How Long Should Your Business Keep Records? A Complete Industry Guide

April 09, 2026Posted by: Tony Acerra

Contact us

COMPLETE INDUSTRY GUIDE | 2026

A definitive breakdown of records retention periods across Healthcare, Finance, Legal, and HR — so your business stays compliant and audit-ready.

This guide references regulations including IRS guidelines, HIPAA, SEC Rule 17a-4, FINRA Rule 4511, FLSA, EEOC, and OSHA. Always consult a licensed compliance professional for advice specific to your jurisdiction and industry.

Every year, thousands of businesses face audits, lawsuits, and regulatory investigations — only to discover that critical documents were destroyed too soon, or kept so long they became a liability. Whether you run a medical practice, a financial advisory firm, or a 10-person HR team, the question is the same: how long should your business keep records?

The answer depends entirely on your industry, the type of document, and which federal or state regulations govern your operations. This guide cuts through the confusion with clear, actionable retention schedules across four key industries: healthcare, finance, legal, and HR. You will also find a universal quick-reference table and the steps to build your own document retention policy.

Why Records Retention Rules Matter More Than Ever

The regulatory landscape has tightened considerably. According to Thomson Reuters Regulatory Intelligence (2024), global non-compliance fines hit a record $14 billion, driven by increased enforcement across financial services, healthcare, and data privacy. Separately, a 2025 report by Corlytics found that record-keeping failures — inadequate documentation, incomplete audit trails, and poor retention practices — contributed around $238.5 million in fines in 2025 alone.

Beyond fines, a 2025 compliance benchmark study found that 85% of companies say compliance has become more complex in the past three years, and the global average cost of a data breach has risen to $4.4 million. data protection The bottom line: getting your records retention right is not just a compliance checkbox — it protects your business from financial, legal, and reputational harm.

Records retention policy is a formalized schedule that defines which documents a business must keep, for how long, and in what format — enabling legal compliance, audit readiness, and systematic destruction of expired records.

Universal Records Retention Quick Reference

The Internal Revenue Service establishes baseline rules for all businesses. Tax records generally must be kept for 3 years after filing — the standard IRS audit window. However, if income is underreported by more than 25%, that window extends to 6 years. If you fail to file a return at all, the IRS may audit you indefinitely. Most CPAs and legal professionals recommend using 7 years as a safe standard for all tax-related documents.

Document Type	Minimum Retention	Safe Recommended Period
Business tax returns	3 years (IRS audit window)	7 years
Payroll tax records	4 years after due date	7 years
General ledgers & financial statements	6 years (SEC/accounting)	Permanent
Bank & credit card statements	1 year (if no tax relevance)	7 years if tax-related
Contracts & business agreements	Duration + 7 years	Permanent for key contracts
Business formation documents	Permanent	Permanent
Insurance policies (expired)	Until superseded + 3 years	7 years
Property deeds & titles	Duration of ownership + period of limitations	Permanent
Annual meeting minutes / bylaws	Permanent	Permanent
I-9 employment eligibility forms	3 years from hire or 1 year post-termination	7 years to be safe

Source: IRS Publication 583 (2024); U.S. Chamber of Commerce Small Business Document Retention Guide (2026); Nolo.com Business Records Guide.

Healthcare Industry Records Retention Requirements

One of the most common misconceptions in healthcare compliance is that “HIPAA requires 7 years” of medical record retention. This is incorrect. The 7-year figure comes from Medicare (Centers for Medicare & Medicaid Services), not HIPAA. HIPAA’s Privacy Rule (45 CFR 164.530(j)) requires covered entities to retain HIPAA administrative compliance documents — privacy policies, security procedures, training records, and business associate agreements — for 6 years from creation or last effective date.

