
Understanding invoice storage and retention rules in the U.S.
Keeping the right invoice records for the right length of time is a critical part of tax compliance in the U.S. The challenge for businesses is there’s no single nationwide standard. Businesses must navigate a patchwork of federal, state, industry-specific, and judicial rules — many of which overlap or conflict.
This article highlights key invoice retention requirements, explains how broader corporate and industry laws apply, reviews the role of frameworks such as the Streamlined Sales and Use Tax Agreement (SSUTA) and the Digital Business Networks Alliance (DBNAlliance), and considers how U.S. courts view invoice records.
Key takeaways
- U.S. invoice retention is governed by a mix of federal, state, and industry-specific rules.
- Federal rules vary — the IRS generally requires 3 years, FAR requires 3–4 years, and SOX requires 7 years for audit evidence.
- Healthcare invoices differ. If invoices include Protected Health Information, HIPAA rules apply — often requiring 6–10 years of secure retention.
- Frameworks don’t set retention rules: SSUTA and DBNAlliance streamline tax and e-invoicing processes but leave storage/archiving requirements to state and federal law.
Federal-level requirements
Several U.S. federal agencies and statutes establish how long invoices and related financial records must be stored:
- Federal Acquisition Regulation (FAR): Contractors must retain accounts receivable and payable invoices and related documents for four years. Federal grant recipients must keep all award-related financial records — including invoices — for three years from the date of the final financial report, with exceptions for litigation or property management.
- Internal Revenue Service (IRS): Businesses are generally required to keep invoices and other records supporting tax filings for three years. Specific cases extend the timeline — seven years if claiming a loss for bad debt or worthless securities, six years if underreporting more than 25% of income, and indefinitely in cases of fraud or failure to file.
- Consumer protection and electronic records laws: Various federal regulations require businesses to retain compliance documentation, often between two and five years, depending on the statute. The E-Sign Act provides that electronic records have the same legal effect as paper records if they remain accurate, accessible, and reproducible.
- Industry-specific statutes: Regulations like HIPAA, federal labour laws, and Sarbanes-Oxley (detailed below) impose additional retention and control obligations, in some cases extending retention to seven years or longer.
Sarbanes-Oxley (SOX): How financial reporting rules affect invoices
The Sarbanes-Oxley Act (SOX) was passed after corporate scandals at Enron and WorldCom. While not an “invoice law,” SOX has a major impact on how invoices must be stored and controlled by public companies and their auditors.
Scope of SOX
SOX applies to public companies registered with the SEC, their auditors, and often subsidiaries. Its purpose is to protect investors by ensuring the accuracy and integrity of financial reporting. Invoices fall under SOX because they are primary evidence of revenues and expenses.
Key provisions affecting invoices
- Section 802: Criminalises altering or destroying records, including invoices, with intent to impede investigations. Requires auditors to retain audit workpapers and supporting records (invoices included) for seven years.
- Section 404: Requires management and auditors to certify the effectiveness of internal controls. Since invoices drive revenue and expense recognition, companies must ensure they are securely stored, retained, and accessible for compliance testing.
- Section 103: The Public Company Accounting Oversight Board (PCAOB) requires auditors to test whether companies retain sufficient documentation to support financial statements. Invoices are routinely sampled during audits.
Practical requirements
The retention period is at least seven years for invoices forming part of the audit evidence trail. Many companies extend this to all invoices to simplify compliance. E-invoices are a valid format if they are secure, accessible, and tamper-resistant.
The following controls are required:
- Access restrictions for authorised personnel only
- Audit trails tracking creation, modification, or deletion
- Backups and disaster recovery measures
- Integrity safeguards (e.g., write-once storage, encryption)
Bottom line under SOX
The location of storage is flexible — invoices don’t have to be kept in the U.S. What matters is how they are stored: securely, unalterably, and with guaranteed accessibility for audits and investigations.
