
HIPAA Compliance for Audiometric Data: What You Need to Know

Audiometric test results are protected health information under HIPAA. Learn your obligations for storing, transmitting, and sharing hearing test records.

Sarah Williams CTO & Co-Founder, AudiVault

If you're an occupational health clinic, hospital-based program, or physician's office conducting hearing tests, there's a good chance you're a HIPAA Covered Entity — and the audiometric data you collect is Protected Health Information (PHI). Yet in our experience, HIPAA compliance in hearing conservation programs often gets less attention than it deserves.

Here's what you need to know about HIPAA obligations when handling audiometric records.

Are Audiometric Records PHI?

Yes. Under HIPAA, Protected Health Information includes any individually identifiable health information created or received by a covered entity. Audiometric test results — hearing thresholds associated with a patient name, date of birth, employee ID, or other identifier — clearly qualify.

This includes:

  • Baseline and annual audiograms
  • STS determination results
  • OSHA notification letters (which contain patient-identifying information and clinical findings)
  • Physician review notes and sign-off records
  • Worker Risk Factor (WRF) questionnaire responses
  • Audio recordings from automated audiometry (if applicable)

Who Is a Covered Entity?

HIPAA applies to Covered Entities, which include:

  • Healthcare providers who transmit health information electronically (clinics, hospitals, physician practices)
  • Health plans
  • Healthcare clearinghouses

If your organization conducts hearing tests and bills for the service (or transmits claims electronically), you're almost certainly a Covered Entity. Even if you don't bill — for example, if you're an employer running an in-house hearing conservation program — you may still be subject to HIPAA if you engage healthcare providers who are Covered Entities.

The Privacy Rule: Who Can See the Data?

The HIPAA Privacy Rule governs how PHI can be used and disclosed. Key points for hearing conservation:

Minimum necessary standard

Only share the minimum amount of PHI needed for the purpose. When sending compliance reports to an employer, include only the information the employer needs (e.g., pass/fail, STS flag, work restrictions) — not the full clinical audiogram unless specifically required.

Employer vs. provider roles

This is where it gets nuanced. When an employer contracts with a healthcare provider to conduct audiometric testing:

  • The provider is the Covered Entity and must protect the PHI
  • The employer receives only the information needed for OSHA compliance (which OSHA itself authorizes)
  • The employer should not receive a copy of every employee's full clinical audiogram without a proper authorization or applicable exception

OSHA-required disclosures

HIPAA includes an exception for disclosures required by law. OSHA's hearing conservation standard requires that employers maintain audiometric records and notify employees of STS — these disclosures are permitted under HIPAA without patient authorization.

The Security Rule: Protecting the Data

The HIPAA Security Rule requires administrative, physical, and technical safeguards for electronic PHI (ePHI). For audiometric data, this means:

Administrative safeguards

  • Designate a security officer responsible for HIPAA compliance
  • Conduct regular risk assessments of your audiometric data systems
  • Train all staff who handle audiometric records on HIPAA requirements
  • Implement policies for granting, modifying, and revoking access to records

Physical safeguards

  • Secure physical access to workstations and devices that contain audiometric data
  • Implement proper disposal procedures for devices and media
  • If using paper audiogram forms, secure storage with access controls

Technical safeguards

  • Encryption: Audiometric data should be encrypted at rest and in transit
  • Access controls: Unique user IDs, role-based permissions, automatic session timeouts
  • Audit logging: Track who accesses audiometric records, when, and what they did
  • Integrity controls: Mechanisms to ensure data hasn't been altered or destroyed improperly

If your audiometric data is stored in an unencrypted database on a desktop PC with a shared login and no audit trail — which is unfortunately common with legacy software — you have significant HIPAA gaps to address.
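The following is an added illustration, not AudiVault code or anything the post itself ships, of what the technical safeguards above and the minimum-necessary standard look like in working code: per-user identities (no shared login), role-based field filtering so an employer contact or scheduler never sees raw thresholds, an append-only audit log of every read and write, and an HMAC-SHA256 integrity tag that detects a record altered at rest. The role names, field sets, key, and the sample audiogram are all constructed for the example; encryption at rest and in transit is assumed to be handled by the platform (full-disk encryption, TLS, a KMS-managed key) and is not shown.

```python
import hashlib
import hmac
import json
from datetime import datetime, timezone

# Integrity key for the HMAC tag. Constructed for this example; in a real
# deployment it comes from a KMS or secret store, never from source code.
INTEGRITY_KEY = b"constructed-demo-key-do-not-reuse"

# Which record fields each role may read. "*" means every field.
# Role names and field sets are assumptions made for this example; the
# employer_contact set mirrors the minimum-necessary idea (STS flag and
# restrictions, not the clinical audiogram).
ROLE_FIELDS = {
    "audiologist": {"*"},
    "reviewing_physician": {"*"},
    "scheduler": {"patient_id", "test_date"},
    "employer_contact": {"employee_id", "test_date", "sts_flag", "work_restrictions"},
}

# Constructed sample audiogram (not real patient data).
SAMPLE_RECORD = {
    "patient_id": "P-1001",
    "employee_id": "E-4477",
    "test_date": "2024-03-12",
    "thresholds_db": {
        "right": {"2000": 10, "3000": 25, "4000": 35},
        "left": {"2000": 5, "3000": 20, "4000": 30},
    },
    "sts_flag": True,
    "work_restrictions": "none",
}


def canonical(record):
    """Deterministic JSON so the integrity tag is stable across reloads."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def seal(record):
    """HMAC-SHA256 tag over the canonical record; detects silent alteration."""
    return hmac.new(INTEGRITY_KEY, canonical(record), hashlib.sha256).hexdigest()


def verify(record, tag):
    """Constant-time comparison of the stored tag against a fresh one."""
    return hmac.compare_digest(seal(record), tag)


class AudiogramStore:
    """In-memory store with role-based reads, audit logging and integrity tags."""

    def __init__(self):
        self._records = {}   # record_id -> (record, integrity tag)
        self.audit_log = []  # append-only; one event per access attempt

    def _audit(self, user, action, record_id, outcome, fields=()):
        self.audit_log.append({
            "ts": datetime.now(timezone.utc).isoformat(),
            "user": user,          # unique user ID, never a shared login
            "action": action,
            "record_id": record_id,
            "outcome": outcome,
            "fields": sorted(fields),
        })

    def write(self, user, role, record_id, record):
        # Only clinical roles may create or replace an audiogram.
        if ROLE_FIELDS.get(role) != {"*"}:
            self._audit(user, "write", record_id, "denied")
            raise PermissionError(f"role {role!r} may not write audiograms")
        copy = dict(record)
        self._records[record_id] = (copy, seal(copy))
        self._audit(user, "write", record_id, "ok", copy.keys())

    def read(self, user, role, record_id):
        allowed = ROLE_FIELDS.get(role)
        if allowed is None:
            self._audit(user, "read", record_id, "denied")
            raise PermissionError(f"unknown role {role!r}")
        record, tag = self._records[record_id]
        if not verify(record, tag):
            # Integrity control: refuse to serve a record whose tag no longer matches.
            self._audit(user, "read", record_id, "integrity_failure")
            raise ValueError(f"integrity check failed for record {record_id}")
        # Minimum necessary: return only the fields this role is permitted to see.
        view = dict(record) if "*" in allowed else {k: v for k, v in record.items() if k in allowed}
        self._audit(user, "read", record_id, "ok", view.keys())
        return view


if __name__ == "__main__":
    store = AudiogramStore()
    store.write("dr.lee", "audiologist", "R1", SAMPLE_RECORD)
    print("employer view:", store.read("hr.jones", "employer_contact", "R1"))
    print("scheduler view:", store.read("frontdesk.1", "scheduler", "R1"))
    for event in store.audit_log:
        print(event)
```

The employer view returned by `read` carries the STS flag and restrictions but no thresholds, which is the minimum-necessary outcome the post describes; the scheduler sees only identity and date. Every attempt, including denied ones and integrity failures, lands in `audit_log` under an individual user ID, which is what makes the trail usable when a shared login would have made it meaningless.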

Business Associate Agreements

If you use a third-party software platform or cloud service to store audiometric records, that vendor is a Business Associate under HIPAA. You must have a signed Business Associate Agreement (BAA) in place before sharing any PHI with the vendor.

The BAA should specify:

  • What PHI the vendor will handle and for what purpose
  • The vendor's obligations for safeguarding the data
  • Breach notification procedures
  • Data return or destruction upon contract termination

If your audiometry software vendor won't sign a BAA, that's a red flag. Either they're not HIPAA-compliant, or they don't understand their obligations. Either way, you should look elsewhere.

Common HIPAA Gaps in Hearing Conservation

These are the most common HIPAA issues we see in hearing conservation programs:

  1. Unencrypted data storage: Legacy desktop software storing audiograms in plain-text database files
  2. Shared logins: Multiple staff members using the same username and password, making audit trails meaningless
  3. Email transmission: Sending audiogram results via unencrypted email
  4. No BAA with software vendor: Using cloud or hosted software without a Business Associate Agreement
  5. Insufficient access controls: Everyone in the office can see every patient's records, regardless of their role
  6. No audit logging: No way to determine who accessed which records
  7. Inadequate backup: No backup strategy, or backups stored on unencrypted portable drives

Practical Steps to Improve Compliance

  • Conduct a risk assessment: Identify where audiometric PHI is created, stored, and transmitted. Evaluate the risks at each point
  • Choose compliant software: Use a platform that offers encryption, role-based access, audit logging, and will sign a BAA
  • Train your team: Ensure everyone who handles audiometric data understands HIPAA requirements — not just the clinical staff, but also administrative and IT personnel
  • Encrypt everything: Data at rest, data in transit, data on backups. Full-disk encryption on any device that touches PHI
  • Limit access: Implement least-privilege access. A front-desk scheduler doesn't need to see audiogram thresholds
  • Document your policies: Have written policies for PHI handling and ensure staff acknowledge them

Built for HIPAA from Day One

AudiVault was designed from the ground up to meet HIPAA requirements. We offer BAAs at no additional cost, encrypt all data with AES-256, provide role-based access controls with comprehensive audit logging, and maintain SOC 2 Type II certification. Learn more about our HIPAA compliance program.
