
Create Your HR Data Retention Schedule: 7 Steps to Compliance
How a Regional Healthcare HR Team Built a Compliant Data Retention Schedule in 7 Steps — and Passed a Federal Audit
- Organization: Regional healthcare system, ~400 employees across three states
- HR Lead: Sarah, HR Director
- Constraints: Multi-state regulatory exposure, HIPAA obligations, aging HRIS with no native retention automation
- Problem: No formal retention schedule; records kept indefinitely by default; federal wage-and-hour audit imminent
- Approach: Seven-step structured rebuild of retention policy, followed by automation of archive and disposal triggers
- Outcomes: Federal audit gap closed; 6 hours/week of manual archive work eliminated; three years of non-obligatory records purged; breach-surface area materially reduced
Sarah’s team had what most HR departments have: records everywhere, no clear rules about when to delete anything, and a general assumption that keeping everything was safer than deleting anything. That assumption is wrong — and a pending federal wage-and-hour review made the cost of being wrong very concrete, very fast. This case study documents exactly how the team rebuilt their HR data retention and archiving framework across seven steps, what they found along the way, and what the outcomes looked like twelve months later. It sits within a broader HR data governance framework that treats retention as one operational layer in a larger compliance architecture.
Context and Baseline: What “No Schedule” Actually Looks Like
Sarah’s team was not negligent. They were typical. When we mapped their records environment at the start of the engagement, here is what we found:
- Employee files going back to 2011 stored in a shared drive with no folder-level access controls
- Application materials — including pre-employment screening results — for filled positions dating back four years, with no legal basis for retention beyond twelve months in their primary state
- Payroll records and W-2 documentation kept in three separate systems with inconsistent file naming, making audit retrieval a multi-hour manual exercise
- Physical I-9 forms stored in an unlocked filing cabinet in an HR office accessible to non-HR staff
- No documented disposal procedure for any record type
The pending federal audit focused on wage-and-hour records under FLSA — a three-year retention requirement for payroll records and a two-year requirement for time-and-pay records. The team had the records. They could not produce them efficiently, and they could not demonstrate that nothing had been improperly altered or deleted. That combination — records present but governance absent — is exactly the kind of gap that turns a routine audit into a prolonged investigation.
SHRM guidance is explicit: retention schedules must specify both the retention period and the disposal method for each record category. Sarah’s team had neither for most of their data types.
Step 1 — Legal and Regulatory Audit
Before touching a single file, the team needed to know what the law actually required. This step is not optional and it is not something HR should do alone.
Sarah engaged outside employment counsel to produce a jurisdiction-specific retention matrix covering all three states where the organization employed people. The matrix documented:
- Federal baseline requirements (FLSA, ADEA, HIPAA, ERISA, Title VII, ADA) with specific retention periods by record type
- State-specific extensions — two of their three states extended payroll record requirements beyond the federal three-year minimum
- GDPR applicability for any data collected from employees who were EU nationals on work authorization
- HIPAA-specific requirements for health-related benefit records and medical leave documentation, which carry a six-year retention floor under the Privacy Rule
The legal audit took three weeks. It surfaced two immediate surprises: one state required performance review records to be kept for four years post-termination — not the one year the team had assumed — and HIPAA created a separate, longer retention track for a subset of records the team had been filing alongside standard personnel records without differentiation.
The output of this step was a legal requirements matrix: a spreadsheet with record type, applicable law, retention period, start-date anchor, and the name of the counsel who confirmed the requirement. That matrix became the source of truth for every subsequent step.
Step 2 — Data Inventory Across All Systems and Formats
A retention schedule governs data you have mapped. Data you have not mapped governs itself — which means it accumulates indefinitely.
Sarah’s team conducted a full inventory across:
- The primary HRIS (active employee records, benefit enrollment, performance data)
- The applicant tracking system (candidate applications, interview notes, offer letters, pre-employment screening results)
- The payroll platform (pay stubs, tax filings, garnishment records)
- Email archives (termination correspondence, accommodation requests, disciplinary communications)
- Shared drives (performance improvement plans, exit interview notes, policy acknowledgments)
- Physical files (I-9 forms, signed offer letters, benefits enrollment paper forms)
The inventory required four weeks and surfaced 23 distinct record categories — nearly double what the team had estimated. McKinsey Global Institute research consistently finds that organizations manage far more data than they have mapped; Sarah’s team was not an outlier.
Each record category was tagged with: system of record, format (digital or physical), current custodian, and estimated volume. This inventory became the row structure for the retention schedule in Step 3.
Step 3 — Define Retention Periods with Explicit Start-Date Anchors
This is where most retention schedules fail. A rule that says “keep payroll records for seven years” is not operational. A rule that says “keep payroll records for seven years from the end of the fiscal year in which the record was created” is operational — because it creates a calculable end date.
For each of the 23 record categories, the team defined:
- Retention period: The legal minimum, plus any business-justified extension (documented and time-limited)
- Start-date anchor: The specific event that starts the clock (date of hire, date of termination, date of last payroll transaction, date the position was filled, end of plan year)
- Calculated end date: Start date + retention period = disposition date, which could be mapped to a field in the HRIS
- Legal basis: Reference to the specific law or regulation driving the period, linked to the legal matrix from Step 1
The team also made a deliberate decision: where there was no legal or documented business requirement to keep records beyond the legal minimum, the retention period would equal the legal minimum — not “until further notice.” That decision directly addressed data minimization in HR records, a GDPR principle that also reduces breach exposure for any organization regardless of whether GDPR applies to them.
This step produced the core retention schedule: a 23-row matrix with legally defensible periods and calculable end dates for every record category the team managed.
Step 4 — Develop Archiving and Disposal Protocols
Retention ends in one of two ways: archive or destroy. The team defined both paths for every record category, with specific methods for digital and physical formats.
Archiving protocol: Records that had met their active retention period but remained within their total retention window moved to a designated archive environment — a separate folder structure in their document management system with restricted access — with a documented retrieval process. HIPAA-covered records moved to a HIPAA-compliant cloud archive with encryption at rest and in transit.
Disposal protocol: At end-of-retention, digital records were permanently deleted using the platform’s secure deletion function, with a system-generated confirmation log. Physical records were shredded by a certified third-party vendor who issued a certificate of destruction for each batch. No record was disposed of without a logged entry specifying: record category, date of disposal, method, and the name of the person who authorized the action.
The audit trail requirement is not optional. Gartner research on data governance consistently identifies undocumented disposal as a primary regulatory exposure point — regulators do not accept verbal confirmation that records were deleted.
Legal hold procedures were also documented at this stage: a written legal hold notice process, a system flag in the HRIS to exempt flagged records from automated disposition, and a hold-release procedure requiring written sign-off from legal counsel.
Step 5 — Formalize the Schedule as a Written Policy
The retention matrix and protocols from Steps 1–4 were formalized into a single written policy document. That document included:
- Scope statement (what record types and systems are covered)
- Roles and responsibilities (who owns each record category, who authorizes disposition, who manages legal holds)
- The 23-category retention matrix with periods, anchors, and legal basis
- Archiving and disposal procedures for digital and physical records
- Legal hold process
- Review cadence (quarterly check-in, annual full review)
- Approval signatures from HR Director, General Counsel, and CFO
The policy was stored in the document management system with version control enabled. Every subsequent update would be tracked with a date and description of the change — a requirement for demonstrating compliance history to regulators.
This is also where the policy was connected to the team’s broader HR tech data governance audit checklist, ensuring that annual technology audits would include a review of whether the retention schedule was being implemented correctly across all systems.
Step 6 — Automate Archive and Disposal Triggers
A written policy is not a working system. Sarah’s team had a written policy before this engagement — it just was not enforced because enforcement depended on someone remembering to run a manual review every quarter. No one did.
The automation work connected calculated disposition dates from the retention schedule to workflow triggers in the HR automation platform. For each record category with a calculable end date anchored to an HRIS field, an automated workflow was configured to:
- Fire a review notification to the record custodian 90 days before disposition date
- Check for any active legal hold flag on the record
- If no hold: route the record to the appropriate archive path or flag it for disposal authorization
- Generate a disposition log entry upon completion
Physical records were handled with a modified version of the same process: the automation triggered a notification to the physical records custodian with a batch list for that quarter’s shredding cycle.
Automating HR data governance workflows at this level requires clean date fields in the HRIS — which the team did not fully have at the start. A data-cleaning sprint before automation build was necessary to ensure that termination dates, hire dates, and plan-year-end fields were populated consistently. Parseur research estimates manual data handling overhead at roughly $28,500 per employee per year when errors and rework are included — the data-cleaning cost paid for itself in the first quarter of automated operation.
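The date arithmetic from Step 3 and the trigger logic from Step 6, as an added example that is not the team's actual workflow or any HRIS vendor's API: field names, action labels, the sample rule and the records are constructed, and the fiscal year is assumed to equal the calendar year. A record with an unpopulated anchor date, the data-quality problem described above, is routed to an exception instead of being disposed of.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

REVIEW_LEAD = timedelta(days=90)  # Step 6: custodian notice 90 days ahead

@dataclass(frozen=True)
class Rule:
    """One row of the retention matrix (hypothetical field names)."""
    category: str
    years: int
    anchor_field: str           # HRIS date field that starts the clock
    anchor_to_year_end: bool    # clock starts at the end of that year
    legal_basis: str

def disposition_date(rule: Rule, record: dict) -> Optional[date]:
    """Start-date anchor + retention period; None if the anchor is unpopulated."""
    anchor = record.get(rule.anchor_field)
    if anchor is None:
        return None
    if rule.anchor_to_year_end:  # assumption: fiscal year == calendar year
        anchor = date(anchor.year, 12, 31)
    try:
        return anchor.replace(year=anchor.year + rule.years)
    except ValueError:           # Feb 29 anchor landing in a non-leap year
        return anchor.replace(year=anchor.year + rule.years, day=28)

def evaluate(rule: Rule, record: dict, today: date) -> dict:
    """Return the disposition log entry for one record on a given run date."""
    due = disposition_date(rule, record)
    if due is None:
        action = "data_quality_exception"    # fail closed: never dispose
    elif record.get("legal_hold", False):
        action = "exempt_legal_hold"         # hold flag overrides the schedule
    elif today >= due:
        action = "flag_for_disposal_authorization"
    elif today >= due - REVIEW_LEAD:
        action = "notify_custodian"
    else:
        action = "retain"
    return {"record_id": record["id"], "category": rule.category,
            "legal_basis": rule.legal_basis, "disposition_date": due,
            "run_date": today, "action": action}

# Constructed sample data; the rule mirrors the "seven years from fiscal year end" wording.
PAYROLL = Rule("payroll", 7, "created", True, "placeholder: legal matrix row")
RECORDS = [{"id": "r1", "created": date(2016, 3, 14)},
           {"id": "r2", "created": date(2016, 3, 14), "legal_hold": True},
           {"id": "r3", "created": date(2017, 6, 1)},
           {"id": "r4", "created": None}]
```

Running `evaluate` over `RECORDS` on a scheduled date yields one log entry per record, which is the artifact the quarterly disposition log review would read.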
For a deeper look at how automation applies across the broader governance stack, the automating HR data governance workflows guide covers the full architecture.
Step 7 — Train, Communicate, and Establish a Review Cadence
A policy no one knows about is not a policy. Sarah’s team conducted three training sessions: one for all HR staff covering what the policy required of them, one for managers covering their obligations around record creation and retention for department-level documents, and one for IT covering the technical implementation and their role in supporting the archive and disposal workflows.
Training was documented with attendance records and a brief knowledge check — not because the organization expected a quiz, but because demonstrating that training occurred is itself a compliance artifact.
The quarterly review cadence was added to the HR governance calendar as a recurring agenda item — not a separate project. Each quarterly check-in covered:
- Any regulatory changes published in the prior 90 days affecting any jurisdiction where the organization employs people
- Any new record categories created by new HR technology or business processes
- Disposition log review to confirm automated workflows had fired correctly
- Legal hold status review
Harvard Business Review research on data governance consistently identifies the absence of ownership and review cadence — not the absence of policy — as the primary reason governance programs fail. Sarah’s team built the cadence into the calendar before the policy was published, not after.
Results: What Changed After Twelve Months
- Federal audit outcome: Wage-and-hour records produced within two hours; audit closed with no findings
- Manual archive work eliminated: 6 hours per week reclaimed by Sarah and her team
- Records purged: Three years of non-obligatory records across four categories deleted, reducing total data volume by 34%
- Breach-surface reduction: Estimated by their cyber insurer as a material risk reduction, reflected in renewal terms
- Policy violations found in quarterly reviews: Two edge cases caught and corrected in the first year before they became compliance gaps
The audit outcome was the most immediate validation. The team did not just survive the audit — they produced records with enough metadata integrity that the reviewing investigator noted the organization appeared to have “robust records management practices.” That language mattered when the investigator’s report was filed.
Lessons Learned: What We Would Do Differently
Transparency about what did not go perfectly is how case studies become useful rather than promotional.
Start the data inventory before engaging legal counsel. We ran both in parallel, which created rework when the legal matrix required record categories the inventory had not yet surfaced. The inventory should be complete — or at least 80% complete — before the legal audit begins, so counsel can provide guidance on categories that actually exist in your environment.
Budget for HRIS data cleaning before automation build. The disposition date calculations depended on clean date fields. We underestimated the cleaning effort by approximately two weeks. Organizations with older HRIS implementations or recent migrations should add a data-quality sprint to the project plan before committing to an automation build timeline. The HR data quality guide covers this in detail.
Physical records need their own workflow, not a footnote. The physical records process was treated as secondary throughout most of the project and required a separate sprint to operationalize properly. If your organization retains any physical HR records — and most do, particularly I-9 forms — design the physical workflow with the same rigor as the digital workflow from day one.
The review cadence needs an owner, not just a calendar entry. Quarterly reviews work when someone is accountable for running them. Assign a named owner — not “HR leadership” — who is responsible for preparing the agenda and tracking action items. Diffuse ownership is the same as no ownership.
Applying This to Your Organization
Sarah’s team operated in a regulated healthcare environment with multi-state complexity. The seven steps apply regardless of industry or organization size — the legal matrix will look different, the number of record categories will vary, and the automation tooling will depend on your existing tech stack — but the sequence is the same.
The critical insight is the one that runs through every step: a retention schedule is not a document. It is an automated operational system backed by a document. The document creates accountability. The automation creates consistency. Neither works without the other.
For organizations building this capability from scratch, the mastering HR data retention requirements guide provides the regulatory reference framework. For organizations looking at the broader governance architecture that retention fits into, the HRIS data governance policy guide covers the structural layer above the retention schedule. And if you have not yet quantified what unmanaged data costs — in breach risk, regulatory exposure, and operational overhead — the analysis in hidden costs of poor HR data governance will make the business case for you.
The organizations that get this right are not the ones with the most sophisticated technology. They are the ones that treated the seven steps as an operational project — not a compliance exercise — and built the review cadence before they needed it.