurance coordination messages, and any email where protected health information is discussed or attached.
  • Emails documenting compliance activities: Correspondence about risk analysis findings, security incident response, breach notification decisions, workforce training completion, and policy approvals.
  • Emails related to Business Associate Agreements: Negotiations, executed agreements, termination notices, and any breach reports exchanged between a covered entity and a business associate.

If an email thread documents a decision required by HIPAA — say, a determination that a breach doesn't require individual notification — that thread is a compliance record and must be retained for six years.

The Biggest Mistake Organizations Make With Email Retention

The most dangerous practice I encounter is applying a blanket auto-delete policy to all email. Organizations set a 90-day or one-year purge cycle to manage storage costs, and in doing so, they destroy records that HIPAA requires them to keep. OCR doesn't accept "we deleted everything" as a defense during an investigation.

Equally problematic is the opposite extreme: retaining every email indefinitely without classification. This creates massive risk surfaces for breach exposure. The more unmanaged PHI sitting in email archives, the larger the potential impact when a compromise occurs — and the harder it becomes to conduct an accurate risk analysis.

Your organization needs a policy that distinguishes between routine operational email and HIPAA-regulated correspondence. Apply the six-year floor to the latter. Build in technical controls — litigation holds, retention labels, archive segregation — to enforce the policy automatically.

Aligning Email Retention With State Law and Other Regulations

HIPAA sets a six-year federal floor, but state laws often impose longer retention periods. In many states, medical records must be retained for seven to ten years — and some states extend requirements to ten years after the last patient encounter or until a minor reaches a certain age. Where emails constitute part of the medical record or the designated record set, the longer state requirement controls.

Additionally, organizations subject to the Federal Rules of Civil Procedure face preservation obligations once litigation is reasonably anticipated. Destroying emails containing PHI during a hold period can result in spoliation sanctions that compound any HIPAA penalties.

Building a Defensible HIPAA Email Retention Policy

A strong HIPAA email retention policy includes these components:

  • Scope definition: Identify which email categories are subject to HIPAA retention — PHI-containing messages, compliance documentation, BAA-related correspondence.
  • Retention periods: Set the six-year HIPAA minimum and layer applicable state requirements on top.
  • Technical enforcement: Use email archiving solutions that support automated retention labels, legal holds, and role-based access controls consistent with the minimum necessary standard.
  • Encryption and access controls: Archived emails containing PHI must remain protected under the Security Rule. Encryption at rest, audit logging, and access restrictions are non-negotiable.
  • Destruction procedures: When retention periods expire, PHI must be disposed of in compliance with 45 CFR § 164.310(d)(2) — rendering it unreadable and unrecoverable.
  • Workforce training: Every member of your workforce who uses email must understand what qualifies as a HIPAA-regulated communication and how to flag it for retention.

This last point is where most compliance programs fall short. Policies that exist only in a handbook don't protect your organization. Your team needs practical, role-specific training on email handling. Our HIPAA training and certification program covers email-specific scenarios that prepare your workforce to make the right call in real time.

What OCR Expects When They Come Asking

During a complaint investigation or compliance review, OCR routinely requests documentation going back several years. They expect to see your Notice of Privacy Practices versioning, risk analysis history, breach response records, and BAA documentation. If any of that lived in email and you can't produce it, you have a problem.

OCR has repeatedly emphasized that the inability to produce required documentation creates a presumption of noncompliance. In enforcement actions from 2019 through 2024, documentation failures have appeared as contributing factors in the majority of settlements exceeding $500,000. Your email archives are part of your compliance evidence — treat them accordingly.

Start With a Gap Assessment

If your organization doesn't have a written HIPAA email retention policy today, you're exposed. Start by inventorying where PHI exists in your email environment. Map those repositories against your current retention and deletion schedules. Identify the gaps between what you're keeping and what HIPAA and state law require you to keep.

Then formalize the policy, implement technical controls, and train your people. HIPAA Certify's workforce compliance platform can help you build a training program that addresses email retention, PHI handling, and the full range of Privacy and Security Rule requirements your team needs to understand.

HIPAA email retention isn't a storage question — it's a compliance obligation with real enforcement consequences. Build the policy now, before OCR asks for what you've already deleted.