Records Retention Policy

Document Retention and Destruction Policy

RECORDS RETENTION POLICY

[Company Name]

Effective Date: [Effective Date]

Policy Administrator: [Policy Administrator]

Review Schedule: [Review Frequency]

1. PURPOSE AND SCOPE

1.1 Purpose. This Records Retention Policy ("Policy") establishes the guidelines and procedures for [Company Name], located at [Company Address], regarding the retention, management, and secure destruction of company records. The purpose of this Policy is to: ensure compliance with applicable federal and state laws governing record retention; reduce the cost and burden of storing unnecessary records; ensure that records needed for legal, regulatory, tax, and operational purposes are preserved for the required period; and ensure the secure destruction of records that are no longer needed.

1.2 Scope. This Policy applies to all records created, received, or maintained by [Company Name] and all of its employees, contractors, and officers, regardless of the medium in which records are stored (paper, electronic, digital, audio, or video). This Policy applies to all departments and business units of [Company Name].

1.3 Industry Classification. [Company Name] operates as a [Industry Type] and shall comply with all retention requirements applicable to that classification.

2. ADMINISTRATION

2.1 Policy Administrator. The [Policy Administrator] is designated as the Records Retention Administrator and is responsible for: implementing and overseeing this Policy; training employees on retention requirements; maintaining the retention schedule; coordinating record destruction; and issuing litigation hold notices when required.

2.2 Employee Responsibilities. All employees are responsible for: retaining records in accordance with this Policy; not destroying records subject to a litigation hold; cooperating with the Records Retention Administrator in the administration of this Policy; and reporting potential violations to the Records Retention Administrator.

2.3 Policy Review. This Policy shall be reviewed [Review Frequency] and updated as necessary to reflect changes in applicable law, business practices, or record types.

3. RETENTION SCHEDULE

3.1 Financial and Tax Records

Tax Returns and Supporting Documentation: [Tax Return Retention].

Bank Statements, Invoices, Accounts Payable/Receivable, General Ledgers: [Bank Record Retention].

Expense Reports and Receipts: 7 years.

Annual Financial Statements and Audit Reports: Permanently.

3.2 Employment and HR Records

Payroll Records (wages, hours, deductions): [Payroll Retention].

Employee Personnel Files (offer letters, performance reviews, disciplinary records, separation documents): [Employee File Retention].

Form I-9 (Employment Eligibility Verification): 3 years from date of hire or 1 year after termination, whichever is later.

OSHA Injury and Illness Records (Form 300, 300A, 301): 5 years from the end of the calendar year they cover.

Employee Benefit Plan Records (ERISA): 6 years from the date of filing.

3.3 Legal and Corporate Records

Contracts and Agreements: [Contract Retention].

Corporate Formation and Governance Records (articles, bylaws, board minutes, stock ledger): [Corporate Record Retention].

Intellectual Property Records (patents, trademarks, copyrights): Permanently.

Insurance Policies: Permanently (or duration + 10 years).

Litigation Files: Duration of matter + 7 years.

4. LITIGATION HOLD

4.1 Obligation to Preserve. [Litigation Hold Policy].

4.2 Scope of Hold. A litigation hold suspends the normal operation of this Policy with respect to the categories of records identified in the hold notice. Records subject to a hold may not be destroyed until the hold is formally lifted by the Records Retention Administrator in writing.

4.3 Reporting. Any employee who receives a subpoena, demand for documents, or other legal notice related to company records must immediately notify the [Policy Administrator] and legal counsel.

5. RECORD DESTRUCTION

5.1 Authorization. Records may not be destroyed without prior review and written authorization from the [Policy Administrator]. Before authorizing destruction, the Administrator shall confirm that: (a) the record has reached the end of its retention period; (b) no litigation hold is in effect; and (c) no pending audit, investigation, or regulatory inquiry requires the record to be preserved.

5.2 Paper Records. Paper records shall be destroyed by [Paper Destruction Method]. A certificate or log of destruction shall be maintained.

5.3 Electronic Records. Electronic records shall be destroyed by [Electronic Destruction Method]. A certificate or log of destruction shall be maintained for a minimum of 3 years.

5.4 Records Destruction Log. The Records Retention Administrator shall maintain a log of all records destroyed under this Policy, including: record category, date of destruction, method of destruction, and name of person authorizing destruction.

6. ELECTRONIC RECORDS

6.1 Electronic records — including emails, digital files, database records, and cloud-stored documents — are subject to the same retention requirements as paper records of the same type. The medium of storage does not determine the retention period; the subject matter does.

6.2 Email. Emails that constitute official company records (contracts, approvals, financial data, legal correspondence) must be retained in accordance with this Policy. Routine operational emails with no record value may be deleted on a regular basis, provided no litigation hold is in effect.

6.3 Backup and Archival Systems. Electronic records in backup systems are subject to this Policy. Records may not be restored from backup for the purpose of circumventing this Policy.

7. POLICY APPROVAL AND ACKNOWLEDGMENT

This Records Retention Policy is approved and adopted by [Company Name] effective [Effective Date].

