Document Retention Guidelines by Industry: How Long Should You Keep What?

A Practical Guide to Record Retention Requirements and Safe Destruction Timelines

You're cleaning out your storage room and you find a stack of old financial records. The question hits you: Can I shred these, or do I need to keep them?

If you guess wrong, the consequences could be serious. Destroy them too early, and you face potential liability or regulatory penalties. Keep them too long, and you're paying to store documents you no longer need.

The answer depends on your industry, the type of document, and federal and state regulations. This guide breaks down record retention requirements by industry so you know exactly what's safe to destroy and when.

The Ground Rules: Federal Retention Requirements

Before we dive into industry specifics, here are the baseline federal rules that apply to most businesses:

Tax Records

The IRS has different timelines depending on the situation:

  • General business tax returns: Keep for 3 years from the filing date
  • If you underreported income by more than 25%: Keep for 6 years
  • If you suspect fraud: Keep indefinitely (there's no statute of limitations)
  • Payroll tax records: Keep for at least 4 years
  • Supporting documentation (receipts, invoices, bank statements): Keep for 3–7 years depending on context

Why it matters: The IRS can audit returns going back 3 years (or longer if there's suspicion of underreporting). You need documentation to support your claims.

Safe to destroy: Anything older than 7 years is generally safe to destroy, unless you have specific reason to keep it longer.

Employment Records

Federal law (Fair Labor Standards Act) requires:

  • Payroll records: Keep for at least 3 years
  • Timekeeping records: Keep for at least 2 years
  • I-9 forms and background checks: Keep for 3 years after hire or 1 year after termination, whichever is longer
  • Performance reviews and disciplinary records: Keep for 3–5 years minimum; employment-related lawsuits can arise within 3–6 years of termination

Why it matters: If an employee sues for wrongful termination, discrimination, or unpaid wages, you need documentation. Statute of limitations varies by claim type and state, but 3–6 years is a safe baseline.

State variations: Some states require longer retention. California, for instance, requires longer retention of records for certain types of employee claims.

Safe to destroy: Employment records older than 5 years (after termination) are generally safe to destroy, unless you have active disputes.

Financial Statements & Accounting Records

SEC and IRS regulations require:

  • General accounting records: 5–7 years
  • Bank statements and canceled checks: 3–5 years (though banks sometimes keep longer)
  • Accounts payable and accounts receivable: 5–7 years
  • Ledgers and journals: 5–7 years
  • Audit records and work papers: 7 years minimum

Why it matters: Financial audits, tax audits, and litigation all depend on these records. You need to be able to reconstruct transactions going back several years.

Safe to destroy: Anything older than 7 years is generally safe, with the caveat that active litigation or audits might extend that timeline.

Contracts

  • General contracts: Keep for the duration of the contract plus 3–5 years after expiration
  • Employment contracts: Keep for the duration of employment plus 3–5 years after termination
  • Real estate/property contracts: Some should be kept indefinitely or for the life of the property
  • Loan/mortgage contracts: Keep for the life of the loan plus 3–5 years after payoff

Why it matters: Contract disputes can arise years later. You need documentation if claims or disputes emerge.

Safe to destroy: Contracts older than 7 years (after expiration or termination) are generally safe, unless the contract involves ongoing obligations or is tied to property.

Legal Firms & Law Practices

Law firms have unique retention obligations because they hold client confidential information and must comply with state bar rules.

Client Case Files

  • Retention timeline: Keep for 5+ years after case closure (varies by state)
  • Civil cases: 5 years is common
  • Criminal cases: Longer retention often required (some states require 7–10 years)
  • Bankruptcy cases: 5–7 years minimum
  • Minors' cases: Keep until the minor reaches the age of majority plus 5 years

Why it matters: Statutes of limitations for malpractice claims and appeals vary by state but typically range from 2–6 years after case closure. You need documentation to defend against claims that you provided inadequate representation.

State variations matter: Some states require longer retention. Check your state bar rules for specifics.

Safe to destroy: Case files older than 7 years (after closure) are generally safe in most states, but verify your specific state bar association's guidelines.