Medical records themselves — patient charts, diagnoses, lab results — are governed by individual state laws, which vary considerably. The American Medical Association recommends retaining all patient records for at least 10 years from the date of last treatment as a best practice, regardless of state minimums. Patient Data Management

HIPAA Administrative Documentation (Federal Baseline)

Document Type	Retention Period	Authority
Privacy policies & procedures	6 years from creation or last effective date	HIPAA 45 CFR 164.530(j)
Risk assessments & security evaluations	6 years	HIPAA Security Rule
Employee HIPAA training records	6 years from date of training	HIPAA Privacy Rule
Business associate agreements (BAAs)	6 years after relationship ends	HIPAA Privacy Rule
Breach notification logs	6 years from last use	HIPAA Breach Notification Rule
Patient authorizations for PHI disclosure	6 years from last effective use	HIPAA Privacy Rule
Audit logs and security incident reports	6 years from creation or last use	HIPAA Security Rule

Medicare & CMS Records (Federal)

Provider Type	Retention Period	Authority
Medicare fee-for-service providers	7 years from date of service	CMS / 42 CFR
Medicare managed care program providers	10 years	CMS Conditions of Participation
Cost report documentation	5 years after cost report closure	CMS
Hospitals participating in Medicare	5 years after patient discharge (minimum)	42 CFR 482.24

State Medical Records Retention: Key Variations

Because HIPAA does not set a federal minimum for medical records, healthcare providers must follow their state’s law — whichever is more stringent than any applicable federal rule. Below are selected examples:

State	Retention Period	Notes
Arkansas	10 years after discharge	Master patient index kept permanently
California	7 years from last treatment (22 CA ADC § 70751(c))	Minor records kept until age 19+
Colorado	10 years	Stringent state requirement
Florida	5 years (physicians) / 7 years (hospitals)
Georgia	10 years from date created	Applies to evaluations, diagnoses, lab reports
New York	6 years from discharge / until patient turns 22 (minors)
Nevada	5 years minimum; until age 23 for minors
Massachusetts	Up to 20 years (hospitals)	Among the longest state requirements

Source: HIPAA Journal (2026 Update); Recording Law — Medical Records Retention Laws by State (March 2026); HHS.gov HIPAA FAQ.

Financial Industry Records Retention Requirements

The financial services sector is governed by an interlocking web of federal regulations. The Securities Exchange Act (Rule 17a-3 and 17a-4), FINRA Rule 4511, the Sarbanes-Oxley Act, the Bank Secrecy Act, and the Gramm-Leach-Bliley Act each impose specific retention requirements. In fiscal year 2024, the SEC ordered $8.2 billion in financial remedies, including $600 million in penalties specifically for recordkeeping failures.

FINRA Rule 4511 requires firms to preserve for at least 6 years those FINRA books and records for which no specific retention period is prescribed under other rules. Electronic records must be stored in WORM (write once, read many) format — or, since a 2022 rule amendment, in systems with a complete audit trail permitting recreation of original records. Failure to use compliant storage was the basis for FINRA’s $14.4 million enforcement action against 12 firms in December 2016.

SEC Rule 17a-4 / FINRA Rule 4511 — Core Retention Periods

Record Type	Retention Period	Accessibility Requirement
General ledgers, trial balances, financial statements	6 years	First 2 years: easily accessible
Business communications (emails, IMs, correspondence)	3 years	First 2 years: easily accessible
Trade confirmations, order tickets	3 years	First 2 years: easily accessible
Customer account records	6 years	Easily accessible throughout
Internal audit working papers	3 years (minimum)	Per FINRA Rule 4511
Partnership articles / articles of incorporation	Life of firm + successor	Permanent
Broker-dealer registration forms (Form BD, BDW)	Life of firm	Permanent
Sarbanes-Oxley audit documentation	7 years after audit conclusion	SEC Rule (SOX Section 802)

Bank Secrecy Act & Anti-Money Laundering (AML)

The Bank Secrecy Act (BSA) requires financial institutions to retain transaction records for 5 years to support anti-money laundering investigations. This includes records of cash transactions exceeding $10,000 daily aggregate and Suspicious Activity Reports (SARs).

Sarbanes-Oxley Act (SOX) — Public Companies

Public company auditors must retain audit documentation — workpapers, memoranda, communications — for 7 years after the audit concludes, per the SEC’s final rule implementing SOX Section 802. This is designed to preserve evidence of financial reporting integrity and prevent the destruction of records seen in the Enron and Arthur Andersen scandal.

Source: FINRA.org Books and Records Overview; SEC Rule 17a-4 (17 CFR § 240.17a-4); SEC.gov Retention of Records Relevant to Audits and Reviews (2003, as amended); Corlytics Enforcement Report (2025).

