
Email retention policies for Ontario therapists: regulatory summary and Google Workspace setup guide

Gabriel Borges

You know you need to keep clinical records. Every therapist learns that early. But when a colleague asks “how long do I need to keep client emails?”, the answer is harder than it should be. The retention rules come from multiple sources (PHIPA, your regulatory college, tax law), they overlap in confusing ways, and email sits in a grey area that none of them were designed to address.

This guide does two things. First, it gives you a regulatory cheat sheet: who requires what, for how long, and where the rules come from. Second, it walks through the Google Workspace settings that control email retention, so you can configure your system to match your obligations.

This guide focuses on Ontario (PHIPA and College of Registered Psychotherapists of Ontario (CRPO) requirements). If you practice in Alberta (HIA) or BC (PIPA), the retention principles are similar, but the specific regulatory sources and timelines differ. Check your provincial college’s record keeping standards for the requirements that apply to you.

Why email retention is different from record retention

Clinical notes live in your EHR. You create them intentionally, you store them in a structured way, and you know they’re records. Email is messier.

Your inbox contains appointment confirmations, intake form submissions, billing questions, clinical updates from clients between sessions, referral letters, and newsletters from professional associations. Some of these contain personal health information (PHI). Some don’t. Most fall somewhere in between.

PHIPA doesn’t distinguish between a formal clinical record and an informal email that happens to contain PHI. The definitions section of PHIPA defines a “record” broadly as information in any form or medium, including electronic. If an email contains PHI, it’s a record for PHIPA purposes, regardless of whether you intended it to be one.

The conservative approach: if a message contains any PHI (a client’s name connected to their appointment, a clinical detail, a medication reference), treat it as a record subject to retention requirements.

Retention requirements by source

The table below summarizes the key retention obligations for Ontario therapists. Each source has a different scope and a different retention period.

  • PHIPA. Retention period: prescribed by regulation; in practice, 10 years is the standard most regulatory colleges apply. Applies to: all records of PHI held by a health information custodian. Citation: PHIPA s.13(1).
  • CRPO (psychotherapists). Retention period: 10 years from the last interaction, or 10 years after a minor client turns 18. Applies to: client files and related records. Citation: Standard 5.1 (Clinical Records).
  • CRA (tax). Retention period: 6 years from the end of the tax year. Applies to: financial and business records. Citation: Income Tax Act s.230.

A few notes on reading this table:

PHIPA is the floor, not the ceiling. PHIPA s.13(1) requires health information custodians to retain, transfer, and dispose of records of PHI in a secure manner and in accordance with prescribed requirements. While PHIPA itself does not specify an exact retention period, the 10-year standard has been widely adopted through regulatory college requirements. Your regulatory college may require longer retention. When obligations overlap, the longest period wins.

CRPO measures retention from the last interaction with the client, not the last entry in the record. If you see a client for a session (interaction) but don’t update their record until a week later (entry), those are different start dates. The practical difference is usually small, but it exists.

The minor exception matters. For clients who are minors, the CRPO requires retention until 10 years after the individual turns 18, or 10 years from the last interaction, whichever is longer. A therapist who sees a 6-year-old must keep those records until the child turns 28.

CRA requirements run in parallel. Tax retention (6 years) is shorter than health record retention (10+ years), so it rarely matters on its own. But it does mean that billing related emails have an independent retention obligation even if you somehow determined they don’t contain PHI.
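The overlap rules above (longest period wins, the minor exception, the CRA clock starting at the end of the tax year) are easy to get wrong once real dates are involved. The Python below is an added example, not part of the original guide and not a CRPO or CRA tool. It encodes the periods exactly as this page states them (verify them against your college's current standard), assumes a calendar tax year, and also converts a destruction date into the number of days a Google Vault rule would need for a given message, because Vault (covered later on this page) measures retention from the message date rather than from the last interaction.

```python
from datetime import date

# Periods as stated on this page; treat them as assumptions to re-verify.
CRPO_YEARS = 10       # CRPO Standard 5.1: 10 years from the last interaction
AGE_OF_MAJORITY = 18  # CRPO minor rule: 10 years after the client turns 18
CRA_YEARS = 6         # Income Tax Act s.230: 6 years from the end of the tax year


def _to_date(value):
    """Accept a date object or an ISO 8601 string such as '2026-03-15'."""
    return value if isinstance(value, date) else date.fromisoformat(value)


def add_years(d, years):
    """Add calendar years; a Feb 29 anniversary falls back to Feb 28."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


def crpo_retain_until(last_interaction, date_of_birth=None):
    """CRPO: 10 years from the last interaction, or 10 years after the client
    turns 18 if they were a minor, whichever is later. For an adult client the
    majority-based date is always earlier, so max() handles both cases."""
    last = _to_date(last_interaction)
    from_last = add_years(last, CRPO_YEARS)
    if date_of_birth is None:
        return from_last
    turns_18 = add_years(_to_date(date_of_birth), AGE_OF_MAJORITY)
    return max(from_last, add_years(turns_18, CRPO_YEARS))


def cra_retain_until(service_date):
    """CRA: 6 years after the end of the tax year the record relates to.
    Assumes a calendar tax year (typical for an unincorporated practice)."""
    return date(_to_date(service_date).year + CRA_YEARS, 12, 31)


def retain_until(last_interaction, date_of_birth=None, has_billing=True):
    """When obligations overlap, the longest period wins."""
    deadlines = [crpo_retain_until(last_interaction, date_of_birth)]
    if has_billing:  # billing emails carry an independent CRA obligation
        deadlines.append(cra_retain_until(last_interaction))
    return max(deadlines)


def vault_days_needed(message_date, retain_until_date):
    """Vault measures retention from the message's own date, so convert the
    destruction date into the rule length (in days) that message needs."""
    return (_to_date(retain_until_date) - _to_date(message_date)).days


if __name__ == "__main__":
    # Adult seen 2026-03-15: CRPO (2036-03-15) outlasts CRA (2032-12-31).
    print("adult:", retain_until("2026-03-15"))
    # Client born 2020-01-10 (age 6 at the session) seen 2026-03-15:
    # turns 18 on 2038-01-10, so the record must survive until 2048-01-10.
    until = retain_until("2026-03-15", "2020-01-10")
    print("minor:", until, "days of Vault retention needed:",
          vault_days_needed("2026-03-15", until))
```

Two things worth noticing when you run it: the ten calendar years from March 2026 to March 2036 contain 3,653 days, so a 3,650-day Vault rule is three days short; and a message exchanged with a six-year-old needs about 7,971 days of retention, more than double a flat 10-year rule.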

What counts as a “record” worth retaining?

This is the question that trips people up. Here’s a practical breakdown:

Almost always a record:

  • Emails where a client discloses symptoms, feelings, or clinical concerns
  • Intake form submissions and consent forms sent by email
  • Referral letters (sent or received)
  • Emails discussing treatment plans or progress
  • Any attachment containing clinical documents

Probably a record (treat it as one):

  • Appointment confirmation emails that include the client’s name and appointment type
  • Billing emails that connect a client’s identity to services rendered
  • Emails from a client requesting a schedule change that mention their reason (“I have a medical appointment that day”)

Probably not a record:

  • A single word reply like “Confirmed” with no identifying context
  • Internal administrative emails with no PHI
  • Marketing newsletters and vendor communications

The grey area is wide. When in doubt, retain. The risk of keeping a non record email for 10 years is negligible storage cost. The risk of deleting a record email too early is a college complaint or an Information and Privacy Commissioner of Ontario (IPC) investigation.


Google Workspace retention: your options depend on your edition

Google Workspace handles email retention through two different mechanisms, and which one you can use depends on your subscription tier.

  • Business Starter: no Google Vault, no retention rules, no litigation hold.
  • Business Standard: no Google Vault, no retention rules, no litigation hold.
  • Business Plus: Google Vault, retention rules and litigation hold included.
  • Enterprise Standard: Google Vault, retention rules and litigation hold included.
  • Enterprise Plus: Google Vault, retention rules and litigation hold included.

Google Vault is the only built in tool for automated email retention in Google Workspace. It’s available on Business Plus and above. If you’re on Business Starter or Business Standard, skip to the section on manual retention approaches below.

If you’re unsure which edition you’re on, check Admin console > Account > Subscriptions. For a detailed walkthrough of the admin console, see our Google Workspace admin security settings guide.

Setting up retention rules in Google Vault

Google Vault lets you define how long email messages are preserved, independent of what users do in their inbox. Even if a user deletes an email and empties the trash, Vault keeps a copy until the retention period expires.

Step 1: access Google Vault

Path: Admin console > Apps > Google Workspace > Google Vault

Or go directly to vault.google.com and sign in with your admin account.

Step 2: set a default retention rule

The default retention rule applies to all Gmail messages across your organization unless overridden by a custom rule.

  1. In Google Vault, click Retention in the left sidebar
  2. Click Default retention rules
  3. Find Gmail and click Edit
  4. Set the retention period in days. Vault counts days, not years, and counts from the date each message was sent or received. 3,650 days falls a few days short of 10 calendar years because of leap days, so round up: 3,660 days covers 10 years with margin, and 5,480 days covers 15.
  5. Choose what happens when the retention period expires. Vault can purge only messages that users have already deleted, or purge all messages including those still sitting in inboxes. Pick the purge-all option if you want the retention period to actually end the record rather than merely protect deleted mail.
  6. Click Save

This rule means: every email in every user’s account is preserved for the configured number of days from the date it was sent or received, and is then permanently deleted. Note what the clock is: the message date, not the client’s last interaction and not a minor client’s 18th birthday. A flat 10-year rule therefore does not satisfy the CRPO minor exception on its own: an email exchanged when a client was 10 must survive until they turn 28, 18 years later. If you see minors, either set the default period long enough to cover your longest possible case, or put those clients’ correspondence under a custom rule or a hold (Steps 3 and 5).

Step 3: consider custom retention rules (optional)

Custom retention rules override the default for specific organizational units, date ranges, or search terms. You might use these if:

  • You have administrative staff whose email doesn’t contain PHI (shorter retention)
  • You want to retain email from a specific period indefinitely (e.g., during an active complaint)
  • Different practitioners in your organization are regulated by different colleges with different retention periods

To create a custom rule:

  1. In Google Vault, click Retention in the left sidebar
  2. Click Custom rules > Create
  3. Select Gmail as the service
  4. Define the scope (organizational unit, date range, or search terms)
  5. Set the retention period
  6. Click Save

Custom rules take precedence over the default rule. If a message matches multiple custom rules, the longest retention period wins.

Step 4: understand what happens at expiry

When a retention rule expires, Google Vault permanently purges the affected messages. This is not reversible. The messages are deleted from Vault’s hold, and if the user already deleted them from their inbox, they’re gone.

This is exactly what you want for compliance. Retention obligations have an end date. Keeping PHI beyond the required period increases your breach surface without any regulatory benefit. If you’re breached, every retained message is a potential exposure. Over retention is its own risk.

Step 5: set up litigation holds (when needed)

A litigation hold preserves all messages for a specific user account indefinitely, overriding any retention rules. Use this if:

  • A client files a complaint with the IPC or your regulatory college
  • You receive a records request related to legal proceedings
  • A client requests access to their records under PHIPA and you need time to compile the response

To create a litigation hold:

  1. In Google Vault, click Matters in the left sidebar
  2. Click Create Matter and give it a name (e.g., “IPC Complaint - 2026-03”)
  3. Open the matter and click Holds > Create hold
  4. Select Gmail as the service
  5. Add the relevant user accounts
  6. Optionally add search terms or date ranges to narrow the hold
  7. Click Save

Messages under a litigation hold are never purged, even after the retention period expires. Remove the hold only when the matter is resolved.

If you don’t have Google Vault: manual retention approaches

Most solo therapists and small practices run Google Workspace Business Starter or Business Standard. Neither includes Google Vault. Upgrading to Business Plus costs more per user per month, and for a solo practitioner that cost may not be justified.

Here are the alternatives, in order of reliability.

Option 1: Google Takeout exports

Google Takeout lets you export a complete copy of your Gmail data in MBOX format.

  1. Go to takeout.google.com
  2. Deselect all products, then select only Mail
  3. Click Next step
  4. Choose your delivery method (download link via email is the most straightforward approach)
  5. Select Export once
  6. Click Create export

The export includes every email in your account. Store the downloaded file in an encrypted location (an encrypted external drive or an encrypted cloud storage service with Canadian data residency). Label it with the export date.

Schedule this quarterly or annually and set a recurring calendar reminder. The export is your retention archive. If you delete an email from Gmail after exporting it, the copy in your Takeout archive satisfies the retention requirement, provided you can actually find and produce the email if asked. The gap to watch is the interval between exports: an email received after the last export and deleted before the next one is in no archive at all, so the shorter the interval, the smaller that exposure.

The weakness: MBOX files are not searchable without additional tooling. If a college asks for “all emails related to Client X between 2026 and 2028,” you’ll need to import the MBOX into an email client such as Thunderbird, or script the search yourself.
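Scripting that search is straightforward. The Python below is an added example, not from the original guide and not a Google tool. It uses the standard library’s mailbox module on a constructed three-message MBOX (written to a temporary file, because mailbox.mbox needs a path) and answers the request above: every message to, from or cc’ing a given address within an inclusive date range, plus the archive’s first and last message dates so you can label the export with the range it covers. Header dates are normalised to UTC, and a message with a missing or unparseable Date header is skipped rather than aborting the search.

```python
import mailbox
import os
import tempfile
from datetime import date, timezone
from email.utils import parsedate_to_datetime

# Constructed sample standing in for a Takeout export. Addresses and
# message IDs are made up; nothing here is real mail.
SAMPLE_MBOX = """From practice@example.test Fri Jan 10 14:30:00 2025
From: practice@example.test
To: alice@example.test
Subject: Intake form
Date: Fri, 10 Jan 2025 14:30:00 -0500
Message-ID: <p1@example.test>

Attached is the intake form we discussed.

From alice@example.test Mon Mar  2 10:00:00 2026
From: alice@example.test
To: practice@example.test
Subject: Rescheduling Thursday
Date: Mon, 02 Mar 2026 10:00:00 -0500
Message-ID: <a1@example.test>

Can we move Thursday? I have a medical appointment that day.

From newsletter@vendor.test Tue Mar  3 09:00:00 2026
From: newsletter@vendor.test
To: practice@example.test
Subject: March product update
Date: Tue, 03 Mar 2026 09:00:00 -0500
Message-ID: <n1@vendor.test>

New features this month.
"""


def write_sample_archive():
    """Write the constructed sample to a temp file and return its path."""
    fd, path = tempfile.mkstemp(suffix=".mbox")
    with os.fdopen(fd, "w", encoding="utf-8", newline="\n") as fh:
        fh.write(SAMPLE_MBOX)
    return path


def _sent_date(msg):
    """Date header -> calendar date in UTC, or None if absent/unparseable."""
    raw = msg.get("Date")
    if not raw:
        return None
    try:
        return parsedate_to_datetime(raw).astimezone(timezone.utc).date()
    except (TypeError, ValueError):
        return None


def search_archive(path, participant, start, end):
    """Messages whose From/To/Cc mention `participant`, dated within
    [start, end] (ISO strings, inclusive). Returns sorted
    (date, subject, message-id) tuples."""
    start, end = date.fromisoformat(start), date.fromisoformat(end)
    needle = participant.lower()
    hits = []
    box = mailbox.mbox(path)
    try:
        for msg in box:
            addrs = " ".join(str(msg.get(h, "")) for h in ("From", "To", "Cc")).lower()
            sent = _sent_date(msg)
            if needle in addrs and sent is not None and start <= sent <= end:
                hits.append((sent.isoformat(), msg.get("Subject", ""),
                             msg.get("Message-ID", "")))
    finally:
        box.close()
    return sorted(hits)


def archive_span(path):
    """(earliest, latest) message date as ISO strings, for labelling the export."""
    box = mailbox.mbox(path)
    try:
        dates = [d for d in (_sent_date(m) for m in box) if d is not None]
    finally:
        box.close()
    if not dates:
        return None
    return min(dates).isoformat(), max(dates).isoformat()


if __name__ == "__main__":
    archive = write_sample_archive()
    print("covers:", archive_span(archive))
    for hit in search_archive(archive, "alice@example.test", "2025-01-01", "2026-12-31"):
        print(hit)
```

The matching is deliberately narrow in scope: it looks only at From, To and Cc, so a client who is mentioned in the body of someone else’s email will not surface. For a records request, run it once per client address and then read the hits; the vendor newsletter in the sample never appears in Alice’s results.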

Option 2: label and never delete

The most straightforward approach: create a Gmail label called “Client Records” (or one label per client). Apply it to any email containing PHI. Never delete labeled emails.

This works, but it depends entirely on your discipline. If you forget to label an email, it’s unprotected. If you (or a future employee) accidentally delete labeled emails, they sit in the trash for 30 days; once the trash is emptied, only the short administrator restore window described below stands between them and permanent loss.

Option 3: forward to an archival service

Some practices use a separate archival email service or document management system. You forward or BCC client related emails to an archive address. This creates a second copy outside of Gmail.

If you go this route, make sure the archival service stores data in Canada. Sending PHI to a US based archival service creates a new compliance problem while trying to solve an existing one.


The honest limitations of Google Workspace retention

Even with Google Vault properly configured, there are gaps you should understand.

Retention rules are effectively all or nothing for email. Custom rules can be scoped by search terms, but a keyword match is not a PHI classifier: there is no content-aware filter that retains only messages containing PHI. In practice you retain everything (client emails, spam, vendor newsletters, promotional messages) so that the small fraction that contains PHI is covered.

If your account is compromised, the attacker gets 10 years of email, not just recent messages. Over retention increases breach exposure, and this is a real tradeoff, not a hypothetical one. The IPC has recognized that minimizing data collection and retention is itself a safeguard.

Under retention violates college standards. If you set retention too short, or if you manually delete emails before the retention period expires, you’re out of compliance with CRPO Standard 5.1, PHIPA s.13(1), or both. A college complaint about missing records is a serious matter.

Retention doesn’t equal accessibility. Keeping emails for 10 years is only half the obligation. PHIPA s.52 gives individuals the right to access their records. If a client requests their records, you need to be able to find and produce the relevant emails within 30 days. A 10-year Gmail archive with no labeling or organization makes this difficult. See our guide on handling client record access requests under PHIPA for the full process.

Google Vault is not a per-message access log. Vault’s own audit log (viewable in the Admin console) records searches, exports and hold changes made in Vault, but neither Vault nor Gmail gives you a record of who opened a particular retained email in their inbox and when. CRPO Standard 5.6 requires access records. Vault retention and access auditing are separate problems that require separate solutions.

When a user deletes an email and empties the trash, Google keeps it for a further 25 days, during which an administrator can restore it from the user’s page in the Admin console (Restore data). If you don’t have Vault, that 25-day window is your only safety net. After that, the email is unrecoverable.

A practical retention checklist

Here’s what to do this week:

  1. Check your Google Workspace edition. Admin console > Account > Subscriptions. If you’re on Business Plus or higher, set up Vault retention rules (Steps 1-4 above). If you’re on Starter or Standard, choose a manual approach.

  2. Pick your retention period. For most Ontario psychotherapists (CRPO), 10 years covers both PHIPA and college requirements, but if you see minors the CRPO rule runs until 10 years after the client turns 18, which can be far longer than 10 years from an email’s date. When in doubt, round up. Adding an extra year or two of retention is far less costly than deleting records a year too early.

  3. Create a “Client Records” label in Gmail. Even if you have Vault, labeling emails that contain PHI makes them findable when you need them. This takes five seconds per email and saves hours during a records request.

  4. Set a calendar reminder for quarterly Takeout exports if you don’t have Vault. Store exports on an encrypted drive. Label each export with the date range.

  5. Document your retention policy in writing. A single page document that states: what you retain, for how long, where it’s stored, and when it’s destroyed. Keep this with your practice policies. If the IPC or your college ever asks, this is the first thing they want to see.

  6. Review your admin console security settings if you haven’t already. Retention is one piece of the compliance picture. Encryption, access controls, and data residency matter too. For the full picture of PHIPA obligations for email, see our PHIPA email requirements guide.

What this guide doesn’t solve

Retention settings protect you from one specific failure mode: losing records before the retention period expires. They don’t address encryption, consent tracking, breach notification, or the other PHIPA obligations that apply to email communication.

No single configuration change makes your practice fully compliant. Compliance is a set of overlapping safeguards, and retention is one of them. But it’s a concrete one, and after today you either have it configured or you don’t.

If you want to check where your Google Workspace stands beyond just retention, we’re building a compliance auditor that checks your setup against PHIPA, CRPO, and CRA requirements in one pass (coming soon at curio.health/compliance-auditor).


This guide is part of the Google Workspace for Canadian Therapists project. We run a private Facebook group where Canadian therapists on Google Workspace share compliance tips, templates, and admin console walkthroughs. Join the group.


This content is for informational purposes only and does not constitute legal advice. Privacy regulations vary by province and are subject to change. Verify current requirements with your provincial regulatory body.
