Document retention requirements vary by state and by industry. How do you decide what to save?
What Should You Archive?
Securities brokers and dealers, for example, are required to retain all business-related communications for three years, the first two years in an accessible format. Trucking companies must keep the results of employee alcohol tests for up to five years. All businesses must retain federal payroll tax records for at least four years from the date the tax is paid.
There are currently over ten thousand federal, state and local laws and regulations addressing document retention. The most widely enforced include:
Health Insurance Portability and Accountability Act (HIPAA): HIPAA affects any organization that creates, receives or maintains healthcare information. HIPAA requires that Protected Health Information (PHI) be kept secure and archived for at least six years or two years after an individual’s death. This includes patient medical records, billing records, authorization forms from physicians, and all communications between patient and physician – basically any healthcare information that can be linked to a specific individual.
Sarbanes-Oxley Act (SOX): SOX mandates the retention of records used for financial audits and reporting for at least seven years. A record is any material containing information about the company, including plans, results, policies or performance. All records may be subject to an audit. The lack of a good records management and retention system is a red flag for auditors. Under SOX, the annual report of a company must include a review of the effectiveness of internal controls of the document management system, as well as the policies and processes of the company as a whole. The records also must be searchable and quickly made available upon request.
Organizations need a system that can be adopted in a wide range of regulatory environments. Your legal department or corporate counsel should get involved in helping to define the requirements.