Legal Industry and Business Legal Records Retention

Every business accumulates legal records over time — not just law firms. Understanding how long to keep contracts, litigation files, and corporate governance records is essential for any organization. State statutes of limitations vary widely, but a 7-year default is the most widely recommended baseline for legal documents because it covers most contract dispute windows and IRS audit risk simultaneously.

Document Type	Recommended Retention	Rationale
Business formation documents (articles of incorporation, bylaws)	Permanent	Establishes legal existence of entity
Annual meeting minutes and board resolutions	Permanent	Corporate governance record
Active contracts and agreements	Duration of contract + 7 years	Covers most statute of limitations periods
Expired contracts (significant value)	7–10 years after expiration	Dispute and audit protection
Expired contracts (routine/low value)	3–5 years after expiration	State contract law typically 3–6 years
Litigation files (resolved cases)	7–10 years after resolution	Appeal window and follow-on risk
Court orders, judgments, decrees	Permanent	May need to enforce or reference indefinitely
Patents, trademarks, copyrights	Duration of IP + permanent record	Register should be retained permanently
Loan agreements and promissory notes	7 years after payoff	Lender/borrower protection
Insurance policies (significant/umbrella)	Permanent or 10+ years	Latent claims can arise years later
Real property deeds and titles	Permanent (while owned + period of limitations)	Chain of title integrity
Environmental permits and regulatory filings	10+ years or permanent	Latent liability risk

Source: Nolo.com Business Records Guide; U.S. Chamber of Commerce CO — How Long to Keep Business Documents (2026); Incorp.com — How Long to Keep Records After Closing (2026).

HR Records Retention: Employee and Payroll Documents

HR teams manage some of the most sensitive — and most regulated — documents in any organization. The Fair Labor Standards Act (FLSA), Equal Employment Opportunity Commission (EEOC), Age Discrimination in Employment Act (ADEA), Employee Retirement Income Security Act (ERISA), and OSHA all impose specific requirements that can, and frequently do, conflict with each other. The rule of thumb: keep records for whichever period is longest.

Federal HR Records Retention Summary

Document Type	Retention Period	Governing Law
Payroll records (wages, overtime, work schedules)	3 years	FLSA
Wage computation records (time cards, rate tables)	2 years	FLSA
Employment tax records (W-2, payroll filings)	4 years after tax due date	IRS
Form I-9 (Employment Eligibility Verification)	3 years from hire or 1 year post-termination (later date)	USCIS / Immigration Reform Act
Personnel files (hiring, performance, termination)	1 year minimum; 7 years recommended	EEOC + state law
ADEA: payroll records	3 years	ADEA
ADEA: benefit plan documents, seniority systems	Duration of plan + 1 year minimum	ADEA
Employee benefits records (ERISA: pension, insurance)	6 years from plan filing date	ERISA
EEOC discrimination claims & related records	1 year; until final case resolution if charge filed	EEOC / Title VII, ADA, ADEA
OSHA workplace injury logs (Form 300)	5 years after end of calendar year	OSHA 29 CFR 1904.33
Medical & hazardous substance exposure records	Duration of employment + 30 years	OSHA 29 CFR 1910.1020
Drug & alcohol test results (DOT-regulated roles)	5 years	DOT 49 CFR Part 40
Background checks, driving records	Recommend 5 years	FCRA + state law
Workers’ compensation records	Duration of claim + state statute of limitations	State workers’ comp law

Source: EEOC Recordkeeping Requirements (eeoc.gov); HRMorning.com HR Record Retention Best Practices (2025); SecureScan.com HR Record Retention Guidelines for 2026; BerniePortal HR Employee Record Retention Guidelines (2024).

How to Build a Document Retention Policy That Holds Up

Many businesses know they need a records retention policy but do not know where to start. The key is to categorize all documents your organization creates or receives, map each category to the governing law, and then set a retention schedule that meets or exceeds every applicable requirement.

