Education and Thought Leadership
June 19, 2024

FISMA, HIPAA, and Audiometric Records: Federal Government Records Security Guide


Federal Records Security · Updated 2025

Federal employee audiometric records are among the most sensitive categories of federal employee health data. They are Personally Identifiable Information (PII) subject to the Privacy Act of 1974, federal information subject to FISMA security requirements, and, where they are created or held by a HIPAA covered entity such as an agency occupational health clinic, Protected Health Information (PHI) under HIPAA. For federal safety managers and procurement officials selecting audiometric testing platforms, understanding exactly which security frameworks apply, and what each requires, is essential to making a compliant platform selection and to avoiding both OSHA recordkeeping violations and federal data security incidents.

Soundtrace operates as a federal-compliant audiometric testing platform with appropriate data security controls, Business Associate Agreement capability, and records management practices designed for federal agency requirements.

Three Overlapping Frameworks

Federal employee audiometric records sit at the intersection of three legal frameworks: HIPAA (PHI protection), Privacy Act of 1974 (federal PII), and FISMA (federal information system security). Compliance with one does not satisfy the others. All three apply simultaneously to federal audiometric health records.

  • 3: the overlapping federal legal frameworks that govern audiometric records: HIPAA, the Privacy Act, and FISMA
  • ATO: Authorization to Operate, the federal security authorization a system must hold before it handles these records
  • FedRAMP: the government-wide cloud authorization program whose security package an agency reuses to satisfy FISMA for a cloud-based platform

How Audiometric Records Are Classified

| Classification | Framework | What it means |
| --- | --- | --- |
| Protected Health Information (PHI) | HIPAA / agency implementing regulations | Medical or health information that identifies an individual; disclosure restricted; BAAs required for vendors |
| Personally Identifiable Information (PII) | Privacy Act of 1974 | Information identifying a specific individual; SORN required; individual access and amendment rights |
| Federal information | FISMA / NIST SP 800-53 | Any information collected or processed by a federal agency; security controls required based on impact level |
| Federal records | Federal Records Act / NARA | Records created in agency business; retention schedules apply; transfer to Federal Records Center at separation |

HIPAA: PHI Protection for Employee Health Records

HIPAA’s applicability to federal agencies is nuanced. An agency is a HIPAA covered entity only when it acts as a health plan, a health care clearinghouse, or a health care provider that transmits health information electronically, and the HIPAA definition of PHI (45 CFR 160.103) excludes employment records that a covered entity holds in its role as employer. Audiometric records created by an agency occupational health clinic that is a covered entity are PHI in their own right; records an agency holds purely as an employer are protected instead through the Privacy Act and agency-specific implementing regulations that apply HIPAA-equivalent safeguards.

  • DoD: DoD 6025.18-R (now carried forward as DoD Manual 6025.18) implements HIPAA privacy protections for the Military Health System. Audiometric records generated within the Military Health System are subject to this regulation.
  • VA: VA implements HIPAA through VA Handbook 1605.1 and related policies for employee health records.
  • Other civilian agencies: Most agencies treat employee health records as PHI equivalent and apply HIPAA-consistent protections.
  • Business Associate Agreements: When federal agencies contract with third-party vendors to process audiometric records, those vendors must execute BAAs committing to HIPAA-equivalent PHI protections.

Privacy Act of 1974: PII Framework

  • The agency must have a published System of Records Notice (SORN) covering employee health/audiometric records before collecting them in a system of records
  • Employees have the right to access their own records and request amendment of inaccurate entries
  • Disclosure to third parties is limited to authorized purposes listed in the SORN or required by law
  • Routine uses (disclosures for workers’ compensation purposes, OWCP, etc.) must be listed in the SORN
  • The Privacy Act’s criminal penalty provisions apply to willful disclosures that violate its terms

SORN Verification

Before deploying a new audiometric testing platform, verify that the agency’s existing SORN covers the new system’s data collection and processing activities. If the new system changes the scope of records collected, the categories of individuals covered, or the way the data is processed, the SORN may require amendment; the revised notice must be published in the Federal Register, and any new or modified routine use requires a 30-day public comment period before it takes effect.