HIPAA: Invoices containing health information
Healthcare providers, insurers, and their business associates face additional obligations when invoices include Protected Health Information (PHI), such as patient names, treatment codes, insurance IDs, or service dates. While the Health Insurance Portability and Accountability Act (HIPAA) does not regulate invoices as accounting documents, it does regulate any invoice that contains PHI, such as patient billing statements or insurance claim summaries.
Scope of HIPAA
HIPAA does not apply to ordinary vendor invoices. If an invoice includes PHI, it becomes subject to HIPAA’s Privacy and Security Rules.
Core HIPAA requirements for invoices with PHI
- Privacy Rule (45 CFR §164.530): Requires billing invoices to include only the minimum necessary PHI, restricts access to authorised staff, and mandates safeguards to protect confidentiality.
- Security Rule (45 CFR §§164.302–318): Applies to electronic PHI (ePHI). Requires:
  - Access controls (unique logins, role-based permissions)
  - Audit controls (logs of who accessed invoices and when)
  - Integrity controls (preventing improper alteration or deletion)
  - Transmission security (encryption when sharing invoices electronically)
Retention requirements
HIPAA requires covered entities to retain HIPAA-related policies and procedures for six years. For medical billing records, HIPAA defers to state law and federal programme rules:
- Many states require 6–10 years of retention; some extend retention for minors until adulthood plus several years.
- Medicare/Medicaid rules require hospitals to keep billing/financial records for at least five years.
Practical requirements
E-invoices are allowed but must meet HIPAA Security Rule standards (encryption, audit trails, access controls). Paper invoices must be physically secured, with restricted access.
The required retention period is at least six years but aligns with stricter state or Medicare/Medicaid rules (often 6–10 years). At the end of retention, PHI invoices must be securely destroyed.
Key difference from other industries
The required retention period for general business invoices is usually 3–7 years under IRS/state rules. For healthcare invoices with PHI, retention is often 6–10 years and subject to HIPAA privacy/security safeguards.
State-level requirements
Every U.S. state establishes its own rules for sales and use tax records, and invoice retention is a core part of those rules. For example, California requires businesses to maintain sales and use tax records, including invoices, for at least four years. Washington requires that e-invoices include the same detail as paper invoices, with an adequate audit trail covering vendor name, date, description, price, tax, and shipment information. Other states set different retention periods and documentation standards, often administered by state tax departments or archives.
A closer look: New York and Texas
New York
- Retention period: Three years after filing the return; longer if required by the Tax Department.
- What must be kept: True copies of invoices, receipts, statements, and records of payments and tax payable.
- Electronic storage: Explicitly allowed under 20 NYCRR §2402.2 and the Electronic Signatures and Records Act (ESRA).
- Location: No requirement to store in-state; must be accessible to the Tax Department on request.
Texas
- Retention period: Four years, and longer if an audit, refund, or assessment is pending.
- What must be kept: Records showing gross receipts, purchases, and all tax collected, including invoices and exemption certificates.
- Electronic storage: Allowed in any format the Comptroller can examine.
- Location: No requirement to store in-state; must be produced on request.
The Streamlined Sales and Use Tax Agreement (SSUTA)
The Streamlined Sales and Use Tax Agreement (SSUTA) — often called Streamlined Sales Tax — is a voluntary compact among member states designed to simplify and standardise sales and use tax rules.
What SSUTA does
- Creates uniform definitions of taxable terms
- Centralises registration and filing processes
- Standardises exemption certificate handling
- Promotes simplified remittances and sourcing rules
What SSUTA does not do
- Establish rules for invoice storage or retention
- Override state law
Member states continue to apply their own retention rules (e.g., NY’s three years, TX’s four years).
The Digital Business Networks Alliance
DBNAlliance is a U.S. initiative to bring order to a fragmented e-invoicing environment by creating an interoperable framework for exchanging invoices and business documents across multiple networks.
