Our Commitment to HIPAA

As a platform that handles Protected Health Information (PHI) including audiometric test results, patient demographics, and physician correspondence, AudiVault takes HIPAA compliance seriously. It's not an afterthought — it's foundational to how we build and operate the platform.

AudiVault operates as a Business Associate under HIPAA when processing PHI on behalf of Covered Entities. We execute Business Associate Agreements (BAAs) with all customers and maintain a comprehensive compliance program that meets or exceeds HIPAA requirements.

BAA Available

We provide Business Associate Agreements to all customers at no additional cost

SOC 2 Type II

Our infrastructure and processes are independently audited annually

End-to-End Encryption

AES-256 at rest and TLS 1.2+ in transit for all PHI

HIPAA Safeguards

AudiVault implements all three categories of safeguards required by the HIPAA Security Rule

Administrative Safeguards

  • Designated HIPAA Privacy and Security Officers
  • Comprehensive workforce training program with annual refreshers
  • Documented policies and procedures for all PHI handling
  • Regular risk assessments and gap analysis
  • Incident response plan with defined escalation procedures
  • Business Associate Agreement management program

Physical Safeguards

  • SOC 2 Type II certified cloud infrastructure (AWS)
  • Data center physical access controls and monitoring
  • Geographic redundancy across multiple availability zones
  • Secure disposal of hardware and media
  • Environmental controls (fire suppression, climate control, power backup)

Technical Safeguards

  • AES-256 encryption at rest for all PHI
  • TLS 1.2+ encryption in transit
  • Multi-factor authentication (MFA) support
  • Role-based access controls with least-privilege enforcement
  • Comprehensive audit logging of all PHI access
  • Automatic session timeout and account lockout policies
  • Regular vulnerability scanning and penetration testing

PHI We Process

Types of Protected Health Information handled within the AudiVault platform

Patient Demographics

  • Names and employee identifiers
  • Dates of birth
  • Company and department assignments
  • Job titles and noise exposure history

Clinical Data

  • Audiometric test results (hearing thresholds)
  • Baseline and annual audiogram records
  • Standard Threshold Shift calculations
  • OSHA recordability determinations

Compliance Records

  • OSHA letters and notifications
  • Physician review and sign-off records
  • Worker Risk Factor forms
  • Audit trails and access logs

Breach Notification

In the unlikely event of a security breach involving PHI, AudiVault follows the HIPAA Breach Notification Rule (45 CFR 164.400-414):

1. Immediate Response: Our incident response team investigates and contains the breach within hours of detection.

2. Risk Assessment: We perform a thorough risk assessment to determine the nature and scope of the breach.

3. Notification: Affected customers are notified without unreasonable delay, and no later than 60 days after discovery.

4. Remediation: Root cause analysis and implementation of measures to prevent recurrence.

HIPAA FAQ

Common questions about our compliance program

Can I get a BAA before signing up?

Yes. We provide our standard BAA during the onboarding process. If you need to review it before committing, contact our sales team and we'll share it with you.

Where is my data stored?

All data is stored in AWS data centers located in the United States, across multiple availability zones for redundancy. We do not store or process data outside the US.

Who at AudiVault can access my PHI?

Access to customer PHI is limited to authorized support personnel on a need-to-know basis, and all access is logged. Our engineering team uses de-identified data for development and testing.

How do you handle HIPAA training?

All AudiVault employees complete HIPAA training upon hire and annually thereafter. Role-specific training is provided for employees who may have access to PHI.

Can I get a copy of your SOC 2 report?

Yes. We share our SOC 2 Type II report under NDA with current and prospective customers. Contact our sales team to request a copy.

Ready to go HIPAA-compliant?

Schedule a demo to see how AudiVault protects your patients' data while simplifying your workflow.