Where Audiograms Actually Live — And Why Most HCP Vendors Fail Today's Security Standards
Compliance·Data Security·HIPAA·12 min read·Updated March 2026
Ask most safety managers where their employees’ audiometric records are stored and you’ll get a vague answer: “with our hearing test vendor” or “in their system somewhere.” Ask whether that vendor has a Business Associate Agreement in place, whether they’re SOC 2 certified, or how records are protected if the vendor is acquired or goes out of business — and the conversation usually stops. Audiometric records are protected health information. They must be retained for up to 35 years under OSHA. They are subpoenable in workers’ compensation litigation. And the vast majority of occupational audiometry vendors storing them today have never been asked to demonstrate security compliance by their employer clients. This guide explains what HIPAA, SOC 2, and OSHA together require for audiometric record security — and why the gap between those requirements and current industry practice is a liability most employers are unknowingly carrying.
Soundtrace is SOC 2 certified and HIPAA compliant, with Business Associate Agreements in place for every client. Audiometric records, noise exposure data, and worker health profiles are stored in a system built to meet the security standards that federal law and sound risk management require.
30 yrs: OSHA required retention for audiometric records after employment ends
$50K+: Minimum HIPAA civil penalty per violation category, rising to $1.9M for willful neglect
BAA: Required by HIPAA with any vendor handling protected health information; most HCP vendors have never offered one
The Question Most Employers Haven’t Asked
Your audiometric vendor is storing medical records for your employees. Do you have a signed Business Associate Agreement? Are records encrypted at rest and in transit? Is the vendor SOC 2 certified? Can you export your complete records if you change vendors? If you don’t know the answers, you’re carrying exposure you haven’t assessed.
Audiometric test records collected as part of an occupational hearing conservation program under 29 CFR 1910.95 are medical records. They document an employee’s hearing thresholds at specific frequencies over time, the progression of any hearing loss, the presence of Standard Threshold Shifts, and the employer’s follow-up actions. They are maintained in the context of an employment relationship for the purpose of monitoring occupational health.
Under HIPAA, individually identifiable health information maintained by a covered entity or its business associates is protected health information (PHI). When an employer uses a third-party vendor to conduct and store audiometric testing, that vendor is a business associate under HIPAA — and the medical records they hold are PHI subject to HIPAA’s Security Rule requirements.
Under OSHA 1910.95(m), these records must be retained for the duration of the employee’s employment plus 30 years — and must be accessible to employees upon request, producible during OSHA inspections, and intact for use as evidence in workers’ compensation proceedings that may arrive decades after the original exposure.
Audiometric records are medical records with long legal tails
A worker exposed to noise today, who develops hearing loss over the next 20 years, who files a workers’ compensation claim at age 58, is going to need those audiometric records from their early career to establish baseline, progression, and the employer’s program response. If those records are inaccessible, corrupted, or held by a vendor that no longer exists, the employer loses their primary WC defense document.
Where Most Audiometric Records Actually Sit
Mobile van programs: Records are stored in the van vendor’s proprietary system. The employer typically has no direct access to the database, cannot export records in a portable format without the vendor’s cooperation, and has no visibility into the vendor’s security infrastructure.
Occupational health clinic programs: Records may be stored in an EMR system designed for clinical use. The employer typically receives paper reports or PDFs rather than structured electronic records. Long-term retention and access depend entirely on the clinic’s operational continuity.
Software-as-a-service audiometric platforms: Records are stored in a cloud environment operated by the vendor. Security posture varies enormously. SOC 2 certification is rare. HIPAA BAAs are rarely in place.
HCP Vendor Security Posture: Where Most Programs Actually Fall
The security capabilities of audiometric record storage vary enormously across vendor types. Most employers have never assessed where their vendor sits on this spectrum.
HIPAA Requirements for Audiometric Records
HIPAA’s Security Rule requires covered entities and business associates to implement administrative, physical, and technical safeguards to protect electronic PHI (ePHI). For audiometric records stored electronically by a vendor, the relevant requirements include:
Access controls: Unique user identification, automatic log-off, encryption, audit controls logging who accesses records and when
Encryption at rest and in transit: ePHI must be encrypted when stored and when transmitted across networks
Audit logs: Systems must maintain records of access, modification, and deletion of ePHI
Business continuity and backup: Procedures for recovering ePHI in the event of an emergency or system failure
Business Associate Agreements: Written contracts with every vendor that creates, receives, maintains, or transmits ePHI
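The list above names the safeguards but not what they look like in a system. The following is an added illustration, not Soundtrace's code, of two of them: unique user identification with minimum-necessary access, and an audit trail recording every access attempt to an audiometric record. The roles, user ids and record ids are constructed for the example; the log is hash-chained so that editing or deleting an earlier entry is detectable on review. Encryption at rest is not shown here.

```python
"""Added example: minimum-necessary access control plus a tamper-evident
access log for audiometric records. Not Soundtrace's implementation."""
import hashlib
import json
from dataclasses import dataclass
from datetime import datetime, timezone

# Hypothetical role -> permitted actions mapping (constructed for this example).
ROLE_PERMISSIONS = {
    "audiologist": {"read", "write"},
    "safety_manager": {"read"},
    "payroll_clerk": set(),          # no payroll task requires audiogram access
}


@dataclass
class AuditEntry:
    ts: str
    user_id: str
    role: str
    record_id: str
    action: str
    allowed: bool
    prev_hash: str
    entry_hash: str = ""


class AuditedRecordStore:
    """In-memory store whose every access attempt, allowed or denied, is appended
    to a hash-chained log, so later edits or deletions inside the log show up."""
    GENESIS = "0" * 64

    def __init__(self):
        self._records = {}
        self.log = []

    @staticmethod
    def _hash(e):
        body = json.dumps({k: v for k, v in e.__dict__.items() if k != "entry_hash"},
                          sort_keys=True)
        return hashlib.sha256(body.encode()).hexdigest()

    def _append(self, user_id, role, record_id, action, allowed):
        prev = self.log[-1].entry_hash if self.log else self.GENESIS
        e = AuditEntry(datetime.now(timezone.utc).isoformat(), user_id, role,
                       record_id, action, allowed, prev)
        e.entry_hash = self._hash(e)
        self.log.append(e)

    def _check(self, user_id, role, record_id, action):
        allowed = action in ROLE_PERMISSIONS.get(role, set())
        self._append(user_id, role, record_id, action, allowed)   # log before deciding
        if not allowed:
            raise PermissionError(f"{user_id} ({role}) may not {action} {record_id}")

    def write(self, user_id, role, record_id, audiogram):
        self._check(user_id, role, record_id, "write")
        self._records[record_id] = audiogram

    def read(self, user_id, role, record_id):
        self._check(user_id, role, record_id, "read")
        return self._records[record_id]

    def verify_log(self):
        """Recompute the chain; True only if no entry was altered or removed.
        Truncating the tail is only detectable if the latest hash is also kept
        somewhere the log writer cannot change (not shown here)."""
        prev = self.GENESIS
        for e in self.log:
            if e.prev_hash != prev or self._hash(e) != e.entry_hash:
                return False
            prev = e.entry_hash
        return True


def demo():
    """One write, one permitted read, one denied read, then a log edit."""
    store = AuditedRecordStore()
    store.write("u-101", "audiologist", "emp-7/2026-03-02", {"R": {4000: 25}})
    store.read("u-220", "safety_manager", "emp-7/2026-03-02")
    denied = False
    try:
        store.read("u-555", "payroll_clerk", "emp-7/2026-03-02")
    except PermissionError:
        denied = True
    intact_before = store.verify_log()
    # Someone later edits the denied attempt to look like a permitted read.
    store.log[-1].allowed = True
    return denied, intact_before, store.verify_log()


if __name__ == "__main__":
    print(demo())   # (True, True, False)
```

The point for a vendor review is the shape of the record, not the hashing detail: each entry names the user, the role, the record, the action and the outcome, and denied attempts are logged too. A vendor who cannot produce entries of that shape for a named employee record does not have the audit control the Security Rule describes.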
▶ Bottom line: If your audiometric testing vendor stores employee audiograms electronically, they are handling ePHI. HIPAA requires a signed BAA. Most occupational audiometry vendors do not proactively offer one.
$1.9M: Maximum HIPAA penalty per violation category for willful neglect
HIPAA penalties are tiered by culpability. Willful neglect — knowingly failing to have a BAA in place after being made aware — carries a minimum of $50,000 and a maximum of $1.9 million per violation category. For employers whose audiometric vendors have no BAA, discovery during litigation or an audit is the moment that negligence becomes willful.
The BAA Gap: Why Most HCP Vendors Don’t Have One
A Business Associate Agreement is a HIPAA-mandated contract between a covered entity and any vendor that handles PHI on its behalf. The BAA specifies how the vendor may use and disclose the PHI, requires the vendor to implement appropriate security safeguards, and obligates the vendor to report breaches.
Most occupational audiometry vendors have never offered a BAA to their employer clients for a simple reason: they have never been asked. The occupational health space has historically operated with informal security assumptions — that the records are “just safety compliance data” rather than medical records — that do not hold up to legal scrutiny.
Contract Language — What Most Vendors Say vs. What It Should Say
⚠ Typical vendor agreement
“Vendor will store Client data on secure servers and take reasonable steps to protect data from unauthorized access. Client data remains available for the duration of the service agreement.”
No BAA • No encryption spec • No portability rights • No breach SLA • Records lost if contract ends
✓ What it should say
“Vendor agrees to serve as a HIPAA Business Associate. All ePHI is encrypted AES-256 at rest and TLS 1.2+ in transit. Client retains ownership of all records and may export complete data in structured format at any time. Vendor will notify Client of any breach within 60 days. Upon contract termination, Client records will be exported and delivered within 30 days.”
BAA ✓ • Encryption spec ✓ • Export rights ✓ • Breach SLA ✓ • Termination rights ✓
HIPAA Requirement | What It Means for Audiometric Records | Typical HCP Vendor Status
Business Associate Agreement | Signed contract defining PHI handling obligations before records are stored | Rarely offered or in place
Encryption at rest | Employee audiogram files encrypted in the vendor’s database | Not consistently implemented or verifiable
Encryption in transit | Records encrypted when transmitted between systems | Basic TLS common; full compliance varies
Access audit logging | Log of who accessed which records and when, retained for 6 years | Rare in occupational audiometry platforms
Breach notification procedures | Process to identify, respond to, and report breaches within 60 days | Undefined in most vendor contracts
Minimum necessary access | Access to PHI limited to what is required for the specific task | Often not enforced in legacy systems
What SOC 2 Means and Why It Matters for Long-Term Record Storage
SOC 2 (System and Organization Controls 2) is an auditing standard developed by the AICPA that evaluates whether a vendor’s security controls meet the Trust Services Criteria. A SOC 2 Type II report covers a defined period — typically 6–12 months — during which an independent auditor reviews whether the vendor’s stated security controls actually operated effectively, not just whether they exist on paper.
For employers storing audiometric records that must remain secure and accessible for up to 35 years, a vendor’s SOC 2 certification provides the only independent, audited verification that their security infrastructure is real. Self-attestations, marketing claims, and “enterprise-grade security” language in vendor materials are not substitutes for an audited SOC 2 report.
SOC 2 Type II vs. Vendor Self-Attestation: What Each Actually Verifies
Most vendors claim security compliance. SOC 2 Type II is the only verification that involves independent auditors testing actual controls over time.
The 30-Year Retention Problem
OSHA 1910.95(m)(2)(ii) requires that audiometric test records be retained for the duration of each affected employee’s employment, plus 30 years. For a worker hired today at age 25 who works for 35 years and retires at 60, the employer must maintain their audiometric records until the worker is 90. This retention horizon creates compounding risk at every vendor transition:
Vendor acquisition: Records may be transferred to a system with different security controls without your knowledge or consent
Vendor failure: If the vendor goes out of business, records may become inaccessible — an OSHA violation regardless of why
Platform migration: Historical threshold data, calibration records, and ambient noise data may not survive with full fidelity
Data portability gaps: Many vendors do not provide a contractual right to export complete records in a standard format
The 30-Year Retention Timeline: Events That Arrive Long After Exposure
Audiometric records created today must remain secure, accessible, and legally defensible across this entire horizon. Vendor failures, acquisitions, and platform migrations all create risk along the way.
The 30-year problem is structural, not theoretical
The occupational audiometry vendor landscape has already seen acquisitions, platform consolidations, and business failures. An employer with 10 years of audiometric data in a vendor system that gets acquired has no guarantee that data will be intact, accessible, and portable in year 30 — unless they have contractual protections specifying exactly what happens to their records.
Failure Mode Risk Matrix
Not all security gaps carry the same probability or consequence. This matrix maps the most common audiometric record failures by likelihood and business impact — so employers can prioritize what to address first.
Failure Mode | Likelihood | Business Impact
No BAA with audiometric vendor — HIPAA violation if PHI is breached or discovered in audit | Very High | Critical — $50K–$1.9M per category
No record export rights — records inaccessible if vendor is acquired or fails | High | Critical — OSHA violation + WC defense lost
No breach notification clause — employer unaware of PHI exposure for months | High | Critical — HIPAA penalty + reputational damage
No encryption at rest — database breach exposes audiometric + personal data | |
Encryption: Encryption at rest and in transit as standard infrastructure
Access audit logs: Full audit trail maintained per HIPAA Security Rule requirements
Record portability: Employer records are the employer’s — accessible and exportable at any time
Breach notification: Defined breach response procedures per HIPAA requirements
30-year continuity: Cloud-native architecture with employer-controlled data access
35+: Years your audiometric records must remain secure, accessible, and legally defensible
A worker hired at 25 retires at 60. OSHA requires records 30 years after separation — potentially until the worker is 90. Your vendor security posture today is your security posture for their entire claim window.
Vendor Audit Checklist: 5 Questions to Ask Before You Sign
Most employers have never had this conversation with their audiometric testing vendor. Run through this checklist — the answers reveal security posture in under 10 minutes.
Do we have a signed Business Associate Agreement?
If the vendor stores audiometric records electronically and you do not have a signed BAA, you have a HIPAA compliance gap. A vendor who doesn’t know what a BAA is, or who says one isn’t needed, is a significant red flag. Right answer: “Yes — here it is.”
HIPAA required
Are you SOC 2 certified, and can we see the report?
“We follow SOC 2 principles” or “we’re working toward SOC 2” is not certification. A legitimate SOC 2 Type II certification produces an audit report the vendor can provide on request. Right answer: “Yes — here is our most recent Type II report.”
SOC 2 verification
Are our records encrypted at rest and in transit?
Ask for the encryption standard by name. The answer should specify AES-256 at rest and TLS 1.2+ in transit. Vague answers indicate security is not built into the architecture. Right answer: specific encryption standards named.
HIPAA Security Rule
Can we export our complete audiometric records at any time, in a portable format?
The answer should be yes, with a defined format (CSV, HL7, or equivalent) preserving all threshold values, dates, calibration records, and ambient noise data. If the answer is no or “it depends,” your records are locked in their system. Right answer: “Yes, on demand, in [specific format].”
OSHA 30-yr retention
What happens to our records if you are acquired or go out of business?
This must be addressed in your contract. Request an addendum specifying your rights upon contract termination, acquisition, or business cessation. Without this, your 30-year retention obligation is exposed to someone else’s business decisions. Right answer: written contractual commitment with a specific timeline.
OSHA 30-yr retention
Frequently asked questions
Are audiometric records protected health information under HIPAA?
Yes. Audiometric records collected as part of an occupational health program are medical records and constitute protected health information when handled by a covered entity or business associate. Employers using a third-party vendor to conduct and store audiometric testing must have a signed BAA with that vendor.
What is a Business Associate Agreement and do I need one with my audiometric vendor?
A BAA is a HIPAA-required contract with any vendor that handles protected health information on your behalf. If your audiometric testing vendor stores employee audiograms electronically, they are a business associate under HIPAA and you must have a signed BAA. Most occupational audiometry vendors have never offered one to their clients.
What is SOC 2 and why does it matter for audiometric record storage?
SOC 2 is an independently audited security certification covering security, availability, processing integrity, confidentiality, and privacy. SOC 2 Type II means auditors tested the vendor’s actual controls over a multi-month period. For records that must remain secure and accessible for 30+ years, SOC 2 certification is the only independent verification that a vendor’s security infrastructure is real.
How long must audiometric records be retained under OSHA?
OSHA 1910.95(m)(2)(ii) requires audiometric test records to be retained for the duration of the employee’s employment plus 30 years. Records must be accessible to employees upon request and producible during OSHA inspections. Failure to produce records during an inspection is a violation, regardless of the reason they are unavailable.
What happens to audiometric records if my testing vendor goes out of business?
Without contractual protections specifying your rights to records upon vendor failure, those records may become inaccessible. This creates an OSHA violation and eliminates the audiometric history needed for STS calculations and WC defense. Confirm record portability rights in writing with any vendor before contracting.
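Checklist question 4 and the FAQ answer above both turn on the same point: an export is only useful if it keeps every threshold, date and calibration value, because the Standard Threshold Shift check that drives follow-up and WC defense is computed from them. The block below is an added example, not Soundtrace's code, of a CSV export that refuses to drop a frequency, a re-import, and the 1910.95(g)(10) STS test (mean shift of 10 dB or more at 2000, 3000 and 4000 Hz in either ear against the baseline). The column names and the two sample audiograms are constructed; the optional age correction in Appendix F is omitted.

```python
"""Added example: full-fidelity CSV export/import of audiograms and the OSHA
Standard Threshold Shift check that depends on it. Not Soundtrace's code."""
import csv
import io

# Minimum test frequencies under 29 CFR 1910.95(h)(1), in Hz.
FREQS = (500, 1000, 2000, 3000, 4000, 6000)
STS_FREQS = (2000, 3000, 4000)          # frequencies averaged for STS, 1910.95(g)(10)
FIELDS = ["employee_id", "test_date", "ear", "calibration_date", "ambient_db",
          *[f"hz_{f}" for f in FREQS]]  # constructed column layout

# Constructed sample: a 2010 baseline and a 2026 annual test for one worker.
SAMPLE_RECORDS = [
    {"employee_id": "emp-7", "test_date": "2010-04-12", "calibration_date": "2010-03-01",
     "ambient_db": 22,
     "thresholds": {"L": {500: 5, 1000: 5, 2000: 5, 3000: 10, 4000: 10, 6000: 15},
                    "R": {500: 5, 1000: 5, 2000: 5, 3000: 10, 4000: 10, 6000: 15}}},
    {"employee_id": "emp-7", "test_date": "2026-03-02", "calibration_date": "2026-02-10",
     "ambient_db": 24,
     "thresholds": {"L": {500: 10, 1000: 10, 2000: 15, 3000: 20, 4000: 25, 6000: 30},
                    "R": {500: 5, 1000: 5, 2000: 10, 3000: 15, 4000: 15, 6000: 20}}},
]


def export_csv(records):
    """One row per (test, ear). Raises rather than silently writing a partial row."""
    buf = io.StringIO()
    w = csv.DictWriter(buf, fieldnames=FIELDS)
    w.writeheader()
    for r in records:
        for ear in ("L", "R"):
            thresholds = r["thresholds"][ear]
            missing = [f for f in FREQS if f not in thresholds]
            if missing:
                raise ValueError(f"{r['employee_id']} {r['test_date']} {ear}: "
                                 f"missing thresholds at {missing} Hz")
            w.writerow({"employee_id": r["employee_id"], "test_date": r["test_date"],
                        "ear": ear, "calibration_date": r["calibration_date"],
                        "ambient_db": r["ambient_db"],
                        **{f"hz_{f}": thresholds[f] for f in FREQS}})
    return buf.getvalue()


def import_csv(text):
    """Rebuild {(employee_id, test_date): {ear: {freq: dB}}} from the export.
    Calibration date and ambient level stay in the file; only thresholds are
    needed for the STS computation below."""
    out = {}
    for row in csv.DictReader(io.StringIO(text)):
        key = (row["employee_id"], row["test_date"])
        out.setdefault(key, {})[row["ear"]] = {f: int(row[f"hz_{f}"]) for f in FREQS}
    return out


def sts(baseline, current):
    """STS per 1910.95(g)(10): mean shift at 2, 3 and 4 kHz >= 10 dB in either
    ear relative to the baseline audiogram. Age correction is not applied."""
    result = {}
    for ear in ("L", "R"):
        shift = sum(current[ear][f] - baseline[ear][f] for f in STS_FREQS) / len(STS_FREQS)
        result[ear] = shift >= 10
    return result


def roundtrip_sts(records):
    """Export, re-import, and evaluate the latest test against the earliest."""
    tests = import_csv(export_csv(records))
    keys = sorted(tests)       # (employee_id, ISO date) sorts chronologically per employee
    return sts(tests[keys[0]], tests[keys[-1]])


if __name__ == "__main__":
    print(export_csv(SAMPLE_RECORDS))
    print(roundtrip_sts(SAMPLE_RECORDS))   # {'L': True, 'R': False}
```

In the sample the left ear has shifted 10, 10 and 15 dB at the three STS frequencies (mean 11.7 dB), so it flags; the right ear shifted 5 dB at each and does not. If a vendor's export had dropped the 3000 Hz column, or the baseline test altogether, neither result could be reproduced from the exported file, which is the practical meaning of "complete records in a portable format".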
SOC 2 Certified. HIPAA Compliant. Your Records, Your Control.
Soundtrace is the only automated audiometric testing platform built with SOC 2 certification, HIPAA compliance, and Business Associate Agreements as standard — not afterthoughts. Your employees’ records are encrypted, audited, and portable for the full 30-year retention horizon OSHA requires.