US document retention requirements: by industry
US document retention requirements by industry. Statutory periods under SOX, HIPAA, IRS rules, SEC Rule 17a-4, FINRA, DOL regulations

US businesses must retain most financial and corporate records for at least 3 to 7 years, depending on the document type and applicable regulator. The IRS requires tax records for a minimum of 3 years (up to 7 in certain circumstances), while the SEC mandates broker-dealer records be kept for 3 to 6 years under Rule 17a-4. Healthcare organizations face HIPAA requirements of 6 years for most records, with state laws sometimes extending this to 10 years or more. Failing to meet these requirements can result in criminal penalties, regulatory fines, adverse litigation outcomes, and the inability to defend against legal claims. This guide covers the statutory retention periods applicable to US businesses, organized by document type and industry sector.
This article is for informational purposes only and does not constitute legal, financial, or regulatory advice. Regulatory references are accurate as of the publication date. Consult a qualified professional for guidance specific to your situation.
Statutory framework for document retention in the US
The United States has no single federal statute that governs document retention across all sectors. Instead, retention obligations arise from multiple federal agencies, state laws, and industry-specific regulations, each covering a specific domain of business activity.
Core federal requirements
The Internal Revenue Code (IRC) requires businesses to keep records that support their tax returns. The general rule is 3 years from the filing date, but this extends to 6 years if income is underreported by more than 25%, and 7 years for losses from worthless securities or bad debt deductions. There is no statute of limitations for fraudulent returns or failure to file.
The Sarbanes-Oxley Act of 2002 (SOX) imposes specific recordkeeping requirements on public companies and their auditors. Section 802 requires audit workpapers and related documents to be retained for at least 7 years. Section 103 requires the PCAOB to set record retention standards for auditors. Violation of SOX document retention requirements carries penalties of up to $5 million in fines and 20 years' imprisonment.
The Fair Labor Standards Act (FLSA) and Department of Labor regulations require employers to retain payroll records for at least 3 years and supplementary records (timecards, wage computation records) for at least 2 years.
Retention periods by document type
| Document type | Minimum retention period | Legal basis |
|---|---|---|
| Tax returns and supporting records | 3 years (up to 7 years) | IRC / IRS |
| Payroll records | 3 years | FLSA / DOL |
| Timecards and wage computations | 2 years | DOL regulations |
| Employment tax records | 4 years after filing date | IRS / IRC Section 6001 |
| Contracts and agreements | 6 years after expiry (varies by state) | State statutes of limitations |
| Corporate minutes and resolutions | Permanent | State corporation laws |
| Stock transfer records | Permanent | SEC / state laws |
| Insurance policies | 6 years after expiry (or longer) | State statutes of limitations |
| Personnel records | 1 year after termination (EEOC) | Title VII / ADEA / ADA |
| OSHA records (injury/illness logs) | 5 years | 29 CFR 1904.33 |
| I-9 forms (employment eligibility) | 3 years after hire or 1 year after termination | USCIS / 8 CFR 274a.2 |
| Import/export records | 5 years | 19 CFR 163 |
| ERISA plan records | 6 years | 29 USC 1027 |
Industry-specific retention requirements
Beyond the general statutory framework, individual sectors face additional obligations imposed by their regulators or sector-specific legislation.
Financial services
The Securities and Exchange Commission (SEC) requires broker-dealers to retain records under Rule 17a-3 (record creation) and Rule 17a-4 (record retention). Most records must be kept for 3 years (first 2 years in an easily accessible location), while certain records -- including communications with customers, transaction records, and account documentation -- must be retained for 6 years.
FINRA Rule 3110 requires member firms to maintain a supervisory system that includes written procedures and the retention of correspondence and communications. FINRA Rule 4511 requires members to make and preserve books and records as prescribed by applicable SEC rules.
Bank Secrecy Act (BSA) and anti-money laundering requirements mandate that financial institutions retain Customer Identification Program (CIP) records for 5 years after the account is closed. Suspicious Activity Reports and supporting documentation must be retained for 5 years from the date of filing. Currency Transaction Reports must be retained for 5 years. For more on business verification obligations, see our complete KYB guide.
Healthcare
The Health Insurance Portability and Accountability Act (HIPAA) requires covered entities and business associates to retain HIPAA-related documentation for 6 years from the date of creation or the date when the document was last in effect, whichever is later. This includes policies and procedures, training records, risk assessments, and business associate agreements.
Medical records retention is primarily governed by state law, and periods vary significantly:
| State | Adult medical records | Minor medical records |
|---|---|---|
| California | 7 years from discharge | Until age 19 or 7 years, whichever is later |
| New York | 6 years from discharge | Until age 21 or 6 years, whichever is later |
| Texas | 7 years from last treatment | Until age 20 or 7 years, whichever is later |
| Florida | 5 years from last contact | Until age 25 or 7 years, whichever is later |
| Illinois | 10 years from last treatment | Until age 23 or 10 years, whichever is later |
Medicare and Medicaid providers must retain records for at least 10 years under the False Claims Act statute of limitations (31 USC 3731).
Construction and infrastructure
Federal construction projects under the Davis-Bacon Act require contractors to retain payroll and basic employment records for 3 years from the completion of the project. The Occupational Safety and Health Administration (OSHA) requires employers to retain exposure monitoring records for 30 years under the Hazardous Chemicals standard. Asbestos exposure records must be retained for the duration of employment plus 30 years.
State building departments increasingly require project records -- including structural calculations, material certifications, and inspection reports -- to be maintained for the life of the structure, particularly for commercial and public buildings.
Legal profession
The American Bar Association (ABA) Model Rules of Professional Conduct require attorneys to safeguard client property, including files and records. State Bar Associations set specific retention requirements. Most states require law firms to retain client files for at least 5 to 7 years after the matter is concluded. However, specific work types warrant longer periods: 10 to 15 years for real estate transactions, until the client reaches majority plus the statute of limitations for matters involving minors, and permanently for estate planning documents (wills, trusts, powers of attorney).
Education
The Family Educational Rights and Privacy Act (FERPA) requires educational institutions to maintain education records for as long as they are used for their intended purpose. In practice, most institutions retain student records permanently or for at least 5 years after the student's last attendance. Financial aid records must be retained for at least 3 years from the end of the award year per 34 CFR 668.24. Campus safety records under the Clery Act must be maintained for 7 years.
Data protection and retention: the US privacy law balance
The growing patchwork of state privacy laws -- led by California's CCPA/CPRA -- requires organizations to balance retention needs against data minimization principles.
Lawful basis for retention
When a federal or state statutory obligation requires the retention of documents containing personal information, this generally provides a valid basis for retention under applicable privacy laws. For example, the CCPA/CPRA exempts personal information that is retained to comply with a legal obligation.
However, once the statutory retention period expires, the legal basis for retention may cease to exist. The organization should then either delete the personal information, anonymize it, or identify a different lawful basis for continued retention.
Practical implementation
The FTC recommends that organizations implement a data retention schedule that maps each category of personal information to its retention period and legal basis. The National Institute of Standards and Technology (NIST) Special Publication 800-53 provides a comprehensive framework for information security controls, including data retention and disposal.
Automated deletion or anonymization processes should trigger at the end of each retention period. Manual processes are acceptable for smaller organizations but increase the risk of non-compliance.
Access controls should ensure that archived records are accessible only to authorized personnel for the specific purposes permitted by law. A payroll record retained for IRS purposes should not be accessible to a marketing team.
Digital retention and electronic records
US law treats electronic records as equivalent to paper records in most circumstances, provided certain conditions are met.
Admissibility of electronic records
The Federal Rules of Evidence -- particularly Rule 803(6) (business records exception to hearsay) and Rules 902(13)-(14) (self-authenticating electronic records) -- establish the framework for admissibility of electronic records. The key requirement is authenticity: the party relying on the record must be able to demonstrate that it was made in the regular course of business, at or near the time of the event, and has not been tampered with.
Metadata, audit trails and digital signatures all strengthen the evidential weight of electronic records. Organizations should ensure their document management systems maintain comprehensive audit logs showing when documents were created, modified, accessed and by whom.
IRS requirements for digital records
The IRS accepts electronic records as equivalent to paper records under Revenue Procedure 98-25, provided the electronic storage system accurately reproduces the original records, ensures the records are accessible, and provides a complete and accurate index. Since 2023, the IRS has expanded its acceptance of digital records through the Tax Administration Modernization initiative, and electronically filed returns are now the default for most business entities.
Building a document retention policy
A retention policy document transforms scattered legal obligations into a structured, operational framework that every department can follow.
Key components
Document inventory. Catalog every type of document produced or received across the organization. Include physical files, digital records, emails, instant messages, and cloud-stored documents.
Retention schedule. Map each document type to its applicable retention period, citing the specific legal basis. Where multiple obligations apply (e.g., a contract that is both a commercial record and a tax record, and that also contains personal data), apply the longest required period.
Storage and security. Define where documents are stored, who has access and what security measures protect them. Encryption, access controls and backup procedures should be documented.
Disposal procedures. Specify how documents are destroyed at the end of their retention period. Physical documents should be cross-cut shredded. Digital records should be securely wiped using methods that prevent recovery, consistent with NIST Special Publication 800-88 (Guidelines for Media Sanitization).
For guidance on automating these processes, see our article on automated document verification workflows.
Common retention mistakes and how to avoid them
Keeping everything indefinitely. This is not a safe default. Retaining personal data beyond the required period may violate state privacy laws (CCPA/CPRA, VCDPA, CPA) and exposes the organization to discovery obligations in litigation. The more data you retain, the more you must produce in response to subpoenas and discovery requests.
Applying a single retention period to all documents. Different document types have different legal requirements. A one-size-fits-all approach will inevitably result in some records being destroyed too early and others being kept too long.
Ignoring litigation holds. When litigation is anticipated or underway, normal disposal procedures must be suspended for all documents relevant to the dispute. Destroying documents subject to a litigation hold constitutes spoliation of evidence and can result in severe sanctions, including adverse inference instructions and default judgments. The duty to preserve is triggered as soon as litigation is reasonably anticipated.
Failing to account for extended limitation periods. The general statute of limitations for contracts varies by state (4 to 6 years for most), but extends significantly for certain claim types. Fraud claims typically have 6-year statutes of limitations in most states. Tax fraud has no statute of limitations. Personal injury claims involving latent injuries can be brought years after the event. Retention periods should account for these variations.
Overlooking state-specific requirements. Federal minimums may be shorter than state requirements. California, New York, Texas, and other states impose sector-specific retention periods that exceed federal floors. Always check both federal and applicable state requirements.
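The retention-schedule logic from the Key components section (map each type to a period and legal basis, apply the longest period where several apply) together with the litigation-hold rule above, as an added Python example that is not CheckFile's code. The Rule and Record structures, the document-type names and the sample records are assumptions made for this example; the periods and trigger events are taken from the article's own figures.

```python
from dataclasses import dataclass
from datetime import date

@dataclass(frozen=True)
class Rule:
    basis: str      # legal basis cited in the schedule
    years: int      # minimum retention period in years
    trigger: str    # event the period runs from (a key of Record.events)

# Constructed schedule: periods and bases from the article's tables, type names assumed.
SCHEDULE = {
    "tax_record": [Rule("IRC / IRS", 3, "filed")],
    "contract": [Rule("State statute of limitations", 6, "expiry")],
    # HIPAA: 6 years from creation or from last in effect, whichever is later
    "hipaa_document": [Rule("HIPAA", 6, "created"), Rule("HIPAA", 6, "last_in_effect")],
}

@dataclass
class Record:
    record_id: str
    doc_types: tuple   # one document may fall under several types at once
    events: dict       # trigger name -> date the triggering event occurred
    litigation_hold: bool = False

def add_years(d, years):
    try:               # 29 Feb rolls forward to 1 Mar in a non-leap year
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, month=3, day=1)

def disposal_date(record):
    """Earliest permissible destruction date, or None meaning keep (litigation
    hold active, or a trigger date unknown). The latest end date across every
    applicable rule wins, which implements the longest-required-period rule."""
    if record.litigation_hold:
        return None
    ends = []
    for doc_type in record.doc_types:
        for rule in SCHEDULE.get(doc_type, []):
            start = record.events.get(rule.trigger)
            if start is None:
                return None
            ends.append(add_years(start, rule.years))
    return max(ends) if ends else None

def disposal_queue(records, today):  # IDs whose retention period has expired by `today`
    return [r.record_id for r in records if (end := disposal_date(r)) and end <= today]

SAMPLE_RECORDS = [  # constructed sample records
    Record("R1", ("contract", "tax_record"),   # contract rule (6y from expiry) wins
           {"expiry": date(2019, 6, 30), "filed": date(2020, 4, 15)}),
    Record("R2", ("hipaa_document",),          # still in effect long after creation
           {"created": date(2015, 1, 1), "last_in_effect": date(2021, 3, 1)}),
    Record("R3", ("tax_record",), {"filed": date(2018, 4, 15)}, litigation_hold=True),
]
```

An unknown document type or a missing trigger date deliberately yields None (keep), since destroying too early is the failure mode the article warns about.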
How CheckFile helps manage document retention
CheckFile automates document collection, verification and lifecycle management. Our platform processes over 180,000 documents per month with 98.7% OCR accuracy and a 67% cost reduction compared to manual document management. The platform automatically classifies incoming documents, applies the correct retention period based on document type and industry, and triggers alerts before retention deadlines.
Integration with existing document management systems via API means no manual re-entry of data. Visit our pricing page to find the plan that matches your document volume, or request a personalized demo.
For a comprehensive view of document verification processes, see our document verification guide.
Frequently asked questions
How long must US businesses keep tax records?
The IRS requires businesses to retain records supporting their tax returns for at least 3 years from the filing date. This extends to 6 years if more than 25% of gross income is unreported, and 7 years for losses from worthless securities or bad debt deductions. Employment tax records must be kept for at least 4 years. In practice, most tax professionals recommend retaining all tax records for 7 years as a conservative approach.
Are electronic records legally equivalent to paper records in the US?
Yes. The E-SIGN Act, UETA (adopted in 47 states), and the Federal Rules of Evidence establish that electronic records are admissible as evidence and have equivalent legal standing to paper records. The key requirement is that the organization can demonstrate the authenticity and integrity of the electronic record through audit trails, access controls and appropriate storage. SEC Rule 17a-4 specifically addresses electronic storage requirements for broker-dealer records.
What happens if a company destroys documents too early?
Destroying documents before the statutory retention period expires can have several consequences. If the IRS conducts an examination and records are unavailable, the company may face estimated assessments, penalties, and potential criminal prosecution. In civil litigation, courts may impose sanctions for spoliation of evidence, including adverse inference instructions (directing the jury to assume the destroyed evidence was unfavorable) and, in extreme cases, default judgment. Under SOX, willful destruction of financial records carries criminal penalties of up to 20 years' imprisonment.
How do state privacy laws affect document retention?
State privacy laws -- including California's CCPA/CPRA, Virginia's VCDPA, and Colorado's CPA -- require organizations to minimize data collection and retention. However, these laws generally include exceptions for records retained pursuant to legal obligations. The practical impact is that organizations must be able to articulate a specific legal basis for retaining personal information beyond its operational use. Once the statutory retention period expires, continued retention without a lawful basis creates compliance risk under these state laws.
Do retention periods apply to emails and instant messages?
Yes. Emails and instant messages are business records and are subject to the same retention requirements as any other document. An email containing a contractual agreement must be retained for the same period as a paper contract. In financial services, FINRA requires all business-related electronic communications to be retained for 3 years (6 years for customer communications). Organizations should implement email archiving solutions that apply retention rules automatically based on content classification, sender/recipient and metadata.
The information presented in this article is provided for informational purposes only and does not constitute legal advice. Regulatory obligations vary by state, industry, and organization size. Consult a qualified attorney for analysis specific to your situation.