Do HIPAA rules require a hospital to keep emails and texts that contain patient health information?
The short answer: HIPAA itself does not set a single retention period for clinical records, and it does not specifically say “keep every email or text.” Instead, two things matter — the content of the message and the type of HIPAA requirement involved. A message that contains protected health information (PHI) is governed by the same principles as any other PHI record, regardless of whether it lives in an email inbox, a text thread, or a chart.
What HIPAA Actually Requires
HIPAA’s rules break into two relevant pieces:
- Documentation retention. HIPAA requires covered entities (including hospitals) to retain certain HIPAA-related documents — such as privacy policies, notices, authorizations, and records of disclosures — for a set minimum period after they were created or last in effect. This applies to compliance paperwork, not to every clinical communication.
- Medical record retention. HIPAA does not set the retention period for the medical record itself. That period is set by state law and by other federal programs (for example, conditions of participation in Medicare). State requirements vary widely.
So an email or text is not preserved “because of HIPAA” in the abstract. It is preserved if its content makes it a record the hospital must keep under state medical-record law, HIPAA documentation rules, or another legal or operational obligation.
When the Message Is a Record
The governing principle in records management is that the medium does not change the obligation. If an email or text documents a clinical decision, a disclosure of PHI, an authorization, or a patient communication that belongs in the record, it must be captured, classified, and retained according to the applicable schedule — and disposed of consistently when that period ends.
Practical implications for a hospital:
- Manage by content, not channel. Identify which messages are records and route them into a managed repository.
- Apply one schedule. The same retention period applies whether the PHI sits in an email, a text, or a chart.
- Protect throughout the lifecycle. Privacy and security controls (a core HIPAA expectation) apply to messages in transit and at rest, including during retention and disposition.
- Avoid silent deletion. Auto-purging texts or mailboxes can destroy records that law requires you to keep.
For more on governing messaging as records, see the email and messaging topic hub. Aligning practices to recognized records and privacy frameworks helps a hospital apply these rules consistently.
Sources & further reading
Authoritative government and non-profit references.
- NIST Privacy Framework — NIST
- ISO 15489-1 Records management — ISO
How to cite this page
APA
RM University Editorial. (2026). Do HIPAA rules require a hospital to keep emails and texts that contain patient health information?. Records Management University. https://www.recordsmgmt.org/questions/does-hipaa-require-keeping-emails-texts-with-patient-information/
MLA
RM University Editorial. "Do HIPAA rules require a hospital to keep emails and texts that contain patient health information?." Records Management University, 16 June 2026, www.recordsmgmt.org/questions/does-hipaa-require-keeping-emails-texts-with-patient-information/.
Related questions
- Are emails between teachers and parents considered education records under FERPA?
- Are emails in my Sent folder and Inbox both records, or just one copy?
- Are emails on my personal phone discoverable in a lawsuit?
- Are ephemeral or disappearing messages legal to use for work, or do they violate recordkeeping rules?
- Are text messages and chat business records?