The 5 Core Elements of a Document Retention Policy

• Document inventory — list every document type your business creates, receives, or stores, grouped by department
• Retention schedule — assign a specific retention period to each document type based on the applicable federal/state law, with the most stringent period winning
• Storage standards — specify whether records may be kept in paper, electronic, or both formats; define security and access controls for each
• Litigation hold procedures — detail how to immediately suspend normal destruction when litigation is reasonably anticipated (“legal hold”)
• Secure destruction protocol — define the approved method for destroying expired records (shredding for paper; certified data wiping or deletion with audit log for digital)

IMPORTANT: Eight U.S. states have adopted the Uniform Preservation of Private Business Records Act (UPPBRA), which provides a default 3-year retention period for ordinary business documents not covered by a specific statute. This is a floor, not a ceiling — check your state’s specific requirements to ensure you’re using the correct minimum.

Frequently Asked Questions About Business Records Retention

How long should a small business keep financial records?

A small business should keep tax returns and supporting financial records for at least 7 years from the date of filing — this covers the IRS’s 3-year standard audit window and the 6-year window for cases of substantial underreporting. General ledgers, bank statements with tax relevance, and payroll records should also follow the 7-year rule. Business formation documents, ownership records, and major contracts should be kept permanently.

Does HIPAA require medical records to be kept for 7 years?

No. This is a widespread misconception. HIPAA does not require medical records to be kept for any specific period — it only requires HIPAA administrative compliance documents (privacy policies, training records, BAAs) to be retained for 6 years. The 7-year figure comes from Medicare/CMS requirements for Medicare providers. State laws govern actual medical record retention and vary from 5 years (Florida, physicians) to 20 years (Massachusetts, hospitals). The AMA recommends a best practice of 10 years regardless of state minimum.

What happens if my business destroys records too early?

Destroying records before their retention period expires can have serious consequences: the IRS may assume non-compliance and assess taxes; courts may apply an adverse inference if destroyed documents are sought in litigation; regulators can issue fines and sanctions. For financial firms, FINRA has issued multi-million-dollar fines for premature or non-compliant record destruction. Once litigation is “reasonably anticipated,” premature destruction can constitute spoliation of evidence — a significant legal liability.

Can I store business records electronically instead of in paper form?

Yes. The IRS, SEC, FINRA, OSHA, and most state agencies accept electronic records as legally equivalent to paper, provided they are legible, complete, and secured against unauthorized alteration. The SEC and FINRA specifically require broker-dealers to use WORM (write once, read many) electronic storage or an audit-trail system that can recreate original records. Always back up electronic records to at least one secure off-site or cloud location.

How long should HR keep employee records after termination?

The federal minimum varies by document type: I-9 forms must be kept for 3 years from hire or 1 year post-termination (whichever is later); EEOC-related personnel records for at least 1 year; payroll records for 3 years under FLSA. However, most employment attorneys recommend keeping full personnel files for 7 years after termination to cover all potential employment law claims. OSHA medical and hazardous-exposure records require retention for the duration of employment plus 30 years.

Are there records I should never destroy?

Yes. The following categories of records should typically be kept permanently: business formation documents (articles of incorporation, bylaws, operating agreements); ownership records (stock ledgers, deeds, titles); annual meeting minutes and board resolutions; court orders and judgments; patents, trademarks, and copyright registrations; and core tax returns (even though supporting documents may be destroyed after 7 years, many advisors recommend keeping filed returns forever). If your business closes, these obligations do not disappear — you remain responsible for records retention obligations for the applicable periods post-closure.

Conclusion: Build Your Retention Schedule Now, Not After an Audit

Records retention compliance is not optional — it is one of the most basic risk management functions every business must get right. The cost of getting it wrong runs from missed tax deductions to multi-million-dollar fines, litigation exposure, and reputational harm. Here is a summary of the key retention periods to remember:

• Universal baseline: 3 years (IRS standard audit window); 7 years for tax-related documents and employee records
• Healthcare: 6 years for HIPAA administrative docs; 7–10 years for Medicare patient records; 5–20 years for medical records (state law dependent)
• Financial services: 3 years for communications/operational records; 6 years for accounting records; 7 years for SOX audit documentation
• Legal documents: 7 years for most contracts; permanent for formation docs, court orders, and IP registrations
• HR records: 2–7 years for most; employment + 30 years for OSHA hazardous exposure records
• Permanent: formation documents, ownership records, minutes, deeds, licenses, key court orders

Your next step: conduct a document inventory, identify the governing law for each document type in your industry, and formalize a written document retention policy that your entire team understands and follows. Review it annually — regulations change, and an outdated policy can be worse than none at all.