Billing & Fee Records

  • Keep for: 5–7 years
  • Why: To substantiate time entries, fee disputes, and tax deductions
  • Safe to destroy: Anything older than 7 years

Engagement Letters & Client Agreements

  • Keep for: Duration of representation plus 7 years
  • Why: Establishes scope of engagement, fee arrangements, and protects against fee disputes
  • Safe to destroy: 7 years after representation ends

Attorney Work Product & Communications

  • Keep indefinitely or per state bar rules
  • Why: Attorney-client privilege never expires. Even after a case closes, work product may need to be protected
  • Complication: "Destroyed" doesn't mean shredded once. Client confidentiality obligations remain even after the case is over
  • Professional standard: Use NAID-certified destruction companies that provide chain-of-custody documentation

Important Note on Confidentiality

Unlike other businesses, law firms can't simply shred old case files without careful consideration. They must:

  1. Verify the statute of limitations – State bar rules may require longer retention
  2. Document destruction – Chain of custody and destruction certificates matter
  3. Maintain confidentiality – Even destruction must be secure and documented
  4. Use certified partners – NAID-certified destruction companies provide the documentation law firms need

A law firm's reputation depends on secure handling of client information throughout its entire lifecycle, including destruction.

Healthcare & Medical Practices

HIPAA (Health Insurance Portability and Accountability Act) governs medical record retention and destruction. The rules are strict, and violations carry significant penalties.

Patient Medical Records

  • Retention timeline: Generally 5–10 years after the patient's last encounter (varies by state)
  • Minors: Several states extend this to when the minor reaches the age of majority plus additional years (sometimes up to 10 years after age 18)
  • Why: Patients may need records for ongoing treatment, insurance claims, or litigation
  • Some states require: Longer retention (California requires longer than many states; check your specific state)

Safe to destroy: Only after the retention period ends AND the patient has been notified of your destruction policy.

Prescription Records

  • Controlled substances: DEA requires 2 years minimum
  • Other prescriptions: Generally 2–5 years depending on state

Safe to destroy: After the state-mandated retention period.

Billing & Insurance Records

  • Keep for: 5–7 years
  • Why: To substantiate claims, handle disputes, and respond to insurance audits
  • Safe to destroy: After 7 years

Lab Results & Imaging

  • Keep for: 5–10 years (varies by test type and state)
  • Why: May be needed for ongoing patient care or litigation
  • Note: Some results (pathology, radiology) may require longer retention

HIPAA Destruction Requirements

This is critical: "Destroyed" under HIPAA requires more than throwing files in the trash.

HIPAA requires covered entities to "implement policies and procedures that reasonably and appropriately safeguard patient information." That includes secure destruction methods:

  • Paper records: Cross-cut shredding (not single-pass shredding)
  • Digital records: Certified data wiping or device destruction (not just deletion)
  • Certificates of destruction: Healthcare practices should maintain documentation proving records were destroyed per HIPAA standards

Audit risk: During HIPAA audits, regulators ask: "How do you destroy old patient records?" If your answer is "We throw them in the trash," that's a violation. If you say "We contract with a NAID AAA certified destruction company and maintain destruction certificates," you're protected.

Fines for improper destruction: Up to $50,000 per record, per incident. If a practice improperly destroys 100 patient records, the potential fine is in the millions.

Financial Institutions & Accounting Firms

Multiple regulations govern financial record retention, and compliance is non-negotiable.

Tax Returns

  • Client copies: 5–7 years
  • Your working copies: 5–7 years
  • Supporting documentation: 5–7 years
  • Why: To support deductions, respond to audits, and defend against IRS claims

Safe to destroy: After 7 years, assuming no active audits or disputes.

Bank Statements

  • Personal/business: 3–5 years
  • If part of tax file: 7 years
  • Why: To reconcile accounts, support tax returns, and respond to inquiries
  • Bank retention: Banks often keep longer (some keep indefinitely), but you don't have to

Safe to destroy: 3 years for personal use; 5–7 years if tied to tax documentation.

Investment Records

  • Brokerage statements: 5–7 years
  • Trade confirmations: 5–7 years (longer if tied to ongoing investments)
  • Why: To calculate cost basis, report capital gains/losses, and substantiate transactions
  • Important: Keep longer if the investment is still active

Safe to destroy: 5–7 years after the investment is closed, or per the brokerage's retention policy.

Loan Documents

  • Loan agreements: Keep for life of loan plus 3–5 years
  • Payment records: Keep for 3–5 years after payoff
  • Refinancing paperwork: Keep for duration of new loan plus 3 years
  • Why: To verify payoff status, calculate interest deductions, and defend against disputes

Safe to destroy: 3–5 years after payoff or loan closure.

