Audiometric test records are medical records. They contain individually identifiable health information protected under HIPAA — and they must be retained for employment duration plus 30 years under OSHA 29 CFR 1910.95. Most audiometric testing vendors in the occupational health market were not built with these requirements in mind. The result: employers are routinely storing worker health records in systems that are neither HIPAA compliant nor capable of 30-year retention. According to CDC/NIOSH, approximately 22 million U.S. workers are exposed to hazardous noise annually — and the audiometric records generated for each of those workers represent a HIPAA and OSHA records obligation that most employers have not audited.
Why Audiometric Records Are HIPAA-Covered PHI
Protected health information (PHI) under HIPAA includes individually identifiable health information that relates to an individual’s physical condition. An audiometric test record that contains a named worker’s hearing thresholds, STS determinations, and medical referral history is PHI. When an employer contracts with a vendor to conduct, store, or transmit that data, the vendor is a business associate and must sign a Business Associate Agreement (BAA).
A compliance failure that is routine in the occupational audiometry market: employers contract with testing services that store records in local databases, on technician laptops, in consumer cloud storage, or in legacy systems with no formal security controls, and never execute a BAA. The employer is then exposed to HIPAA liability for the vendor’s data handling practices.
Most employers who use third-party audiometric testing vendors have never reviewed whether those vendors can execute a BAA or whether the vendor’s data storage meets HIPAA technical safeguards. A vendor that stores records on technician laptops, in consumer Dropbox or Google Drive accounts, or in legacy local databases is not HIPAA compliant regardless of whether a BAA has been signed. The BAA must be paired with actual security controls.
The 30-Year Retention Challenge
OSHA 29 CFR 1910.95(m) requires audiometric records to be retained for employment duration plus 30 years. For a worker hired at age 22 who works until 62 and lives to 85, the audiometric records from their first year of employment must be accessible for over 60 years from when they were created. This retention horizon exceeds the life of most software platforms, HR systems, and vendor business relationships.
The practical failure modes:
- Paper audiogram files that are destroyed in building moves, floods, or when records management oversight fails
- Legacy audiometric software whose vendor has gone out of business or discontinued the product
- Records stored on retired hardware that was disposed of without data extraction
- Vendor transitions where prior vendor records were not migrated to the new system
SOC 2 Type II certification means an independent auditor has tested a vendor’s security controls over a period of time (typically 6–12 months) and confirmed they meet the Trust Services Criteria for security, availability, processing integrity, confidentiality, and privacy. For audiometric records storage, SOC 2 Type II certification provides independent verification that the vendor’s data handling practices meet established security standards — unlike self-certifications or HIPAA attestations without independent audit. Soundtrace is SOC 2 Type II certified and HIPAA compliant.
What Employers Should Require From Vendors
- Signed BAA that covers the specific data handling activities the vendor performs
- SOC 2 Type II certification from an independent auditor covering security and availability controls
- Encryption at rest and in transit for all audiometric record data
- Role-based access controls limiting data access to authorized personnel
- Audit logging of all record access and modification events
- Data export capability that allows the employer to obtain all records in a portable format if the vendor relationship ends
- 30-year retention architecture — not just a policy statement, but a confirmed technical capability
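Two of the failure modes above, records lost in a vendor transition and retention periods that outlive the platform, are checkable rather than just policy items. The following Python script is an added example, not Soundtrace's code or any vendor's export format: it assumes a constructed export bundle of audiometric records (invented worker ids, dates and thresholds) shipped with a SHA-256 manifest, and shows how the receiving employer can confirm that every record arrived intact and compute the earliest date each record may be destroyed under 29 CFR 1910.95(m). The manifest holds only digests, so it can be exchanged without carrying PHI.

```python
import hashlib
import json
from datetime import date

# OSHA 29 CFR 1910.95(m): audiometric records are kept for the duration of
# employment plus 30 years, so the clock starts at termination, not at the test.
RETENTION_YEARS = 30


def retention_until(termination_iso):
    """Earliest date a record may lawfully be destroyed, or None while still employed."""
    if termination_iso is None:
        return None
    end = date.fromisoformat(termination_iso)
    try:
        return end.replace(year=end.year + RETENTION_YEARS)
    except ValueError:
        # 29 February with no leap-day counterpart 30 years out: fall back to 28 February
        return end.replace(year=end.year + RETENTION_YEARS, day=28)


def record_digest(record):
    """SHA-256 over canonical JSON, so the same record always hashes the same way."""
    canonical = json.dumps(record, sort_keys=True, separators=(",", ":")).encode("utf-8")
    return hashlib.sha256(canonical).hexdigest()


def build_manifest(records):
    """Manifest the outgoing vendor ships with the export: record_id -> digest (no PHI)."""
    return {r["record_id"]: record_digest(r) for r in records}


def verify_migration(migrated_records, manifest, as_of):
    """Compare what the new system holds against the export manifest.

    Returns (missing, altered, retention_expired): record ids absent after
    migration, ids whose content no longer matches the manifest, and ids whose
    retention period had already ended on `as_of` (everything else must be kept).
    """
    present = {r["record_id"]: r for r in migrated_records}
    missing = sorted(set(manifest) - set(present))
    altered = sorted(rid for rid, r in present.items()
                     if rid in manifest and record_digest(r) != manifest[rid])
    expired = []
    for rid, r in present.items():
        until = retention_until(r["termination_date"])
        if until is not None and until <= as_of:
            expired.append(rid)
    return missing, altered, sorted(expired)


# Constructed sample export (hypothetical format); worker ids, dates and thresholds are invented.
ORIGINAL_EXPORT = [
    {"record_id": "R1", "worker_id": "W-001", "hire_date": "1988-03-01",
     "termination_date": "1990-06-30", "test_date": "1988-03-15",
     "thresholds_db": {"500": 10, "1000": 10, "2000": 15, "3000": 20, "4000": 25, "6000": 30}},
    {"record_id": "R2", "worker_id": "W-002", "hire_date": "2010-01-10",
     "termination_date": None, "test_date": "2010-01-20",
     "thresholds_db": {"500": 5, "1000": 5, "2000": 5, "3000": 10, "4000": 10, "6000": 15}},
    {"record_id": "R3", "worker_id": "W-003", "hire_date": "2000-05-01",
     "termination_date": "2012-02-29", "test_date": "2000-05-10",
     "thresholds_db": {"500": 10, "1000": 15, "2000": 20, "3000": 30, "4000": 35, "6000": 35}},
]


def run_example():
    """Simulate a vendor transition in which one record is dropped and one is altered."""
    manifest = build_manifest(ORIGINAL_EXPORT)
    # Deep-copy via JSON so the constructed original stays untouched.
    migrated = [json.loads(json.dumps(r)) for r in ORIGINAL_EXPORT if r["record_id"] != "R2"]
    migrated[1]["thresholds_db"]["4000"] = 20  # R3 silently changed during import
    return verify_migration(migrated, manifest, as_of=date(2025, 1, 1))


if __name__ == "__main__":
    missing, altered, expired = run_example()
    print("missing after migration:", missing)
    print("content altered:", altered)
    print("retention already expired:", expired)
```

Run the check at the point of hand-over, before the outgoing vendor's access is terminated: a non-empty `missing` or `altered` list is the moment to reconcile with the prior vendor, since the records cannot be recovered once that relationship ends. Note that R2 (still employed) has no destruction date at all, and R3's leap-day termination rolls to 28 February 2042, which is why the retention calculation belongs in code rather than in a spreadsheet formula.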
SOC 2 Certified. HIPAA Compliant. Built for 30-Year Retention.
Soundtrace is the only automated audiometric testing platform that is SOC 2 Type II certified and HIPAA compliant — with the security architecture and BAA execution capability that OSHA records requirements demand.