How Long Should An Employer Retain Records Of Violent Incidents
You're cleaning out a storage closet and find a dusty binder labeled "Incident Reports — 2016." Your first thought: Can I toss this? Your second: *What if someone asks for it next week?
Most employers have been there. The rules around violent incident records aren't just bureaucratic red tape — they're the difference between a defensible position and a legal nightmare. And the answer to "how long" isn't a single number. It depends on where you operate, what industry you're in, and whether anyone's already called a lawyer.
What Counts as a Violent Incident Record
Let's start with what we're actually talking about. A violent incident record isn't just a police report. It's any documentation created when workplace violence occurs or is threatened — physical assaults, credible threats, harassment that escalates, domestic violence spilling into the workplace, active shooter events, even verbal threats that create reasonable fear.
The paperwork trail is wider than you think
OSHA's Form 300 log. On the flip side, workers' comp first reports of injury. Internal investigation notes. That said, witness statements. Security footage. Emails and texts about the incident. Still, disciplinary records tied to the event. Medical records (kept separately, always). That said, restraining orders filed by employees. Worth adding: threat assessment team notes. Training records showing you tried to prevent it.
All of it counts. And all of it has a clock ticking.
Why Retention Periods Matter More Than Most People Realize
Here's what most employers miss: the retention clock doesn't start when the incident happens. Which means it starts when the last action related to that incident concludes. A workers' comp claim stays open for years. A lawsuit gets filed two weeks before the statute of limitations expires. An OSHA citation triggers a document request covering five years back.
The cost of getting it wrong
Destroy records too early? That's spoliation. In practice, you're creating unnecessary privacy risks, storage costs, and discoverable material in future litigation. Adverse inference jury instructions. Think about it: default judgments. Keep them too long? Courts love sanctioning employers for spoliation. Six-figure fines. There's a sweet spot. It's narrower than you think.
How Long You Actually Need to Keep Them
The short answer: at least five years for OSHA-covered employers. But that's the floor, not the ceiling.
OSHA's baseline — five years, no exceptions
If you're required to keep OSHA 300 logs (most employers with 10+ employees), every recordable violent incident stays on the log for five years following the end of the calendar year it occurred. That means a December 2023 incident stays until January 1, 2029. The supporting documentation — witness statements, investigation notes, medical records — goes with it.
Workers' comp extends the clock
Most states require employers to retain workers' comp records for the life of the claim plus a statutory period after closure. In California, that's five years from the date of injury or one year from the date compensation was last provided, whichever is longer. But in New York, it's 18 years for permanent disability cases. Day to day, eighteen. Years.
Litigation holds override everything
The moment you reasonably anticipate litigation — a lawyer's letter, an EEOC charge, a union grievance, an employee saying "I'm going to sue" — every related record enters a legal hold. Think about it: destruction stops. Period. In real terms, violating a litigation hold is sanctions territory. I've seen employers lose cases they should have won because someone in HR shredded a file two days after a demand letter arrived.
State-specific requirements that catch people off guard
California's Cal/OSHA requires violence prevention plan records for five years and incident investigation records for the duration of employment plus five years. Healthcare employers under CMS conditions of participation? Six years minimum. Educational institutions under Clery Act? So naturally, new York's SHIELD Act implies longer retention for any records containing private information. Seven years for crime statistics, but the underlying incident reports often need to live longer.
Industry-specific landmines
Healthcare: Joint Commission standards, CMS, state health department rules — often 6-10 years.
Consider this: government contractors: FAR requirements, security clearance implications. That said, education: FERPA, Title IX, Clery Act — creates overlapping obligations. Transportation: DOT, FMCSA — accident registers have their own timelines.
Common Mistakes / What Most People Get Wrong
Treating all incidents the same
A shoving match in the break room and an active shooter event generate wildly different record types and retention needs. Lumping them together means you'll either over-retain the minor stuff or under-retain the major stuff. Categorize by severity and legal trigger.
Forgetting digital records
Security footage overwrites on a 30-day loop? Because of that, that's a policy decision — and it's discoverable. Emails auto-delete after 90 days? Even so, same problem. Practically speaking, text messages on personal phones? If they're about a workplace violence incident, they're business records. Your retention policy has to address every format.
Storing medical and exposure records with general HR files
OSHA's access to employee exposure and medical records standard (29 CFR 1910.1020) requires separate, confidential storage for 30 years. Mixing them with general incident files violates confidentiality and creates a mess during audits. Day to day, keep them separate. Always.
Assuming "paper only" means "safe to shred"
Scanned a document? The digital version is now the record. Shredded the original? But better hope your scan is legible, complete, and stored in a system that meets evidentiary standards. Courts have rejected poorly scanned records as unreliable.
No written retention schedule
"We keep things for a while" isn't a policy. It gets reviewed annually. A defensible retention schedule lists: record category, retention period, legal authority, disposal method, and responsible party. It's signed off by legal. Without it, you're guessing — and guesses don't hold up in deposition.