Client Financial Records (For Accountants)

  • Retention timeline: 5–7 years minimum
  • Why: To respond to client questions, defend against malpractice claims, and comply with audit requests

Safe to destroy: 5–7 years after the last service provided, assuming no pending disputes.

GLBA & FACTA Compliance

GLBA (Gramm-Leach-Bliley Act) and FACTA (Fair and Accurate Credit Transactions Act) require financial institutions to "securely dispose of consumer financial information."

What this means: You can't just toss records containing SSNs, account numbers, or financial data. You must:

  • Use a certified destruction company (NAID AAA is ideal)
  • Maintain documentation of destruction
  • Use cross-cut shredding for paper, certified wiping or physical destruction for digital media

Fines for non-compliance: Up to $100–$1,000 per violation.

Human Resources & Payroll

Hiring Documents

  • Resumes and applications: 3 years minimum (FCRA requirement)
  • Background check reports: 3 years minimum
  • Screening notes: 3 years minimum
  • Why: EEOC regulations require these for discrimination investigations, which can reach back 3 years

Safe to destroy: 3 years after the hiring decision.

Performance Reviews & Evaluations

  • Keep for: 3–5 years after termination
  • Why: If an employee sues for discrimination or wrongful termination, you need documentation of performance and disciplinary history
  • Statute of limitations: Varies by claim type (discrimination claims can go back 3–6 years in some states)

Safe to destroy: 5 years after termination is a safe baseline.

Disciplinary Records & Warnings

  • Keep for: Duration of employment plus 3–5 years after termination
  • Why: To defend against wrongful termination or discrimination claims
  • Important: States have different standards; some require longer retention

Safe to destroy: 5 years after termination (or per your state's requirements).

I-9 Forms & Work Authorization

  • Keep for: 3 years after hire or 1 year after termination, whichever is longer
  • Why: I-9 documents verify work authorization; audits can happen years later
  • Note: If you're acquired or merge with another company, I-9s often must be transferred

Safe to destroy: 3 years after hire date (or 1 year after termination if that's longer).

Payroll Records

  • Wage and hour records: 3 years minimum (federal), but some states require 5–7 years
  • Tax withholding records: 3–7 years
  • Benefits records: Duration of employment plus 3–5 years
  • Why: To respond to wage/hour audits, tax claims, and benefits disputes

State variations: California requires longer retention than many states.

Safe to destroy: After 7 years (to account for state-specific requirements).

Manufacturing & Supply Chain

Lot/Batch Records

  • Keep for: Varies widely (2–10+ years depending on product)
  • Why: To track product quality, respond to recalls, and defend against liability claims
  • Critical if: Your products have long lifespans (medical devices, automotive) or are subject to a longer statute of limitations for liability

Example: If you manufacture a part used in vehicles, keep records longer because vehicles last 10+ years and liability claims can arise years after manufacturing.

Safe to destroy: Only after the statute of limitations for product liability in your state.

Testing & Quality Control Data

  • Keep for: 3–7 years (varies by product type and liability risk)
  • Why: Proves products met quality standards; essential if defects arise

Safe to destroy: After your statute of limitations for product liability.

Supplier Records & Certifications

  • Keep for: 3–5 years
  • Why: To verify supplier compliance, respond to audits, and track supply chain accountability

Safe to destroy: 3–5 years after supplier relationship ends.

Real Estate & Property Management

Contracts & Deeds

  • Keep for: Indefinitely or for life of property
  • Why: Proves ownership, mortgage status, and property history
  • Note: Some should never be destroyed (deeds, title docs)

Safe to destroy: Never destroy original property documents. Keep copies permanently.

Lease Agreements

  • Residential leases: 3–7 years after lease ends
  • Commercial leases: 5–7 years after lease ends (longer if ongoing lease)
  • Why: To respond to disputes, defend security deposit claims, or handle tenant inquiries

Safe to destroy: 7 years after lease termination.

Maintenance & Repair Records

  • Keep for: Life of property plus 3 years after sale
  • Why: Proves property was maintained, important if disputes arise about property condition
  • Liability: If someone is injured and claims the property was poorly maintained, records prove otherwise

Safe to destroy: 3 years after property is sold or no longer relevant.

