Your filing cabinet is quietly working against you. Whether it is stuffed with paper invoices from five years ago or bloated with digital folders no one has touched since the last administration, holding on to documents longer than necessary creates real legal and operational risk for your business.
On the flip side, deleting records too early can land you in serious trouble during an audit, lawsuit, or regulatory review. The sweet spot is knowing exactly what to keep, for how long, and what to do with it after that window closes.
A solid document retention policy takes all of that guesswork off the table. It protects your organization, keeps you compliant with industry regulations, and gives your team a clear, consistent process to follow every single time. Here are three ready-to-use samples you can adapt for your specific needs.
Document Retention Policy Samples
Every organization is different, and a law firm has very different retention needs than a healthcare clinic or a small e-commerce business. The samples below cover a general business, a healthcare provider, and a small business, giving you a practical starting point no matter what type of organization you run.
1. General Business Document Retention Policy
Document Retention Policy
[Company Name]
Effective Date: [Date]
Approved by: [Name/Title]
1. Purpose
This policy establishes guidelines for the retention, storage, and disposal of documents and records created or received by [Company Name] in the course of its operations. Its purpose is to ensure legal compliance, support business continuity, and protect the organization from unnecessary liability.
2. Scope
This policy applies to all employees, contractors, and authorized third parties who create, receive, store, or manage records on behalf of [Company Name], regardless of format (physical or digital).
3. Document Categories and Retention Periods
| Document Type | Retention Period |
|---|---|
| Corporate formation documents (articles of incorporation, bylaws) | Permanent |
| Board meeting minutes and resolutions | Permanent |
| Annual financial statements | 7 years |
| Tax returns and supporting documents | 7 years |
| Accounts payable and receivable records | 7 years |
| Bank statements and reconciliations | 7 years |
| Payroll records | 7 years |
| Employment contracts | 7 years after termination |
| Employee personnel files | 7 years after termination |
| General contracts and agreements | 7 years after expiration |
| Insurance policies | 10 years after expiration |
| Correspondence (general business) | 3 years |
| Marketing materials | 3 years |
| Routine operational records | 1 year |
4. Storage Requirements
4.1 Physical Records
Physical documents must be stored in a secure, climate-controlled environment with restricted access. Only authorized personnel may access confidential or sensitive records.
4.2 Electronic Records
All digital documents must be stored on [Company Name]-approved systems and backed up regularly according to the company’s IT policy. Employees may not store official records on personal devices or unauthorized cloud platforms.
5. Legal Hold
In the event of actual or anticipated litigation, government investigation, or regulatory inquiry, normal retention schedules are suspended for all records that may be relevant to the matter. The Legal Department or senior management will issue a formal legal hold notice identifying the scope of records to be preserved. No documents subject to a legal hold may be destroyed until the hold is officially lifted in writing.
6. Document Disposal
6.1 Physical Documents
All physical documents containing confidential, sensitive, or personally identifiable information must be shredded using a cross-cut shredder. General non-sensitive documents may be recycled.
6.2 Electronic Documents
Electronic records must be permanently deleted using approved data destruction methods that render the data unrecoverable. Simply moving a file to the trash is not sufficient.
6.3 Disposal Log
A record of all document disposals must be maintained, including the date of disposal, description of materials destroyed, method of destruction, and the name of the individual who authorized and carried out the disposal.
7. Responsibilities
- Department Heads: Ensure their teams comply with this policy and that records are properly organized, labeled, and stored.
- Records Manager / Designated Administrator: Oversee implementation of this policy, maintain the disposal log, and coordinate legal holds.
- All Employees: Follow retention schedules, handle records securely, and report any known or suspected policy violations.
8. Policy Review
This policy will be reviewed annually and updated as needed to reflect changes in applicable law, regulation, or business operations.
9. Non-Compliance
Failure to comply with this policy may result in disciplinary action, up to and including termination of employment, and may expose [Company Name] to legal liability.
Approved by: ___________________________
Title: ___________________________
Date: ___________________________
2. Healthcare Organization Document Retention Policy
Document Retention Policy
[Healthcare Organization Name]
Effective Date: [Date]
Policy Number: [Number]
Approved by: [Name/Title]
1. Purpose
This policy governs the creation, maintenance, storage, and destruction of records at [Healthcare Organization Name]. It is designed to ensure compliance with applicable federal and state healthcare regulations, including the Health Insurance Portability and Accountability Act (HIPAA), Centers for Medicare and Medicaid Services (CMS) requirements, and applicable state medical records laws, while protecting patient privacy and supporting quality care.
2. Scope
This policy applies to all workforce members, including employees, volunteers, students, trainees, and contractors who access, create, or manage protected health information (PHI) or other organizational records on behalf of [Healthcare Organization Name].
3. Definitions
- Medical Record: Any documentation related to a patient’s health history, diagnosis, treatment, and care provided by this organization.
- Protected Health Information (PHI): Individually identifiable health information as defined under HIPAA.
- Legal Hold: A directive to preserve records relevant to pending or anticipated litigation or regulatory inquiry.
4. Retention Schedule
| Record Type | Retention Period |
|---|---|
| Adult patient medical records | 10 years from date of last treatment |
| Minor patient medical records | Until patient turns 21, or 10 years from last treatment, whichever is longer |
| Deceased patient records | 10 years from date of death |
| Labor and delivery records | 25 years |
| Diagnostic images (X-rays, MRIs, scans) | 10 years |
| Operative reports | 10 years |
| Pathology records | 10 years |
| Billing and claims records | 10 years (CMS requirement) |
| Medicare cost reports | 5 years after filing |
| HIPAA authorization forms | 6 years from creation or last effective date |
| Personnel files | 7 years after separation |
| Payroll records | 7 years |
| Corporate and governance records | Permanent |
| Contracts and agreements | 10 years after expiration |
| Incident and occurrence reports | 10 years |
| Infection control records | 10 years |
Note: Where state law mandates a longer retention period than the federal requirement, the longer period applies.