Approved by:

Signature: _______________________________ Date: _______________

Printed Name: _______________________________

Title: _______________________________

[Company Name]

Records Retention Administrator:

Signature: _______________________________ Date: _______________

Printed Name: _______________________________

Title: [Policy Administrator]

Maintained by Vladislav Sergienko, Founder

What Is a Records Retention Policy?

A Records Retention Policy in the United States sets out the rules and standards the organisation expects those it covers to follow.

The legal basis for records retention requirements in the United States derives from a complex matrix of federal agency regulations, federal statutes, and state laws. No single federal records retention law applies to all businesses — instead, requirements are imposed by the agencies and statutes that regulate each type of record. The Internal Revenue Service (IRS), through IRC § 6001 and Revenue Procedure 98-25, requires taxpayers to maintain records sufficient to establish income, deductions, and credits claimed on tax returns for the applicable statute of limitations period — generally three years, six years for returns with material understatements, and indefinitely for fraudulent returns. The Securities and Exchange Commission (SEC) Rule 17a-4 under the Securities Exchange Act of 1934 requires broker-dealers to retain account records, order tickets, and communications for three to six years. The Occupational Safety and Health Administration (OSHA) 29 C.F.R. § 1904 requires retention of workplace injury and illness records (OSHA Form 300) for five years. The Department of Labor's (DOL) regulations under ERISA require pension plan records to be retained for six years under 29 U.S.C. § 1027.

HIPAA — the Health Insurance Portability and Accountability Act — imposes records retention requirements on covered entities and business associates that handle protected health information (PHI). Under 45 C.F.R. § 164.530(j), covered entities must retain HIPAA policies, procedures, and documentation for six years from the date of creation or the date it was last in effect, whichever is later. Individual states impose additional medical records retention requirements: California Health and Safety Code § 123111 requires six years for adult medical records; New York Public Health Law § 18(3)(d) requires six years or three years after the patient's death.

Federal contractors and grantees are subject to records retention requirements under the Federal Acquisition Regulation (FAR) § 4.703, which generally requires contractors to retain contract records for three years after final payment, and under the Uniform Administrative Requirements applicable to federal grants (2 C.F.R. § 200.334), which requires grantees to retain grant records for three years after submission of the final financial report.

The Federal Rules of Civil Procedure impose a duty to preserve evidence that arises when litigation is 'reasonably anticipated' — before a lawsuit is filed. FRCP Rule 37(e) provides for sanctions (including adverse inference instructions and case-dispositive sanctions) against a party that fails to take reasonable steps to preserve electronically stored information (ESI) after the duty to preserve arises. A Records Retention Policy that includes a litigation hold procedure — suspending normal destruction when litigation is anticipated — is the standard tool for demonstrating compliance with the preservation duty.

State law imposes additional records retention requirements that vary by jurisdiction. California's Consumer Privacy Act (CCPA), Cal. Civ. Code § 1798.100 et seq., does not mandate specific retention periods but requires businesses to disclose their data retention practices and to delete consumer personal information upon request. New York's SHIELD Act and other state data protection laws impose security requirements on retained records. Many state employment laws impose specific retention periods for payroll records, tax withholding records, and employment applications that differ from and sometimes exceed federal requirements.

When Do You Need a Records Retention Policy?

A Records Retention Policy in the United States is needed by every business — regardless of size — that creates, receives, or maintains records in the course of its operations, because every business is subject to at least some federal or state records retention requirements and faces potential litigation that triggers evidence preservation duties.

A Records Retention Policy is needed before a business faces an IRS audit or tax examination. The IRS has authority under IRC § 7602 to examine a taxpayer's books, records, and other data. A business that cannot produce tax records — because it destroyed them without a policy or retained them without organization — faces the risk of the IRS reconstructing income by other means, which typically produces a higher tax assessment than the actual tax due. A documented retention policy demonstrates that records practices were systematic and in good faith.

The policy is needed before litigation arises. Once a business receives a demand letter, regulatory inquiry, or learns of circumstances that could result in a lawsuit, the duty to preserve relevant documents attaches immediately. A business with an existing Records Retention Policy can immediately implement a litigation hold (suspending normal destruction for affected records) and document its compliance. A business without a policy has no framework for doing so and risks spoliation sanctions under FRCP Rule 37(e) — including sanctions as severe as dismissal of the defendant's case or default judgment for the plaintiff in egregious cases.

A Records Retention Policy is needed for HIPAA compliance by any healthcare provider, health plan, or business associate that handles PHI. The HHS Office for Civil Rights (OCR) enforces HIPAA and has imposed civil monetary penalties ranging from $100 to $1.9 million per violation category for HIPAA violations, including records management failures. A documented records retention policy with HIPAA-specific retention periods and security protocols is a fundamental requirement of HIPAA compliance.

The policy is needed for SEC-registered broker-dealers, investment advisers, and public companies that are subject to SEC books and records requirements under Exchange Act Rules 17a-3 and 17a-4 and Investment Advisers Act Rule 204-2. SEC examination staff routinely test records retention compliance, and failures to maintain required records have resulted in significant enforcement actions and penalties.

