Document Retention: OSHA, DOT & HIPAA Record Rules

Quick Answer

Federal law requires personnel files to be kept for at least 1 year after termination (Title VII, ADA). However, many states require longer: California requires 4 years after termination, and best practice is 7 years after termination to cover most statute of limitations periods for employment lawsuits.

Last reviewed · By Chad Griffith

Chad Griffith, Founder & CEO

FileFlo — AI compliance document intelligence for DOT, OSHA, and EPA regulated businesses.

This guide covers document retention under the OSHA, DOT, and HIPAA record rules. Whether you're a safety manager, compliance officer, or operations director, understanding compliance requirements is critical to avoiding costly fines and failed audits.

FileFlo's AI-powered compliance platform helps companies in regulated industries automate document tracking, expiration alerts, and audit preparation. Start your 5-day free trial at app.getfileflo.com.

Frequently Asked Questions

How long must compliance documents be retained?

Retention varies by regulator and document type. FMCSA DQF: while employed + 3 years after termination (49 CFR 391.51). MVR: 3 years from pull date. HOS records: 6 months. Drug & alcohol testing: 5 years (some lifetime per 382.401). HIPAA records: 6 years from creation OR last effective date (45 CFR 164.530(j)). OSHA 300/300A: 5 years from year of occurrence (1904). I-9: 3 years from hire OR 1 year from termination (whichever is later). Tax records: 7 years (IRS). Litigation hold: indefinite during active litigation.

What's the longest retention period I'll face?

Litigation hold (indefinite during active litigation), then SOX/audit-related (7 years), then HIPAA/HHS (6 years), then OSHA (5 years for most categories). Carrier insurance companies may require records for the duration of the policy + the carrier's contractual liability tail. Healthcare malpractice statute of limitations varies by state but is typically 3-7 years post-treatment.

Can I destroy compliance documents after retention period expires?

Yes, with caveats. (1) Confirm no active litigation hold. (2) Destruction must be documented (date, method, witness/authorizer) for compliance proof. (3) Some records have separate destruction documentation requirements (HIPAA PHI destruction logs per 45 CFR 164.310). (4) Destroy by methods preventing recovery (cross-cut shredding, certified e-waste destruction). Don't destroy a record that another regulator might need just because one regulator's retention period has expired.

What's the penalty for not retaining compliance documents?

Recordkeeping violations are typically classified as serious by regulators. FMCSA: $1,496 per missing document under 49 CFR 386 (2026). OSHA: $16,131 serious / $161,323 willful per missing record under 1903.15. HIPAA: tiered penalty $137-$2,067,813 per violation category (45 CFR 102 2026). FDA recordkeeping (21 CFR Part 11) violations can be cited per missing record.

Does FileFlo handle retention schedules?

Yes. FileFlo's rule-packs include retention schedules per regulator (FMCSA, OSHA, HIPAA, FDA, state cannabis, FERPA, IRS), per document type. Documents auto-flag as retention-period-met but never auto-delete (litigation hold safety). Bulk export-and-destroy workflow with destruction log generation. Per-regulator audit binder includes retention attestation.

Ready to automate your compliance?

FileFlo tracks 85+ document types across OSHA, DOT, HIPAA, and state regulations. $299/month, unlimited users.