Drug and alcohol testing companies — and the Consortium/Third-Party Administrators (C/TPAs) that manage programs on behalf of DOT-regulated employers — operate in a compliance environment where paperwork failures carry the same weight as testing failures. Under 49 CFR §382.401, carriers must maintain specific records for defined retention periods ranging from one to five years. Miss a record during an FMCSA compliance review, and the gap is treated as a violation — not an administrative oversight. Fines can reach $16,000 per violation, and auditors evaluate whether records exist, how long they've been retained, and whether they can be produced on demand.
For C/TPAs managing programs across dozens or hundreds of employer clients, the recordkeeping burden multiplies. Each client's records must be maintained separately, accessible on demand, and protected against unauthorized disclosure. The October 2024 DOT proposed rule — which would formally authorize electronic signatures and electronic storage for drug testing forms — is accelerating the shift away from paper and local servers. The question is no longer whether to go digital. It's whether the digital infrastructure you're using can actually survive an audit.
What records must be kept and for how long?
The retention requirements under 49 CFR §382.401 vary by record type. The most consequential records — positive tests, refusals, and alcohol results at or above 0.02 BAC — carry a five-year retention requirement. Negative tests require only one year. Training and policy documentation must be retained for the duration of employment plus two additional years.
| Record Type | Retention Period | CFR Reference |
|---|---|---|
| Verified positive drug tests | 5 years | §382.401(b)(1) |
| Alcohol test results ≥ 0.02 BAC | 5 years | §382.401(b)(1) |
| Refusals to test | 5 years | §382.401(b)(1) |
| SAP evaluations and RTD records | 5 years | §382.401(b)(1) |
| Annual MIS summary reports | 5 years | §382.401(b)(2) |
| Random pool selection records | 5 years | §382.401(b)(2) |
| Negative and cancelled drug tests | 1 year | §382.401(b)(3) |
| Alcohol test results below 0.02 BAC | 1 year | §382.401(b)(3) |
| Education and training records | Employment + 2 years | §382.401(b)(4) |
| Supervisor reasonable suspicion training | Employment + 2 years | §382.401(b)(4) |
| Written policy acknowledgments | Employment + 2 years | §382.401(b)(4) |
Return-to-duty (RTD) cases carry expanded requirements. When a driver violates testing rules and goes through the RTD process, the employer must retain the SAP initial evaluation, the SAP follow-up evaluation confirming compliance, the negative RTD test result, the follow-up testing schedule, and all follow-up test results — all under the five-year requirement. Missing any single element of the RTD documentation chain is a standalone violation.
Mixing up retention timelines is one of the most common FMCSA audit findings. A positive test stored for only one year — instead of five — is a violation even if the test itself was handled correctly.
What is the real FMCSA audit risk?
FMCSA compliance reviews — both scheduled and unannounced — evaluate a carrier's drug and alcohol program against the full requirements of 49 CFR Part 382. Auditors do not distinguish between a record that was never created and one that was created but lost. Both are violations. The fine structure under 49 CFR Part 386 allows penalties up to $16,000 per violation, and a single audit can surface multiple violations across multiple record types.
The FMCSA's own data shows that Clearinghouse violations — including failures to query, failures to report, and failures to maintain query history — have been cited in nearly 10% of all audits since 2021. As Clearinghouse enforcement matures, the documentation trail around queries and consent management is becoming a primary audit focus alongside the underlying test records.
Common FMCSA Audit Violations in Drug Testing Programs
- Records not retained for the required period
- Records stored in general personnel files instead of a separate, controlled location
- Missing random pool selection documentation
- Incomplete RTD documentation chain
- Clearinghouse query records not maintained for 3 years
- No written drug and alcohol testing policy on file
What are C/TPA-specific obligations?
A C/TPA operating under 49 CFR Part 40 Section 40.351 must follow all confidentiality and records retention requirements applicable to employers. When a C/TPA manages a program on behalf of an employer, the employer retains ultimate compliance responsibility — but the C/TPA's own records, including the records it maintains on behalf of clients, must meet the same standards.
For C/TPAs managing programs across multiple employer clients, this creates a layered obligation. Each client's records must be maintained separately, with access controls that prevent one client's data from being visible to another. The C/TPA must also maintain its own records of random selection processes, MIS reporting, and Clearinghouse activity — separate from the employer-level records it manages on behalf of clients.
Why paper files and local storage fail C/TPAs
Paper-based recordkeeping and local server storage share the same fundamental vulnerabilities: they are difficult to search, easy to lose, and nearly impossible to audit at scale. For a C/TPA managing programs for 20 or 50 employer clients, the operational burden of maintaining compliant paper records — organized by client, by record type, by retention period — is substantial. The risk of a misfiled document or a lost folder is real, and the consequence during an FMCSA audit is a violation regardless of intent.
Local server storage introduces a different set of risks. Hardware failure, ransomware, and physical damage can destroy years of records with no recovery path. A C/TPA that loses five years of positive test records in a server failure cannot reconstruct them — and cannot produce them during an audit. The FMCSA does not accept "our server crashed" as a defense.
How compliant cloud storage solves the problem
A compliant cloud storage platform addresses each of these vulnerabilities directly. Encrypted storage protects records at rest and in transit. Role-based access controls ensure that only authorized individuals can access specific client folders. Audit logs create a tamper-evident record of every access and modification — exactly what an FMCSA auditor needs to see. Automated retention policies prevent records from being deleted before their required period expires.
For C/TPAs specifically, the ability to organize records by client — with separate access credentials for each employer client — transforms a compliance burden into a manageable workflow. When an employer client needs to produce records for their own FMCSA audit, the C/TPA can provide access to that client's folder without exposing any other client's data.
AXIS CloudSync provides encrypted file storage and sharing with role-based access controls, full audit logging, and a signed Business Associate Agreement — the same infrastructure that healthcare organizations use for HIPAA compliance, applied to the DOT compliance environment. Plans start at $18 per user per month, with no long-term contract required.
Frequently Asked Questions
How long must C/TPAs keep DOT drug testing records?
Positive drug tests, alcohol results at or above 0.02 BAC, refusals, SAP evaluations, and random pool selection records must be retained for 5 years under 49 CFR §382.401. Negative tests are retained for 1 year. Training and policy records are kept for the duration of employment plus 2 years.
Can DOT drug testing records be stored electronically?
Yes. DOT's proposed rule from October 2024 would formally authorize electronic storage and electronic signatures for drug testing forms. Records stored electronically must still meet confidentiality and controlled-access requirements under 49 CFR Part 40.
What happens if records are missing during an FMCSA audit?
Missing records are treated as violations, not administrative oversights. Fines can reach $16,000 per violation. FMCSA auditors evaluate what records exist, how long they've been retained, and whether they can be produced on demand.
Does a C/TPA share liability for its employer clients' recordkeeping?
C/TPAs are responsible for their own records and for the accuracy of what they report. When a C/TPA manages a program on behalf of an employer, the employer retains ultimate compliance responsibility — but a C/TPA's failure to maintain required records can expose both parties.