A Records Retention Policy is needed as part of a broader data governance program for any business that collects and retains consumer personal information subject to the CCPA, New York SHIELD Act, Virginia CDPA, Colorado Privacy Act, or other state privacy laws. These laws require businesses to disclose how long they retain personal data and to honor consumer deletion requests — both of which require a defined retention policy.

What to Include in Your Records Retention Policy

A Records Retention Policy for a US business must address every major category of business record, specify retention periods with legal bases, set out destruction procedures, and include a litigation hold protocol.

The scope and applicability clause defines which records are covered by the policy (all records created, received, or maintained by the organization in any format — paper, electronic, email, text message, social media, voicemail, database records), which employees and contractors are subject to the policy, and how the policy interacts with records maintained by third-party service providers and cloud storage platforms.

The records retention schedule is the operational core of the policy. The schedule organizes records by category and specifies the retention period and legal basis for each. Key retention categories and minimum periods for US businesses include:

Tax and accounting records: IRS requires records supporting tax returns for the longer of three years (standard statute of limitations), six years (if underreported income by more than 25%), or seven years (if worthless securities or bad debt deduction claimed). Best practice: seven years for all tax and accounting records.

Corporate and legal entity records (articles, bylaws, board minutes, shareholder records): permanent.

Employment records (applications, hiring records, I-9 forms, payroll records): four to seven years depending on federal and state law; I-9 forms for the longer of three years from hire or one year from termination under 8 C.F.R. § 274a.2.

OSHA injury and illness records (Form 300, 300A, 301): five years under 29 C.F.R. § 1904.33.

ERISA plan records: six years under 29 U.S.C. § 1027.

SEC records (broker-dealers): three to six years under Rule 17a-4.

Contracts and agreements: statute of limitations plus three to six years (four to six years for written contracts in California, New York, and Texas).

HIPAA records: six years from creation or last effective date under 45 C.F.R. § 164.530(j).

The litigation hold procedure is mandatory for legal defensibility. The policy must specify: what events trigger a litigation hold (receipt of a demand letter, service of legal process, notice of government investigation, or any circumstances creating reasonable anticipation of litigation or regulatory inquiry); who is responsible for issuing the hold notice (typically the General Counsel or outside counsel); how the hold notice is communicated to employees with potentially relevant records; what records categories are covered by the hold; and how hold compliance is monitored and documented. FRCP Rule 37(e) safe harbor protection depends on the organization having taken 'reasonable steps to preserve' ESI after the preservation duty arose — a formal, documented hold procedure is the standard evidence of reasonable steps.

The electronic records management provisions address the special requirements for electronically stored information (ESI): email retention (often the largest single records category for most businesses); records maintained in cloud platforms such as Microsoft 365, Google Workspace, Salesforce, and Dropbox; instant messaging and collaboration platform data (Slack, Microsoft Teams); mobile device records (text messages, WhatsApp); and accounting and ERP system data (QuickBooks, SAP, Oracle). The policy must specify whether electronic records are treated as originals, whether metadata must be preserved, and the backup and archival procedures for each platform.

The secure destruction procedures clause specifies how records at the end of their retention period are destroyed: paper records must be shredded (cross-cut shredding to NIST guidelines or destruction by a certified shredding vendor under a Certificate of Destruction); electronic media must be sanitized to NIST SP 800-88 standards (overwriting, degaussing, or physical destruction of hard drives); and cloud-stored records must be deleted through the platform's certified deletion process with confirmation documentation. Records subject to a litigation hold must never be destroyed, even if they have passed their scheduled retention period, until the hold is formally released.

The policy governance provisions specify: who is responsible for administering and updating the policy (Records Manager, Compliance Officer, or General Counsel); the schedule for periodic review and update (at least annually, and whenever applicable law changes); employee training requirements (all employees must receive training on their records retention obligations at hire and annually thereafter); and the consequences of non-compliance with the policy (which may include disciplinary action up to termination for willful destruction of records subject to a litigation hold).

Sources & Citations

Statutory citations link to official government sources.

  1. 29 U.S.C. § 1027 (US) – Cornell LII
  2. 29 C.F.R. § 1904 (US) – eCFR
  3. 45 C.F.R. § 164.530 (US) – eCFR
  4. 2 C.F.R. § 200.334 (US) – eCFR
  5. 8 C.F.R. § 274 (US) – eCFR
  6. 29 C.F.R. § 1904.33 (US) – eCFR
  7. IRC § 6001 (US) – Cornell LII
  8. IRC § 7602 (US) – Cornell LII
  9. ERISA (US) – Cornell LII
  10. HIPAA (US) – Cornell LII
  11. Health Insurance Portability and Accountability Act (US) – Cornell LII
  12. Cal. Civ. Code § 1798.100 (CA, US) – official

Cite this page

Reference this free template in an article, syllabus, or research note:

APA

Forms Legal. (2026). Records Retention Policy (United States) [Legal document template]. Forms Legal. https://forms-legal.com/usa/business/policies/records-retention-policy

Based on Uniform Commercial Code (UCC) — Template last modified June 2026

This template is provided for informational purposes only and does not constitute legal advice. Laws vary by jurisdiction and change over time. Consult a qualified attorney for advice specific to your situation.
