Audiometric records occupy the intersection of two regulatory frameworks: OSHA 29 CFR 1910.95’s records requirements and HIPAA’s privacy protections for individually identifiable health information. Most employers operating hearing conservation programs do not have a clear understanding of how these frameworks interact — specifically, who can access audiometric records, what third-party vendors can do with them, and what a Business Associate Agreement must cover. According to CDC/NIOSH, approximately 22 million U.S. workers undergo occupational audiometric testing annually, generating health records that carry both OSHA retention obligations and HIPAA privacy requirements.
OSHA’s Access and Retention Requirements
OSHA 1910.95(m) and 1910.1020 establish two distinct sets of rights regarding audiometric records:
- Employee access: Workers have a right to access their own audiometric records within 15 days of request under 29 CFR 1910.1020.
- Employer retention: Employers must retain audiometric records for the duration of employment plus 30 years.
- OSHA access: OSHA compliance officers have the right to access audiometric records during inspections.
- Representative access: Authorized employee representatives may access audiometric records under certain conditions.
Under HIPAA, audiometric records may not be shared with parties who do not have a legal basis for access. Supervisors who want to see a worker’s threshold data, HR personnel managing performance issues, workers’ compensation insurers (without proper release), and other third parties generally do not have access rights to underlying audiometric data. The employer can take OSHA-required actions (HPD refitting, notification, etc.) without disclosing underlying audiometric data to supervisory or HR personnel who don’t need it.
The Business Associate Agreement Requirement
When employers contract with audiometric testing vendors that handle, store, or transmit audiometric records, those vendors are business associates under HIPAA. The employer must have an executed Business Associate Agreement (BAA) with the vendor covering the specific data handling activities. Key BAA elements for audiometric testing vendors:
- Scope of permitted data uses (audiometric testing, OSHA compliance reporting, research if applicable)
- Prohibition on unauthorized secondary uses or disclosures
- Security safeguards and breach notification requirements
- Return or destruction of data upon contract termination
- Compliance with applicable HIPAA requirements throughout the relationship
Soundtrace, as a SOC 2 Type II certified and HIPAA-compliant audiometric testing platform, executes Business Associate Agreements with all employer clients. This is a prerequisite of our service relationship, not an optional add-on. Employers who currently use audiometric testing vendors without an executed BAA should request one immediately and evaluate whether the vendor’s security practices actually support HIPAA compliance.
HIPAA Compliant + OSHA Required: Both Handled
Soundtrace executes BAAs with all clients, stores audiometric records in a SOC 2 certified platform, and maintains the 30-year OSHA retention architecture — satisfying both regulatory frameworks from a single program.