Education and Thought Leadership
June 19, 2024

Audiometric Records Security: HIPAA, SOC 2, and Why Most HCP Vendors Leave Employers Exposed


Data Security · HIPAA · SOC 2 · 14 min read · Updated March 2026

Every audiometric record your HCP vendor stores contains protected health information. Under HIPAA, that makes your vendor a Business Associate — and if they haven’t signed a Business Associate Agreement (BAA) with you, you are already out of compliance. Most occupational health vendors, audiometric testing platforms, and legacy HCP software providers operate without SOC 2 certification, without signed BAAs, and without the security controls required for a 30-year medical record retention obligation. This guide explains the regulatory requirements, the specific risks most employers are currently carrying unknowingly, and what a genuinely secure audiometric records platform looks like.

  • 30+ yrs: Minimum audiometric record retention required by OSHA 1910.95(m) after employment ends
  • $50,000: Maximum HIPAA penalty per violation category per year for failing to have a BAA in place
  • SOC 2: The security certification most HCP vendors lack — required for defensible medical record custody

Are Audiometric Records PHI Under HIPAA?

Protected Health Information (PHI) under HIPAA is individually identifiable health information that is created, received, maintained, or transmitted by a covered entity or business associate. Audiometric records meet this definition:

  • They contain health information (hearing threshold measurements, STS determinations, audiologist evaluations)
  • They are individually identifiable (linked to a specific named employee)
  • They are maintained by an employer (covered entity or by a vendor on the employer’s behalf)

[Figure: Audiometric Records: PHI Classification Framework. Health information (hearing thresholds, STS determinations, audiologist notes); individually identifiable (linked to a named employee); created or maintained by the employer or a vendor on their behalf. All three criteria met: PHI. Source: 45 CFR Part 160 and Subparts A and E of Part 164 (HIPAA Privacy Rule); HHS Guidance on PHI]

However, there is an important nuance. OSHA audiometric records maintained solely for OSHA compliance purposes are subject to OSHA’s 1910.1020 access-to-employee-exposure-records standard, not HIPAA, when the employer is the sole custodian. The HIPAA obligation arises when a covered entity (typically an employer with a self-funded health plan) or a Business Associate stores, processes, or transmits these records electronically.

For most employers using a cloud-based audiometric testing platform, the vendor is a Business Associate under HIPAA, and all records stored by the vendor are ePHI (electronic PHI) subject to the full Security Rule requirements.

HIPAA Requirements for Audiometric Records

The HIPAA Security Rule (45 CFR Part 164, Subpart C) establishes required safeguards for ePHI. These requirements apply to Business Associates (including HCP software vendors) as well as covered entities:

Administrative Safeguards (45 CFR 164.308)

  • Security risk analysis and risk management (updated at least annually)
  • Workforce security training and supervision
  • Access management and termination procedures
  • Security incident procedures and response protocols
  • Contingency plan (backup, disaster recovery, emergency access)

Physical Safeguards (45 CFR 164.310)

  • Facility access controls for servers and workstations
  • Workstation use and security policies
  • Media controls (device disposal and re-use policies)

Technical Safeguards (45 CFR 164.312)

  • Access controls (unique user IDs, automatic logoff, encryption/decryption)
  • Audit controls (activity logs for all ePHI access and modification)
  • Integrity controls (ensuring ePHI is not altered without detection)
  • Transmission security (encryption of data in transit)
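As an added illustration of the access-control and audit-control safeguards listed above (example code, not from the article or from Soundtrace), the following Python reviews a constructed audit log of audiometric-record events against a constructed workforce roster: it flags entries missing the required fields, events by users not on the roster, and any access after a user's termination date. The log line format, user ids and record ids are assumptions.

```python
from datetime import date, datetime
from typing import Dict, List, NamedTuple, Optional

# Constructed sample audit log (hypothetical format): timestamp, user id, action, record id.
SAMPLE_LOG = """\
2024-03-04T09:12:07Z aud_smith VIEW rec-1001
2024-03-04T09:14:31Z aud_smith MODIFY rec-1001
2024-03-05T11:02:55Z hr_jones VIEW rec-1002
2024-03-07T22:40:10Z aud_lee EXPORT rec-1003
2024-03-09T08:15:00Z hr_jones EXPORT rec-1004
2024-03-10T10:00:00Z contractor_x VIEW rec-1001
bad line without all four fields
"""

# Constructed workforce roster: termination date per user id (None = still active).
ROSTER: Dict[str, Optional[date]] = {
    "aud_smith": None,
    "hr_jones": date(2024, 3, 6),
    "aud_lee": None,
}

KNOWN_ACTIONS = {"VIEW", "MODIFY", "EXPORT"}

class AuditEvent(NamedTuple):
    when: datetime
    user: str
    action: str
    record: str

def parse_line(line: str) -> Optional[AuditEvent]:
    """Return an AuditEvent when all four required fields are present and valid, else None."""
    parts = line.split()
    if len(parts) != 4 or parts[2] not in KNOWN_ACTIONS:
        return None
    try:
        when = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ")
    except ValueError:
        return None
    return AuditEvent(when, parts[1], parts[2], parts[3])

def review_audit_log(log: str, roster: Dict[str, Optional[date]]) -> Dict[str, List[str]]:
    """Flag malformed entries, events by users not on the roster, and access after termination."""
    findings: Dict[str, List[str]] = {"malformed": [], "unknown_user": [], "post_termination": []}
    for raw in log.splitlines():
        if not raw.strip():
            continue
        event = parse_line(raw)
        if event is None:
            findings["malformed"].append(raw)
        elif event.user not in roster:
            findings["unknown_user"].append(f"{event.user} {event.action} {event.record}")
        elif roster[event.user] is not None and event.when.date() > roster[event.user]:
            findings["post_termination"].append(f"{event.user} {event.action} {event.record} on {event.when.date()}")
    return findings
```

A malformed line is itself a finding: an audit control that cannot say who touched which record, when, and how does not satisfy the audit-control safeguard.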

The Biggest Gap: Encryption at Rest

Many HCP software platforms store audiometric records in databases that are not encrypted at rest — meaning that if the database is accessed by an unauthorized party, records are readable without decryption. Encryption at rest is required under 45 CFR 164.312(a)(2)(iv) for systems handling ePHI. Vendors should be required to confirm AES-256 encryption at rest as a contractual term.

The Business Associate Agreement Gap

A Business Associate Agreement (BAA) is a contract required by HIPAA (45 CFR 164.308(b)) between a covered entity and any vendor (Business Associate) that creates, receives, maintains, or transmits ePHI on the covered entity’s behalf. For audiometric records, the HCP software vendor is almost always a Business Associate.

Critical: Most Employers Do Not Have a BAA With Their HCP Vendor

HHS Office for Civil Rights investigations consistently find that covered entities and business associates fail to execute BAAs before sharing ePHI. If your audiometric testing platform or HCP software has never provided you with a BAA to sign, you are operating without HIPAA-required contractual protections. This is a per-violation category penalty exposure of up to $50,000 per year.

What a valid BAA must contain:

  • Description of permitted uses and disclosures of PHI
  • Prohibition on using or disclosing PHI except as permitted
  • Appropriate safeguards requirement
  • Breach notification obligations (within 60 days of discovery)
  • PHI return or destruction at contract termination
  • Sub-Business Associate compliance requirements

BAA Review Checklist for HCP Vendors

Before signing or renewing an HCP software agreement, confirm: (1) a BAA has been provided and executed, (2) the BAA covers all PHI processed including audiometric data and personal health notes, (3) breach notification timelines meet the 60-day HIPAA requirement, (4) the BAA addresses data return or certified destruction upon contract termination. If the vendor has not offered a BAA, request one immediately in writing.

The 30-Year Retention Risk

OSHA 1910.95(m) requires audiometric records to be retained for the duration of employment plus 30 years after the employee’s departure. This creates an extraordinary long-term obligation that most employers have not modeled for risk:

[Figure: The 30-Year Audiometric Record Retention Timeline. Hire at age 22 (year 0, annual audiograms); separation at age 62 (year 40); 30-year mandatory retention, records preserved after departure; retention ends at year 70, age 92. Source: OSHA 29 CFR 1910.95(m) and 1910.1020: audiometric records, duration of employment + 30 years minimum]

This creates three critical risk areas:

  • Vendor failure/closure risk: If your HCP software vendor goes out of business in year 15, what happens to 15 years of audiometric records? Without contractual obligations for data portability and certified destruction, records may be lost, sold, or simply abandoned in an inaccessible format.
  • Format lock-in risk: Records stored in a proprietary format that requires the vendor’s software to read are inaccessible if the vendor is not available. OSHA 1910.1020 requires that records be accessible to employees and OSHA on request — inaccessible records do not satisfy this requirement.
  • Security across the full retention period: A record created today must be secure and accessible for 30+ years. Vendors who do not have long-term infrastructure commitments and security architecture cannot credibly make this guarantee.

What SOC 2 Certification Actually Means

SOC 2 (System and Organization Controls 2) is an auditing standard developed by the American Institute of Certified Public Accountants (AICPA) that evaluates a service organization’s controls relevant to security, availability, processing integrity, confidentiality, and privacy. For software vendors handling health data, SOC 2 Type II is the relevant certification:

| SOC 2 Trust Service Criteria | What It Evaluates | Relevance to Audiometric Records |
|---|---|---|
| Security | Protection against unauthorized access (logical and physical) | Access controls to prevent unauthorized viewing of audiometric records |
| Availability | System availability per SLA commitments | Records accessible for OSHA and employee requests without delay |
| Processing Integrity | Processing is complete, accurate, and authorized | Audiograms recorded accurately; STS calculations reliable |
| Confidentiality | Confidential information protected per commitments | Audiometric data not disclosed to unauthorized parties |
| Privacy | Personal information handled per privacy notice | PHI used only for stated purposes; no unauthorized secondary use |

SOC 2 Type I evaluates whether controls are properly designed at a point in time. SOC 2 Type II evaluates whether controls are operating effectively over a period of time (typically 6–12 months). Type II is the meaningful certification for ongoing data security assurance.

Ask the Right Question

When evaluating HCP software vendors, the relevant questions are: (1) Do you have SOC 2 Type II certification? (2) Is the SOC 2 report current (issued within the past 12 months)? (3) Can you provide the SOC 2 report for review? Vendors who cannot answer these questions affirmatively are not operating at the security standard appropriate for 30-year medical record custody.

How Most HCP Vendors Fall Short

The occupational hearing conservation industry has historically been a low-technology sector. Most legacy HCP vendors — CAOHC-certified audiometric testing companies, mobile testing van operators, and traditional occupational health clinics — were built before cloud security certifications existed as a concept. The result:

| Common Vendor Gap | Risk to Employer | HIPAA/Security Implication |
|---|---|---|
| No SOC 2 certification | No independent verification that security controls work as described | Vendor claims of security cannot be verified by audit |
| No BAA offered or executed | Employer is out of HIPAA compliance for every audiogram stored | Per-violation penalty exposure; no breach notification obligation on vendor |
| Records in proprietary format | Vendor lock-in; records inaccessible if vendor closes or is acquired | 30-year retention obligation may not be satisfiable |
| Paper-based records scanning | Physical storage creates physical breach risk; no audit trail for access | HIPAA requires audit logs for ePHI access; paper cannot produce these |
| Shared database environments | Employer records co-mingled with other employers without logical separation | Confidentiality controls may be insufficient for PHI |
| No encryption at rest | Database breach exposes all audiometric records in readable form | Required under 45 CFR 164.312(a)(2)(iv) |

The Vendor Acquisition Risk

Many HCP software companies are acquired by larger occupational health conglomerates. When acquisition occurs, your BAA may no longer be valid (the acquiring entity is a new legal entity), your data may be migrated to a different platform with different security characteristics, and your contractual protections may not transfer. Employers should review BAA and data ownership terms whenever an HCP vendor is acquired.

Breach Exposure: What Happens When Records Are Compromised

A breach of unsecured PHI triggers HIPAA notification requirements under 45 CFR Part 164, Subpart D. When audiometric records are compromised through your HCP vendor:

  1. Vendor must notify you within 60 days of discovering the breach (if you have a BAA). If there is no BAA, there is no notification obligation and you may never know a breach occurred.
  2. You must notify affected individuals within 60 days of discovery.
  3. You must notify HHS annually (for breaches affecting fewer than 500 individuals) or within 60 days (for breaches affecting 500+ individuals).
  4. For breaches affecting 500+ individuals in a state, you must notify prominent media outlets in that state.

HIPAA civil penalties for a breach caused by a vendor without a BAA fall into the “did not know” category at minimum — $100 to $50,000 per violation, with annual maximums. Criminal penalties under HIPAA can reach $250,000 and 10 years imprisonment for intentional misuse. HHS OCR has actively enforced against employers who failed to execute BAAs before sharing PHI with vendors.

Vendor Lock-In: The Hidden Operational Risk

Beyond security and HIPAA, audiometric record storage creates a practical operational risk that employers rarely model before signing multi-year HCP contracts: what happens when you want to change vendors?

  • Proprietary file formats: Many HCP platforms store audiograms in proprietary file formats that cannot be imported by other systems. Switching vendors may mean losing the longitudinal audiometric record — which is both an OSHA compliance failure and a workers' compensation (WC) defense failure.
  • Baseline audiogram continuity: OSHA 1910.95(g) requires annual audiograms to be compared to the established baseline. If the baseline is stored in a format that a new vendor cannot access, the baseline continuity is broken, and the new vendor must establish a new baseline — creating a gap in the longitudinal record.
  • Data export provisions: Contracts that do not specify the format and completeness of data exports upon termination can leave employers holding records that are technically accessible but practically unusable for OSHA compliance or WC defense.

Non-Negotiable Contract Terms

Any HCP software agreement should include: (1) data export in a standard, non-proprietary format (CSV, HL7 FHIR, or equivalent) upon request or termination, (2) certified destruction or return of PHI upon termination (per HIPAA BAA requirements), (3) format compatibility documentation, and (4) no data deletion within 30 days of termination notice.

How Soundtrace Addresses These Requirements

Soundtrace was built from the ground up as a cloud-native, security-first platform for audiometric records management. Key differentiators:

  • SOC 2 certified: Soundtrace maintains SOC 2 Type II certification with annual third-party audits of security controls across all five Trust Service Criteria.
  • HIPAA compliant: All audiometric records are stored as ePHI with full Security Rule safeguards, including encryption at rest (AES-256) and in transit (TLS 1.2+), access controls, and audit logging.
  • BAA available: Soundtrace provides a Business Associate Agreement to all clients before any health data is stored on the platform.
  • 30-year retention architecture: Soundtrace’s infrastructure is designed for long-term record custody — records are stored in standard formats with documented export paths.
  • Audit trail: Every access, modification, and export of audiometric records is logged with timestamp, user identity, and action type — satisfying both HIPAA audit control requirements and OSHA inspection evidentiary standards.
  • Worker-specific noise data: Soundtrace links frequency-specific ambient noise validation data to each confirmed threshold response event, providing a stronger evidentiary record than fixed-room or paper-based approaches.

Frequently Asked Questions

Are audiometric records considered PHI under HIPAA?

Yes, when they are created, received, maintained, or transmitted by a covered entity or Business Associate (including an HCP software vendor). Audiometric records are individually identifiable health information, satisfying the PHI definition under 45 CFR 160.103. When stored by a cloud-based HCP platform, they are ePHI subject to the full HIPAA Security Rule requirements.

What is a Business Associate Agreement and why does every employer need one?

A Business Associate Agreement (BAA) is a HIPAA-required contract between a covered entity and any vendor that creates, receives, maintains, or transmits PHI on the covered entity’s behalf. An employer operating without a BAA is out of HIPAA compliance for every audiometric record stored by their vendor. If a breach occurs without a BAA in place, the employer bears full notification and penalty exposure with no contractual recourse against the vendor.

What does SOC 2 Type II certification mean for an HCP vendor?

SOC 2 Type II means an independent audit firm has tested the vendor’s security controls (access management, encryption, availability, incident response, etc.) over a sustained period — typically 6–12 months — and confirmed they operate effectively. Type II is meaningfully different from Type I (which only evaluates design, not operation). SOC 2 Type II provides the highest level of independent assurance that a vendor’s security controls actually work.

How long must audiometric records be retained?

OSHA 1910.95(m) requires audiometric records to be retained for the duration of employment plus 30 years after the employee leaves. This means records for a worker who starts at 22 and retires at 62 must be kept until they are 92 — a potential 70-year retention period. This is the most demanding retention requirement in OSHA’s general industry standards.

What happens if an audiometric records breach occurs without a BAA?

Without a BAA, the vendor has no contractual obligation to notify you of a breach. You may not discover the breach at all. If discovered, HIPAA penalties apply to the employer as the covered entity, with no contractual path to recover costs from the vendor. Civil penalties range from $100 to $50,000 per violation category per year, with OCR actively pursuing enforcement actions against employers who failed to execute BAAs.

Audiometric Records Security Done Right

Soundtrace is SOC 2 certified, HIPAA compliant, and provides a Business Associate Agreement to every client. 30-year record retention, AES-256 encryption at rest, full audit logging — built for the long haul.