FISMA: Federal Information System Security

| FISMA component | Requirement for audiometric platforms |
| --- | --- |
| System categorization (FIPS 199) | Audiometric health records are typically categorized at the MODERATE impact level (PHI plus PII) |
| Security controls (NIST SP 800-53) | MODERATE baseline controls: access control, audit logging, configuration management, incident response, identification and authentication, system and communications protection |
| Security assessment (NIST SP 800-53A) | Controls must be assessed before the ATO is granted, by agency assessors or an independent third-party assessor (for FedRAMP packages, an accredited 3PAO) |
| Authorization to Operate (ATO) | The authorizing official must formally accept residual risk and issue the ATO before the system is deployed with federal health data |
| Continuous monitoring (NIST SP 800-137) | Security posture must be monitored continuously after the ATO; vulnerabilities remediated within timeframes set by severity |

FedRAMP and Cloud-Based Platforms

  • FedRAMP Moderate is appropriate for cloud platforms handling federal employee health records (PHI/PII at moderate impact level)
  • Agencies using FedRAMP-authorized platforms can leverage the existing security package rather than conducting a full ATO assessment from scratch
  • Agencies must still complete an agency-specific authorization decision, accepting residual risk for their specific use case
  • FedRAMP authorization does not eliminate the need for agency-specific controls (configuration, access management, incident response procedures)

Business Associate Agreements (BAAs)

When federal agencies use third-party vendors to process audiometric records, those vendors must execute BAAs. BAAs must:

  • Specify the permitted uses and disclosures of PHI by the vendor
  • Require the vendor to implement appropriate safeguards to protect PHI
  • Require the vendor to report breaches and security incidents to the agency
  • Require the vendor to return or destroy PHI at contract termination
  • Flow the same terms down to any subcontractor that handles PHI on the vendor’s behalf (subcontractor BAA requirement)

Records Retention, Transfer, and Destruction

| Phase | Requirement | Authority |
| --- | --- | --- |
| Active employment | Records retained in an accessible system for the duration of employment; employee access within 15 working days of request | 29 CFR 1910.95(m); 29 CFR 1910.1020 |
| Employee separation | Records transferred to the Federal Records Center per the NARA disposition schedule; employee may request a copy | Federal Records Act; Privacy Act |
| Post-separation access | Records accessible to the former employee for workers’ compensation claims and to OWCP for FECA claims | FECA; Privacy Act routine uses |
| Records destruction | Per the NARA disposition schedule; records may not be destroyed before the scheduled disposition date even if the employee has separated | Federal Records Act; NARA General Records Schedule |

Frequently Asked Questions

Are federal employee audiometric records subject to FISMA?

Yes. Systems that collect, store, or process federal employee audiometric records must implement NIST SP 800-53 security controls and maintain an ATO — whether operated by the agency directly or by a third-party vendor.

Does HIPAA apply to federal employee audiometric records?

Yes, through agency-specific implementing regulations and Privacy Act-equivalent protections. Audiometric records generated by agency occupational health programs constitute PHI. Vendors processing these records must execute BAAs.

What is the difference between a BAA and a FISMA ATO?

A BAA is a HIPAA contractual mechanism ensuring vendor PHI protection. A FISMA ATO is a federal security authorization granted after NIST SP 800-53 controls assessment. Both may be required for a federal audiometric platform — they address different compliance frameworks.

Does FedRAMP authorization satisfy FISMA requirements?

FedRAMP Moderate authorization supplies the assessed NIST SP 800-53 control baseline that satisfies FISMA for cloud-based platforms handling federal health data at the moderate impact level. The agency must still issue its own authorization decision, accepting residual risk for its specific use case and covering the agency-side controls (configuration, access management, incident response procedures) that the cloud provider’s package does not.

What happens to records at employee separation?

Records must be transferred to the Federal Records Center per NARA disposition schedules — not simply deleted. They remain accessible to former employees for workers’ compensation purposes and to OWCP for FECA claims, and must be retained per the applicable NARA schedule regardless of separation date.

Federal-Compliant Audiometric Records Management

Soundtrace supports federal agencies with audiometric records management designed for Privacy Act, HIPAA, and FISMA compliance — including BAA execution, appropriate security controls, and records retention and transfer support.
