Record retention is the practice of keeping documents, files, and data for a specific period of time before securely disposing of them. It applies to individuals managing their own tax paperwork, businesses complying with federal and state regulations, and organizations in healthcare, finance, and other industries that handle sensitive information. The goal is straightforward: hold onto records long enough to satisfy legal requirements and protect yourself, then destroy them properly so they don’t become a liability.
Why Record Retention Matters
Every document you create or receive has a useful life. Tax returns support your position if you’re audited. Employment records prove you paid workers correctly. Medical files document patient care. Contracts verify what was agreed to. Keeping these records for the right amount of time protects you legally and financially. Destroying them too early can leave you unable to defend yourself in an audit, lawsuit, or regulatory inquiry.
On the other hand, holding records forever creates its own problems. Storing mountains of old paperwork or digital files costs money, increases the risk of a data breach, and makes it harder to find what you actually need. A clear retention schedule tells you exactly how long to keep each type of document, so you’re neither exposed nor buried.
IRS Retention Periods for Tax Records
The IRS ties its retention requirements to the “period of limitations,” which is the window of time during which you can amend a return or the IRS can assess additional tax. For most people, that means keeping tax records for three years from the date you filed your return (or two years from the date you paid the tax, whichever is later).
Several situations extend that window significantly:
- Income underreported by more than 25%: Keep records for six years.
- Worthless securities or bad debt deduction: Keep records for seven years.
- Unfiled or fraudulent returns: Keep records indefinitely. There is no statute of limitations if you never file or if the return is fraudulent.
Property records deserve special attention. You need to keep documentation on any asset you own (real estate, investments, business equipment) for as long as you hold the property, plus the retention period for the tax year in which you sell or dispose of it. That’s because you’ll need the original purchase records to calculate your gain or loss. If you received property through a tax-free exchange, keep the records from both the old and new property until the limitations period expires for the year you eventually sell.
Employment and Payroll Records
Federal law under the Fair Labor Standards Act requires employers to preserve payroll records, collective bargaining agreements, and sales and purchase records for at least three years. Records that support wage calculations, such as time cards, work schedules, wage rate tables, and records of additions to or deductions from wages, must be kept for at least two years.
Employment tax records follow a separate IRS rule: keep them for at least four years after the date the tax becomes due or is paid, whichever is later. This covers forms like W-2s, W-4s, and records of federal tax deposits. Because the IRS and Department of Labor have overlapping but different requirements, many employers simply default to keeping all payroll and employment records for at least four years to stay safe under both sets of rules.
Medical and Healthcare Records
HIPAA, the main federal health privacy law, does not set a minimum retention period for medical records. State laws govern how long healthcare providers must keep patient files, and those requirements vary widely. Some states require records to be maintained for a set number of years after the last patient encounter, while others tie retention to the patient’s age (particularly for minors).
What HIPAA does require is that any medical records or protected health information still in a provider’s possession be safeguarded with appropriate administrative, technical, and physical protections for as long as the information exists, including during the disposal process. That means shredding paper files and securely wiping digital records when retention periods end.
Building a Record Retention Policy
If you run a business or manage records for an organization, a written retention policy turns these scattered requirements into a single, consistent system. A good policy covers several key areas.
First, it defines what counts as a business record. This includes both paper and electronic documents: contracts, emails, invoices, personnel files, financial statements, and any other files the organization creates or receives. The policy should specify how long each category of record is kept, based on the legal requirements that apply to your industry and the practical needs of the business.
Second, it assigns responsibility. Someone (or a small committee) needs to oversee the program, manage storage, and ensure documents are actually destroyed on schedule. Without clear ownership, retention policies tend to exist on paper but not in practice.
Third, it addresses litigation holds. When a lawsuit or government investigation is pending or reasonably anticipated, you must suspend normal destruction schedules and preserve all potentially relevant documents. Destroying records that should have been preserved during litigation can result in severe penalties, including court sanctions and negative inferences drawn against you. The policy should spell out how a litigation hold is triggered, communicated, and lifted.
Finally, the policy needs a communication and training plan. Employees can’t follow rules they don’t know about. Regular training, periodic reviews, and updates to the policy as laws change keep the system working over time.
How to Dispose of Records Securely
When a document reaches the end of its retention period, simply tossing it in the trash creates a security risk. Paper records containing personal information, financial data, or proprietary business details should be cross-cut shredded, not just strip-cut (which can sometimes be reassembled). For large volumes, professional shredding services offer on-site mobile shredding or off-site plant-based destruction. Look for providers that hold NAID AAA Certification, an industry standard that verifies the company follows best practices for secure destruction.
Digital records require their own protocols. Deleting a file from your computer or server doesn’t actually erase the data: it typically removes only the file system’s reference to the file, and the contents remain recoverable until they are overwritten. Secure disposal of hard drives, USB drives, and other digital media typically involves specialized software that overwrites the data multiple times, or physical destruction of the storage device itself. Cloud-based records need to be permanently deleted through the platform’s tools, with confirmation that backups have also been purged.
A Practical Starting Point for Individuals
You don’t need a formal policy to manage your own records effectively. A simple filing system, whether physical folders or digital storage, organized by year and document type covers most needs. Keep tax returns and supporting documents for at least three years (seven if you want extra protection). Hold onto records for any property you own. Save pay stubs and W-2s for at least four years. Keep records related to insurance claims, major purchases, and loan agreements for the life of the policy, warranty, or loan, plus a few years after.
Once a year, go through your files and shred anything that has passed its retention period. A basic cross-cut shredder costs $30 to $60 and handles the volume most households produce. For old hard drives or devices, many electronics retailers and recycling centers offer secure destruction services at little or no cost.

