Data Retention and Disposal Standards in the US

Data retention and disposal standards govern how long organizations must preserve specific categories of records and the methods by which those records must be destroyed once the retention period expires. In the United States, these requirements are fragmented across federal statutes, sector-specific regulations, and state-level laws, creating compliance obligations that vary by industry, data type, and organizational size. Failure to meet these standards exposes organizations to regulatory penalties, litigation risk, and reputational harm across sectors from healthcare to financial services. Professionals navigating this landscape can explore the broader data protection service sector to identify practitioners and compliance resources by specialty.


Definition and scope

Data retention refers to the defined period during which an organization must keep records in an accessible and auditable state. Data disposal — sometimes called data destruction or sanitization — refers to the verified elimination of data in a manner that prevents reconstruction or unauthorized recovery. Together, these two obligations form the lifecycle bookends of any data governance program.

The regulatory scope in the US is multi-layered, combining federal statutes, sector-specific regulations, state laws, and the technical standards those rules reference for implementation.

On the technical-standards layer, NIST SP 800-53 Rev. 5 addresses retention and disposal through the AU (Audit and Accountability), MP (Media Protection), and SI (System and Information Integrity) control families, in particular AU-11 (Audit Record Retention), MP-6 (Media Sanitization), and SI-12 (Information Management and Retention). These controls set the baseline for federal information systems and are widely adopted by private-sector organizations subject to FedRAMP or FISMA obligations.


How it works

A compliant data retention and disposal program operates across four discrete phases:

  1. Data inventory and classification — Organizations map data assets to regulatory categories. Records are tagged by type (financial, health, personnel, contractual), applicable regulation, and sensitivity level. Without an accurate inventory, retention schedules cannot be applied consistently.

  2. Retention schedule assignment — Each data category is assigned a minimum retention period derived from the applicable statute or regulatory guidance. Where multiple regulations overlap — for example, a healthcare organization subject to both HIPAA and state medical records laws — the longer period controls unless a specific statute preempts.

  3. Legal hold integration — When litigation, audit, or regulatory investigation is reasonably anticipated, a legal (litigation) hold supersedes the standard retention schedule and suspends destruction until the hold is released. The Federal Rules of Civil Procedure (FRCP) set the stakes: Rule 26 defines the scope of discoverable material, and Rule 37(e) authorizes sanctions, up to an adverse-inference instruction or default judgment, against a party that fails to preserve electronically stored information it should have kept. Hold status therefore has to be checked before every scheduled disposal run, not only at schedule assignment.

  4. Secure disposal and verification — At expiration, records must be destroyed using methods appropriate to the media type. NIST SP 800-88 Rev. 1 (Guidelines for Media Sanitization) defines three sanitization levels: Clear (logical techniques such as overwriting with non-sensitive data), Purge (cryptographic erase, degaussing, or media-specific purge commands such as ATA Secure Erase), and Destroy (shredding, disintegration, incineration, or pulverization, also used for media that cannot be reliably purged). The chosen level depends on the data's sensitivity classification and on whether the media will leave organizational control, and 800-88 expects the result to be verified, not merely performed. Destruction must be documented with certificates of disposal for auditable proof.
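As an added worked example (not code from the original page), the following Python script walks a single record through the four phases just described: a classification tag, overlapping retention rules where the longest period controls, a legal hold that suspends destruction, and a sanitization level chosen by media and sensitivity, plus a certificate-of-disposal record. It also models the consumer deletion request discussed later under Decision boundaries, which can trigger disposal before schedule expiry unless a legal retention floor still applies. The category names, the retention years attached to them, the Clear/Purge/Destroy decision table, and the sample records are constructed assumptions for illustration; real schedules must come from counsel and the full NIST SP 800-88 decision flow.

```python
"""Retention-and-disposal policy evaluator (added illustration, not an
official implementation). Rules, categories and decision table are
assumptions; validate against counsel and NIST SP 800-88 before use."""
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import date
import hashlib
import json


@dataclass
class Record:
    record_id: str
    category: str                      # phase 1: classification tag
    created: date
    media: str                         # "paper", "hdd", "ssd", "cloud_object"
    sensitivity: str                   # "low" | "moderate" | "high"
    legal_holds: list = field(default_factory=list)   # phase 3: open matters
    deletion_requested: bool = False   # e.g. a verified CCPA deletion request
    leaves_org_control: bool = True    # will the media leave the organization?
    processors: list = field(default_factory=list)    # downstream service providers


# Phase 2: overlapping rules per category as (source, years). Constructed
# illustration keyed to the regulations named on this page; the longest
# period controls.
RETENTION_RULES = {
    "audit_workpapers": [("SOX s.802 / SEC Rule 2-06", 7), ("PCAOB AS 1215", 7)],
    "health_record": [("HIPAA documentation, 45 CFR 164.316", 6),
                      ("state medical-records law (assumed)", 7)],
    "personnel": [("EEOC 29 CFR 1602.14", 1)],
    "payroll": [("FLSA 29 CFR 516", 3)],
}


def add_years(d: date, years: int) -> date:
    """Calendar-accurate year addition; Feb 29 rolls back to Feb 28."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


def retention_expiry(record: Record) -> tuple:
    """Longest applicable period wins; returns (expiry date, controlling source)."""
    source, years = max(RETENTION_RULES[record.category], key=lambda r: r[1])
    return add_years(record.created, years), source


def sanitization_method(record: Record) -> str:
    """Map media and sensitivity onto NIST SP 800-88 Clear / Purge / Destroy.
    Simplified decision table (an assumption), not the full 800-88 flowchart."""
    if record.media == "paper":
        return "Destroy (cross-cut shred)"
    if record.sensitivity == "high" and record.leaves_org_control:
        return "Destroy"
    if record.sensitivity != "low" or record.leaves_org_control:
        return "Purge (cryptographic erase / Secure Erase / degauss)"
    return "Clear (overwrite; reuse inside the organization only)"


def evaluate(record: Record, today: date) -> dict:
    """Decide RETAIN / HOLD / DISPOSE for a record as of `today`."""
    expiry, source = retention_expiry(record)
    if record.legal_holds:  # phase 3: an open hold always suspends destruction
        return {"action": "HOLD",
                "reason": "legal hold(s): " + ", ".join(record.legal_holds)}
    if today < expiry:
        # A deletion request does not override a legal retention floor
        # (CCPA s.1798.105(d) exempts data kept to meet a legal obligation).
        prefix = "deletion request deferred; " if record.deletion_requested else ""
        return {"action": "RETAIN",
                "reason": f"{prefix}{source} requires retention until {expiry}"}
    decision = {"action": "DISPOSE", "method": sanitization_method(record),
                "reason": "retention period expired"}
    if record.deletion_requested:
        decision["reason"] = "consumer deletion request; retention floor met"
        decision["notify"] = list(record.processors)  # cross-system disposal
    return decision


def certificate_of_disposal(record: Record, decision: dict,
                            performed_by: str, when: date) -> dict:
    """Phase 4 evidence: a digest-sealed disposal record for the audit file."""
    cert = {"record_id": record.record_id, "category": record.category,
            "media": record.media, "method": decision["method"],
            "performed_by": performed_by, "date": when.isoformat()}
    canonical = json.dumps(cert, sort_keys=True).encode()
    cert["digest"] = hashlib.sha256(canonical).hexdigest()
    return cert


if __name__ == "__main__":
    # Constructed sample: 2017 audit workpapers on paper, evaluated in 2025.
    wp = Record("WP-2017-0042", "audit_workpapers", date(2017, 3, 15), "paper", "moderate")
    decision = evaluate(wp, date(2025, 1, 10))
    print(decision)
    if decision["action"] == "DISPOSE":
        print(certificate_of_disposal(wp, decision, "records-mgmt", date(2025, 1, 10)))
```

The evaluator is deliberately order-sensitive: the hold check runs before the schedule check so that an expired record under hold is never queued for destruction, and the deletion-request branch only reaches disposal once every applicable retention floor has passed. The certificate digest is computed over a canonical JSON serialization so two runs over the same inputs produce the same evidence record.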


Common scenarios

Healthcare provider records — HIPAA itself does not set a retention period for medical records; its 6-year minimum (45 C.F.R. § 164.316(b)(2)) applies to required documentation such as policies, procedures, and compliance records. Retention of the patient record is governed by state law: in California, hospitals must keep records for at least 7 years after discharge, and a minor's record for at least one year after the patient turns 18, i.e. until age 19, whichever is longer (California Health & Safety Code § 123145). When storage media holding electronic health records is decommissioned, NIST SP 800-88 Purge- or Destroy-level sanitization is the method HHS guidance references for rendering ePHI unusable and unreadable.

Financial services audit files — A public accounting firm retains audit workpapers for 7 years under Sarbanes-Oxley § 802 (implemented by SEC Rule 2-06, 17 C.F.R. § 210.2-06) and PCAOB Auditing Standard 1215. No federal rule prescribes a shred particle size; a common practice for confidential financial paper is cross-cut or micro-cut shredding that meets DIN 66399 security level P-4 or higher.

Federal contractor records — Organizations handling Controlled Unclassified Information (CUI) under NIST SP 800-171 must sanitize or destroy system media containing CUI before disposal or release for reuse (requirement 3.8.3), consistent with NIST SP 800-88. Meeting this requirement is a prerequisite for a Defense Federal Acquisition Regulation Supplement (DFARS) 252.204-7012 compliant posture.

Employee personnel records — Equal Employment Opportunity Commission (EEOC) regulations require employers to retain personnel records for 1 year from the date the record was made or the personnel action was taken, whichever is later (29 C.F.R. § 1602.14); payroll records must be retained for 3 years under the Fair Labor Standards Act (29 C.F.R. § 516).


Decision boundaries

The threshold questions for determining which standards apply involve data type, industry sector, jurisdictional reach, and media form. The comparison below illustrates how requirements diverge across two common categories:

Factor                   | Health Records (HIPAA)                                         | Financial Audit Records (SOX)
Minimum retention        | 6 years for required documentation (45 C.F.R. § 164.316);      | 7 years (SEC Rule 2-06; PCAOB AS 1215)
                         | medical records themselves follow state law                    |
Governing body           | HHS / OCR                                                      | SEC / PCAOB
Disposal standard        | NIST SP 800-88, referenced in HHS guidance on rendering ePHI   | No federal media-specific standard; NIST SP 800-88 recommended
                         | unusable (not mandated by the rule text)                       |
Litigation hold trigger  | Reasonably anticipated litigation; FRCP Rules 26 and 37(e)     | Same, plus SEC subpoena authority

When state law imposes a longer retention period than federal law, the longer period governs absent federal preemption. When a record falls under two federal frameworks simultaneously — for example, a federally insured hospital subject to both HIPAA and CMS Conditions of Participation — the more stringent requirement controls at each point of compliance.

Organizations unsure which framework governs a specific data category should consult the sector-by-sector regulatory mapping, or review the "how to use this data protection resource" page for navigational guidance.

The boundary between retention and disposal is not merely temporal. Disposal is triggered not only by schedule expiration but also by system decommission events, vendor contract termination, and data subject deletion requests under applicable state privacy laws. Under the CCPA, for instance, a verified consumer deletion request (Cal. Civ. Code § 1798.105) must be acted on within the 45-day response window of § 1798.130(a)(2), and the business must direct its service providers and contractors to delete the same data — a cross-system disposal obligation that standard retention schedules do not automatically address. The request does not override a legal retention floor: § 1798.105(d) lets the business keep data it needs to comply with a legal obligation, so the minimum retention period and any legal hold must be checked before deletion proceeds.

