Audiometric records are medical records. They contain individually identifiable hearing threshold data that is protected health information (PHI) when held by a HIPAA covered entity or its business associate, and OSHA requires them to be preserved for the duration of employment plus 30 years: 29 CFR 1910.95(m) requires the employer to retain audiometric test records, and 29 CFR 1910.1020(d)(1)(i) sets the 30-year tail that applies to all employee medical records. Most audiometric testing vendors in the occupational health market were not built with these dual requirements in mind. The result: employers are routinely storing worker health records in systems that are neither HIPAA compliant nor capable of 30-year retention. According to CDC/NIOSH, approximately 22 million U.S. workers are exposed to hazardous noise each year, generating audiometric records that carry significant HIPAA and OSHA obligations most employers have never audited.
Why Audiometric Records Are HIPAA-Covered PHI
Protected health information (PHI) under HIPAA is individually identifiable health information that relates to an individual's physical condition and is created or received by a covered entity or its business associate. An audiometric test record containing a named worker's hearing thresholds, STS determinations, and medical referral history meets that definition when it sits with the occupational health provider or testing service that produced it. When that vendor conducts, stores, or transmits the data on behalf of a covered entity, it is a business associate and must sign a Business Associate Agreement (BAA). One caveat a practitioner should keep in mind: the employer itself is usually not a covered entity, and 45 CFR 160.103 excludes records held by an entity in its role as employer from the PHI definition. The HIPAA obligations discussed here attach to the vendor; the employer's own duty to preserve and protect the records comes from OSHA (29 CFR 1910.1020), and it reaches the vendor's handling only through the BAA and the service contract.
The routine compliance failure in the occupational audiometry market is this: employers contract with testing services that store records in local databases, on technician laptops, in consumer cloud storage, or in legacy systems with no formal security controls, and never execute a BAA. The employer then carries the exposure for the vendor's data handling practices with no contractual recourse.
Most employers who use third-party audiometric testing vendors have never reviewed whether those vendors can execute a BAA or whether the vendor's data storage meets the HIPAA Security Rule technical safeguards (45 CFR 164.312: access control, audit controls, integrity, authentication, and transmission security). A vendor that stores records on unencrypted technician laptops, in consumer Dropbox or Google Drive accounts, or in legacy local databases with no access logging is not HIPAA compliant regardless of whether a BAA has been signed. The BAA must be paired with actual security controls, and the employer should ask to see evidence of them.
The 30-Year Retention Challenge
OSHA 29 CFR 1910.95(m)(3)(ii) requires audiometric test records to be retained for the duration of the affected employee's employment, and because they are employee medical records, 29 CFR 1910.1020(d)(1)(i) extends that to employment duration plus 30 years. For a worker hired at age 22 who works for the same employer until 62, the audiogram from their first year of employment must remain accessible for 70 years from creation (40 years of employment plus 30). This retention horizon exceeds the life of most software platforms, HR systems, and vendor business relationships.
The practical failure modes:
- Paper audiogram files destroyed in building moves, floods, or when records management oversight fails
- Legacy audiometric software whose vendor has gone out of business or discontinued the product
- Records stored on retired hardware that was disposed of without data extraction
- Vendor transitions where prior vendor records were not migrated to the new system
What a SOC 2 Type II Report Actually Means
A SOC 2 Type II report is an attestation, not a certification: an independent CPA firm has tested a vendor's security controls over a sustained period (typically 6–12 months) and reported whether they were designed and operating effectively against the AICPA Trust Services Criteria. Security is the only mandatory criterion; availability, processing integrity, confidentiality, and privacy are included only if the vendor chose to put them in scope. Unlike a Type I report, which is a point-in-time assessment of control design, Type II examines whether controls actually operated over the audit period.
For audiometric records storage, a SOC 2 Type II report provides independent verification that the vendor's data handling practices meet established security standards, unlike self-certifications or HIPAA attestations without independent audit. Before relying on it, request the report itself under NDA and check three things: which Trust Services Criteria are in scope, the dates of the audit period, and any exceptions the auditor noted. Soundtrace states that it holds a SOC 2 Type II report and is HIPAA compliant.
At a minimum, an employer should require the following from any vendor that handles audiometric records:
- Signed BAA covering the specific data handling activities the vendor performs
- SOC 2 Type II report from an independent auditor, with security in scope
- Encryption at rest and in transit for all audiometric data
- Role-based access controls limiting who can read or modify records
- Audit logging of all record access and modification, retained long enough to investigate an incident
- Data export capability allowing the employer to obtain all records if the vendor relationship ends
- Confirmed 30-year retention architecture, including format migration and backup strategy, not just a policy statement
The Breach Exposure Employers Carry
A HIPAA breach involving audiometric records triggers notification requirements under the Breach Notification Rule (45 CFR 164.400–414), a potential OCR investigation, and civil monetary penalties. Statutory penalties range from $100 to $50,000 per violation depending on culpability, with annual caps per violation category that are inflation-adjusted each year and currently exceed $1.9 million. For a 200-worker facility where audiometric records spanning 10 years are breached, the exposure is substantial. The employer's exposure is greatest when no BAA was executed, or when the vendor's security practices were inadequate and the employer failed to conduct reasonable due diligence; and whatever the HIPAA outcome, the employer still owns the OSHA duty to preserve the records and to make them available to employees and their representatives on request.
A secondary but critical risk: audiometric records stored in a vendor's proprietary system without data export capability are effectively held hostage to that vendor relationship. When the vendor raises prices, goes out of business, or is acquired, the employer's decades of audiometric records may not be portable. Any audiometric records vendor selected should be contractually required to provide complete data export in a documented, non-proprietary format, and the export should include every field 29 CFR 1910.95(m)(2) requires in the record: the employee's name and job classification, the date of the audiogram, the examiner's name, the date of the last acoustic or exhaustive calibration of the audiometer, and the employee's most recent noise exposure assessment. Test the export once before signing and again annually, because an export that works on paper but has never been run is not a safeguard.
SOC 2 Certified. HIPAA Compliant. Built for 30-Year Retention.
Soundtrace is the only automated audiometric testing platform that is SOC 2 Type II certified and HIPAA compliant — with the security architecture and BAA execution capability that OSHA records requirements demand.