What DBNAlliance does
- Defines interoperability standards so businesses can exchange e-invoices securely across different platforms
- Enables a “network of networks” approach to connect participants
- Promotes standardised formats to accelerate adoption
What DBNAlliance does not do
- Set retention or storage rules
Businesses must still comply with federal, state, and industry-specific retention laws.
Bottom line
DBNAlliance addresses how invoices move, not how long they are stored.
Case law: How courts view invoice records
Unlike tax codes and regulations, U.S. case law does not create invoice-specific storage or location mandates. Courts treat invoices — whether paper or electronic — as ordinary electronically stored information (ESI).
Duty to preserve and spoliation (FRCP 37(e))
If e-invoices are lost because preservation steps weren’t taken, courts may impose remedies or sanctions. Severe sanctions (like adverse inference) require intent to deprive; otherwise, remedies are tailored to cure prejudice.
Admissibility of e-invoices
U.S. courts do not favour paper over electronic records. Under FRE 803(6) and FRE 902(11), digital invoices can be admitted if reliability is shown.
Invoices in discovery disputes
Courts regularly assess invoice authenticity and completeness in litigation. For example, in ComLab Corp. v. Kal Tire, contested invoices raised spoliation questions.
Procurement networks and auto-deletion risks
Platforms like Ariba or SAP Business Network may auto-delete records after set periods.
No legal carve-out applies: during litigation, companies must suspend auto-deletes and preserve the full invoice trail (PO → invoice → payment).
Practical checklist
- Before disputes: Maintain a written retention schedule; ensure metadata/audit logs are retrievable.
- When disputes loom: Issue litigation holds, pause auto-deletes, capture attachments.
- In court: Prepare certifications under FRE 902(11) and show system reliability.
Bottom line
Courts apply general ESI rules, not invoice-specific ones. Preservation, authenticity, and accessibility are key.
Why retention matters
With multiple overlapping requirements, recordkeeping is more than just a paperwork exercise. Retaining invoices properly helps businesses: support IRS, SEC, HIPAA, and state tax audits; demonstrate compliance with grant, contract, or regulatory obligations; and provide a defensible record in case of disputes, litigation, or investor inquiries.
Comparison: Retention and storage requirements
| Authority/Jurisdiction | Retention period | What must be kept | Electronic storage | Storage location |
| --- | --- | --- | --- | --- |
| IRS (federal tax) | 4 years (longer if audit pending) | Invoices, receipts, exemption certs | Allowed in any examinable format | No in-state requirement |
| New York | 3 years after filing (may be longer) | True copies of invoices, receipts | Allowed under 20 NYCRR §2402.2 | No in-state requirement |
| Texas | 4 years (longer if audit pending) | Invoices, receipts, exemption certs | Allowed in any examinable format | No in-state requirement |
| SSUTA | No rules | Not applicable | Not applicable | Not applicable |
| DBNAlliance | No rules | Not applicable | Not applicable | Not applicable |
| ESI case law | No set period (follows FRCP/FRE) | Invoices as ESI | Allowed if authenticatable | Not restricted |
How Avalara can help
Managing invoice retention across multiple federal, state, and industry rules can feel overwhelming. Avalara E-Invoicing and Live Reporting (ELR) helps businesses: automate compliance with global e-invoicing mandates; standardise storage and archiving across U.S. jurisdictions; ensure invoices are accessible, secure, and audit-ready; and keep pace with evolving interoperability standards, including frameworks like DBNAlliance.
As a Certified DBNAlliance Access Point to the B2B digital highway, Avalara enables secure and interoperable e-invoice exchange. For U.S. businesses, Avalara also ensures that U.S. e-invoices are stored within the U.S., meeting regulatory and audit expectations.
Avalara ELR is designed to give businesses confidence that their invoices are not just exchanged correctly — but also stored and retained in line with compliance obligations. Speak with Avalara today to learn more.
