I follow a number of blogs and other online publications dealing with business, technology, and data privacy issues. I recently came across an interesting article on data retention practices on a blog called "Life as a Healthcare CIO". The article discusses a number of the issues that businesses (both within and outside the medical industry) who deal with sensitive data struggle with. Here is a link to the article:
This article gives a good sense of the importance of having well thought-out policies and procedures for data handling and retention, both from a purely technological standpoint and from a legal and risk-management standpoint.
Hopefully it will stir your thoughts on these issues.