Nonprofits & Grant Organizations

Grant Records

  • Keep for: Duration of grant plus 3–7 years
  • Federal grants: 3–5 years minimum (some require 7)
  • Why: Grant agencies audit compliance years after funding ends
  • Includes: Timesheets, invoices, expense reports, progress reports

Safe to destroy: After grant audit period expires.

Donation Records

  • Keep for: 3–5 years (IRS can audit donor contributions)
  • Why: To substantiate donor records and tax deductions
  • Important: Donors need records for their own tax purposes

Safe to destroy: 3–5 years.

Board & Governance Records

  • Keep for: Indefinitely
  • Why: Fiduciary records, liability protection, governance history
  • Some states require: Permanent retention of certain records

Safe to destroy: Board minutes and governance records should typically be kept indefinitely.

What You Should Do Right Now

If you're uncertain about your retention obligations, take these steps:

1. Create a Retention Schedule

List the types of documents you maintain and the retention requirements:

  • Tax returns: 7 years
  • Payroll records: 7 years
  • Client files (if applicable): 5–7 years per industry
  • Financial statements: 7 years
  • Etc.

Post this schedule in your office so employees know what to keep and when it's safe to destroy.

2. Identify Outdated Records

Audit your current storage:

  • What documents are you keeping beyond their retention requirement?
  • Are you storing things out of habit rather than legal necessity?
  • Are you paying for storage you don't need?

3. Schedule Secure Destruction

Don't throw old documents in the trash or regular recycling. That exposes sensitive information.

Schedule destruction for records that have exceeded their retention period:

  • If they contain personal information (SSNs, account numbers, health data): Use certified destruction
  • If they contain business confidential information: Use certified destruction
  • If they're mundane (old newsletters, generic business documents): Less critical, but still better to shred

4. Document Your Process

Keep records of what was destroyed and when:

  • Destruction certificates (especially for regulated documents)
  • Destruction date and method
  • Who handled the process (you or a third party)

This documentation protects you if regulators ask: "How do you handle document destruction?"

5. For Regulated Industries, Use Certified Partners

If you're in healthcare, finance, law, or government:

  • Use a NAID-certified destruction company
  • Request destruction certificates
  • Maintain chain-of-custody documentation
  • Verify the company's credentials (check the NAID directory)

This transforms destruction from a liability risk into compliance documentation.

Why Professional Shredding Matters

DIY document destruction has problems:

  1. Incomplete destruction: Personal shredders may not fully destroy all document copies or fragments
  2. Employee access: Staff handling sensitive data increases breach risk
  3. No proof of destruction: If auditors ask how you destroyed records, "I shredded them" isn't documentation
  4. Liability exposure: If records aren't properly destroyed and leak, you're liable

Professional NAID-certified shredding solves these problems:

  • Chain of custody: Documents are tracked from pickup through destruction
  • Verified destruction: Certified methods ensure complete destruction
  • Legal proof: Destruction certificates document compliance
  • Liability shift: Certified professionals bear responsibility, not you

The cost difference between DIY shredding and professional certified destruction is often $100–500 per engagement. Compare that to potential fines, litigation costs, or HIPAA penalties, and certified destruction is always the cheaper option.

Key Takeaways by Category

Tax & Accounting Records: Keep 3–7 years, then destroy

Employment Records: Keep 3–5 years after termination, then destroy

Healthcare Records: Follow HIPAA guidelines (5–10 years), then use certified destruction

Legal Case Files: Keep 5–7 years after case closes (check state bar rules), then use certified destruction

Financial Institution Records: Keep 5–7 years, use certified destruction for records with consumer data

Real Estate Records: Keep property deeds and titles indefinitely; other records 3–7 years

Nonprofit Grants: Keep 3–7 years after grant period, use certified destruction

Important Disclaimer

This guide provides general information about common retention timelines. However, retention requirements vary by industry, state, and specific regulations. Consult with your attorney, accountant, or industry-specific compliance officer before destroying records. The information here is educational and not legal advice.

Next Steps

If you have records that exceed your retention timeline, don't wait:

  1. Review this guide for your specific industry
  2. Consult with your accountant or attorney to confirm timelines
  3. Schedule destruction for outdated records
  4. Create a retention schedule for future reference
  5. Use a certified destruction partner for anything containing sensitive information

The investment in proper destruction is one of the easiest compliance wins your business can achieve.