Record-Keeping Obligations for Licensees
Record-keeping obligations define what documents, data, and transactional histories a licensed entity must create, retain, and make available to regulators. These requirements span federal and state licensing frameworks, covering professions from healthcare and financial services to construction and transportation. Failure to maintain compliant records is a standalone violation in most regulatory schemes — independent of whether the underlying licensed activity was performed correctly — making documentation discipline a core element of compliance audit procedures for licensed entities.
Definition and scope
Record-keeping obligations are the legally mandated requirements imposed on licensees to document their activities, maintain those documents for prescribed periods, and produce them upon regulatory request. These obligations derive from multiple sources simultaneously: enabling statutes, agency regulations, licensing board rules, and in some cases contractual requirements imposed by accreditation bodies.
The scope varies by license type but typically encompasses four categories of records:
- Licensure records — original applications, examination results, credential verification documents, and renewal filings
- Transaction or service records — documentation of each regulated act performed (patient encounters, financial transactions, construction permits pulled, etc.)
- Personnel and supervision records — credentials of supervised employees, delegation logs, and training certifications tied to continuing education compliance for licensees
- Compliance and incident records — complaint logs, self-reported violations, corrective action plans, and any communications with the licensing authority
The federal baseline for many industries is set by statute. Under 26 U.S.C. § 6001, the IRS requires all persons liable for any tax to maintain sufficient records to establish that liability (IRS Publication 583). The HIPAA Privacy Rule at 45 C.F.R. § 164.530(j) requires covered entities to retain documentation of policies and procedures for six years from the date of creation or last effective date, whichever is later (HHS OCR HIPAA Regulations).
How it works
Record-keeping compliance operates as a continuous lifecycle rather than a point-in-time obligation. Regulators and licensing boards typically structure expectations across three phases:
Phase 1 — Creation. Records must be generated at or near the time of the regulated event. Back-dated or reconstructed records are treated as falsified documents in enforcement proceedings. The Securities and Exchange Commission's Rule 17a-4, for example, requires broker-dealers to preserve records in a non-rewriteable, non-erasable format, a requirement that has direct implications for electronic systems (SEC Rule 17a-4, 17 C.F.R. § 240.17a-4).
Phase 2 — Retention. Minimum retention periods differ by record type, jurisdiction, and industry. A comparison of two common frameworks illustrates the range:
| Framework | Record Type | Minimum Retention Period |
|---|---|---|
| HIPAA (45 C.F.R. § 164.530) | Privacy policies and procedures | 6 years |
| OSHA 29 C.F.R. § 1910.1020 | Employee medical and exposure records | 30 years |
| SEC Rule 17a-4 | Broker-dealer blotters | 6 years |
| DOT 49 C.F.R. § 390.31 | Driver qualification files | Duration of employment + 3 years |
Phase 3 — Production and access. Licensing boards hold statutory authority to inspect records during routine audits, complaint investigations, or targeted enforcement actions. Under the Federal Motor Carrier Safety Administration's regulations at 49 C.F.R. Part 390, carriers must make records available to authorized personnel upon request, with no advance notice required in roadside inspections (FMCSA Regulations).
Common scenarios
Healthcare providers. A licensed physician in a state with a 10-year medical records retention statute must maintain patient charts for that period even after a patient relationship ends. The state medical board — not the federal government — typically sets this floor, but HIPAA establishes a federal minimum for privacy documentation independent of clinical record rules.
Financial services licensees. A registered investment adviser under SEC jurisdiction must retain client contracts, powers of attorney, and account statements under the Investment Advisers Act of 1940, Section 204 (SEC Investment Advisers Act). State-registered advisers face parallel obligations under individual state securities statutes.
Contractors and tradespeople. General contractors holding state construction licenses are often required to retain lien waivers, subcontractor agreements, and permit documentation for a minimum of three to five years, with the exact window set by state contractor licensing boards. These records become critical in enforcement actions and disciplinary proceedings when disputes arise post-project.
Transportation and logistics. Motor carriers licensed under the FMCSA must retain hours-of-service logs under 49 C.F.R. § 395.8(k) for six months from the date of receipt. Electronic logging device (ELD) data carries the same retention window.
Decision boundaries
Understanding which retention rule applies requires resolving three threshold questions:
- Federal or state jurisdiction? When both apply, the stricter requirement governs unless federal law explicitly preempts the field. The state vs. federal licensing jurisdiction analysis is the starting point.
- Which record type is implicated? Licensure records (credentials, applications) are distinct from operational records (transaction logs) and compliance records (incident reports). Each category may carry a different retention period under the same regulatory scheme.
- Has a trigger event extended the standard period? Litigation holds, regulatory investigations, and administrative complaints suspend normal destruction schedules. Once a licensee receives notice of a complaint through the complaint and investigation process for licensees, records destruction — even of documents past their standard retention window — may constitute obstruction.
Electronic records are now subject to the same legal standards as paper under the Electronic Signatures in Global and National Commerce Act (E-SIGN), 15 U.S.C. § 7001, provided they are stored in a manner that ensures accuracy and accessibility for the required period (FTC E-SIGN guidance).
References
- HHS OCR — HIPAA Privacy Rule Regulations (45 C.F.R. § 164.530)
- SEC Rule 17a-4 — Records to be Preserved by Certain Exchange Members (17 C.F.R. § 240.17a-4)
- OSHA — Access to Employee Exposure and Medical Records Standard (29 C.F.R. § 1910.1020)
- FMCSA — Federal Motor Carrier Safety Regulations (49 C.F.R. Parts 390–395)
- IRS Publication 583 — Starting a Business and Keeping Records
- SEC — Investment Advisers Act of 1940, Section 204
- FTC — Electronic Signatures in Global and National Commerce Act (E-SIGN), 15 U.S.C. § 7001