Practical Tips / What Actually Works
Build a tiered retention matrix
| Record Type | Minimum Retention | Trigger for Extended Hold |
|---|---|---|
| OSHA 300 Log & 301 Forms | 5 years | Workers' comp claim, lawsuit |
| Investigation Notes | 5 years post-closure | Litigation hold, regulatory inquiry |
| Witness Statements | 5 years post-closure | Same |
| Security Footage (incident-related) | 3 years minimum | Same |
| Threat Assessment Records | Duration of employment + 5 years | Same |
| Medical/Exposure Records | 30 years (OSHA 1910.1020) | N/A — statutory |
| Training Records | 3 years minimum | Same |
| Restraining Orders | Duration + 5 years | Same |
Adjust for your state. Have legal bless it. Review it every January.
Want to learn more? We recommend how many porta potties per person osha and osha ensures that employees have the right to: for further reading.
Automate the easy stuff
Set your document management system
Automate the easy stuff
A modern document‑management platform can enforce retention rules without manual intervention. Configure workflows that:
- Tag records at creation – assign a category (e.g., “Incident‑Investigation,” “Medical‑Exposure”) that automatically triggers the appropriate retention clock.
- Schedule disposition – set the system to flag records for review as they near the end of their statutory window, then route them to a designated approver for deletion or archival.
- Audit‑trail capture – enable immutable logs that record who accessed, edited, or moved a file. Those logs become part of the evidentiary record if a regulator asks how you handled disposal.
When automation is paired with a well‑documented retention matrix, the risk of “human error” drops dramatically, and you can prove compliance with a single click‑through report.
Keep the schedule alive
A retention policy is a living document. To stay defensible:
- Annual legal review – have counsel confirm that each retention period still aligns with the latest statutes, collective‑ bargaining agreements, and industry‑specific guidance.
- Trigger‑driven updates – when a new regulation is issued (e.g., a state expands the definition of “workplace violence” to include cyber‑threats), adjust the matrix before the next cycle.
- Cross‑functional sign‑off – involve HR, legal, IT security, and the safety team in the review. Their buy‑in ensures that the disposal method (shredding, secure deletion, third‑party archiving) satisfies each department’s operational needs.
Store the final schedule in a centrally accessible location, version‑controlled, and circulate a one‑page cheat sheet to all managers.
Integrate with incident‑response workflows
Instead of treating record‑keeping as an after‑the‑fact chore, embed it into the response process:
- Initial reporting – require the reporter to select a retention bucket (e.g., “Standard Incident” vs. “Escalated Threat”) at the moment they log the event.
- Escalation triggers – when a case moves from “preliminary inquiry” to “formal investigation,” the system automatically extends the retention period for all related files.
- Closure checklist – before a case is marked “closed,” prompt the investigator to verify that every supporting document has been indexed, stored in the correct repository, and that the retention clock has been started.
When retention decisions flow from the incident workflow, they become a natural part of the investigation rather than an add‑on.
Conduct mock audits
Periodically simulate a regulator’s request:
- Pull a random sample of records across categories.
- Verify that each file resides in the correct retention tier, that the expiration date matches the schedule, and that disposal actions are logged.
- Document any gaps and feed the findings back into the retention matrix and automation rules.
Mock audits expose hidden weaknesses—such as a forgotten email archive or a mis‑tagged medical record—before a real inspection does.
Train the front‑line
Even the best system fails if the people who create records don’t understand the rules. Tailor training to each role:
- Supervisors – focus on proper classification at the point of intake and on initiating escalation when a situation meets a legal threshold.
- HR generalists – stress the 30‑year statutory requirement for medical and exposure records and the need to keep those files separate from general personnel files.
- IT staff – cover secure deletion standards, encryption of archived footage, and the importance of preserving metadata for evidentiary integrity.
Reinforce the training with short, scenario‑based quizzes that mirror real incidents your organization has faced.
Conclusion
A defensible record‑keeping program is not a static checklist; it is a dynamic, layered system that aligns legal obligations with everyday business practice. In doing so, companies protect themselves from regulatory penalties, litigation exposure, and reputational damage, while also demonstrating a culture of accountability that resonates with employees, regulators, and the public alike. A well‑maintained retention matrix, bolstered by automation, regular legal review, and cross‑functional ownership, ensures that records are kept exactly as long as the law demands and no longer, and that they can be produced quickly, accurately, and with a clear audit trail when needed. Practically speaking, by categorizing incidents by severity, treating every format—paper, digital, audio, or video—with equal rigor, and by embedding retention rules into the tools and workflows that employees already use, organizations can transform what was once a compliance headache into a strategic asset. The result is a resilient documentation framework that safeguards both the organization and the people it serves.
Latest Posts
Brand New Stories
-
Occupational Health And Safety Masters Programs
Jul 12, 2026
-
1500 Main Street Suite 1400 Springfield
Jul 12, 2026
-
What Is A Trench In Construction
Jul 12, 2026
-
What Are Examples Of Bloodborne Pathogens
Jul 12, 2026
-
What Is Not A Physical Hazard Category
Jul 12, 2026
Related Posts
Interesting Nearby
-
How Does Osha Enforce Its Standards
Jul 06, 2026
-
Osha Standards For Construction And General Industry
Jul 06, 2026
-
Osha Requirements For First Aid Kits
Jul 06, 2026
-
Is The Osha Cert Different From The Card
Jul 06, 2026
-
Osha Requirement For First Aid Kits
Jul 06, 2026