HIPAA doesn't specifically mention the retention of e-mails; however, it does impose a six-year retention rule for security and privacy policies, procedures, documentation of complaints, and similar records. The purpose of this requirement is to support follow-up reference, complaint investigations, and the like. There's certainly a lot of room for interpretation, but the bottom line is that e-mail communications which come under review by HHS could always fall within this requirement. Obviously, keeping a record of all e-mails is not going to be a simple task from either a procedural or a technical perspective, but it could be in your organization's best interest. Having said all this, and muddying the picture even further, this will ultimately have to be a business decision made by your upper management and legal counsel.
This was first published in June 2003