5. Storage and Security
5.1 Physical Records
Medical records and other documents containing PHI must be stored in locked, access-controlled areas. Access is limited to authorized clinical and administrative personnel with a documented need.
5.2 Electronic Health Records (EHR)
All electronic records must be maintained within [Healthcare Organization Name]’s approved EHR or records management system. Access is role-based and logged. Systems must comply with HIPAA Security Rule requirements, including encryption, audit controls, and automatic logoff.
5.3 Offsite Storage
Records transferred to approved offsite storage facilities must be tracked using a chain-of-custody log. Vendor agreements must include HIPAA-compliant Business Associate Agreements (BAAs).
6. Legal Hold Procedures
Upon receipt of a legal hold notice from the Compliance or Legal Department, all affected workforce members must immediately suspend the destruction of any records specified in the notice. Legal holds remain in effect until formally released in writing by the issuing authority.
7. Record Disposal
7.1 Physical Records
Documents containing PHI must be shredded on-site by authorized staff or destroyed by a HIPAA-compliant vendor. Certificates of destruction must be obtained and retained.
7.2 Electronic Records
Electronic PHI must be purged or destroyed using NIST-approved data sanitization methods. Simple deletion does not satisfy this requirement.
7.3 Destruction Log
A destruction log must be maintained for all records disposed of and must include the record type, date range, destruction date, method used, and the name of the authorizing official.
8. Patient Rights
Patients have the right to request access to, amendment of, and an accounting of disclosures of their medical records as provided under HIPAA and applicable state law. Requests must be directed to the Health Information Management (HIM) Department and processed in accordance with [Healthcare Organization Name]’s Patient Rights Policy.
9. Responsibilities
- Chief Compliance Officer: Oversee policy implementation and regulatory compliance.
- Health Information Management Department: Manage day-to-day records administration, retention tracking, and disposal.
- Department Managers: Ensure staff adherence to this policy within their departments.
- All Workforce Members: Handle all records in compliance with this policy and report potential violations immediately.
10. Policy Review
This policy is reviewed annually or whenever significant regulatory changes occur.
Approved by: ___________________________
Title: ___________________________
Date: ___________________________
3. Small Business Document Retention Policy
Document Retention Policy
[Business Name]
Effective Date: [Date]
Prepared by: [Owner/Manager Name]
1. Purpose
This policy outlines how [Business Name] stores, manages, and disposes of its business records. It helps us stay organized, protect sensitive information, meet our legal obligations, and avoid holding on to documents longer than necessary.
2. Scope
This policy applies to the owner, all employees, and any contractors or service providers who handle [Business Name] records, whether in paper or digital format.
3. Retention Schedule
| Document Type | How Long to Keep |
|---|---|
| Business licenses and registrations | Permanently |
| Tax returns (federal, state, local) | 7 years |
| Sales records and receipts | 7 years |
| Bank statements | 7 years |
| Accounts payable and receivable | 7 years |
| Payroll records and W-2s/1099s | 7 years |
| Vendor and supplier contracts | 5 years after contract ends |
| Customer contracts and invoices | 5 years |
| Employee records | 5 years after employee leaves |
| Insurance policies | 5 years after policy expires |
| General business correspondence (emails, letters) | 3 years |
| Marketing and advertising materials | 2 years |
| Routine operational notes and scheduling | 1 year |
4. How We Store Documents
Physical Documents:
- Kept in a locked file cabinet in [designated location].
- Only the owner and designated staff members have access.
- Sensitive documents (tax records, employee files, contracts) are stored separately from general operational files.
Digital Documents:
- Stored in [approved software/cloud platform, e.g., Google Drive, Dropbox Business, QuickBooks].
- Protected by strong passwords and, where possible, two-factor authentication.
- Backed up automatically at least once a week.
- Employees may not save official business records to personal devices or accounts.
5. Document Disposal
When a document reaches the end of its retention period, it must be disposed of in the following way:
- Paper documents: Shredded using a cross-cut shredder. Sensitive documents (financial records, employee files, customer information) must always be shredded, never simply thrown in the trash.
- Digital documents: Permanently deleted from all locations, including cloud backups, email attachments, and local drives.
- Vendor-handled disposal: If a third-party shredding service is used, a certificate of destruction must be obtained and kept on file for at least 3 years.
6. Legal Holds
If [Business Name] receives notice of a lawsuit, audit, or government inquiry, no documents related to that matter may be destroyed until the issue is fully resolved. The owner will notify all relevant staff immediately when a legal hold applies.
7. Who Is Responsible
- Owner/Manager: Reviews and updates this policy annually, approves all document disposals, and handles legal hold decisions.
- Employees and Contractors: Follow this policy for all records they handle and ask questions if unsure about a specific document type.
8. Policy Updates
This policy will be reviewed every year or whenever there is a significant change to the business or applicable laws.
Owner/Manager Signature: ___________________________
Date: ___________________________
Wrapping Up
A document retention policy is one of those things that seems like a formality until the day you actually need it. Whether you are facing an IRS audit, an employment dispute, or a data privacy complaint, having the right records in the right place (and having destroyed the ones you should no longer hold) can be the difference between a manageable situation and a costly one.
Pick the sample that fits your organization best, customize it with your specific details, and make sure your team knows it exists. A policy that lives only in a folder on someone’s desktop protects no one.