Effective date: 2026-06-25. Last reviewed: 2026-06-25. Owner: Goliath Dynamics, Inc. — Security Officer.
This document records DocPost’s workforce HIPAA training program. It implements the Security Rule’s Security Awareness and Training standard at 45 C.F.R. § 164.308(a)(5), the Privacy Rule’s workforce-training standard at 45 C.F.R. § 164.530(b), and the documentation-retention obligation at 45 C.F.R. §§ 164.316(b)(2)(i) and 164.530(j).
It supplements the Information Security Policy, the HIPAA Risk Analysis, the HIPAA Administrative Safeguards, the HIPAA Physical Safeguards, and the HIPAA Technical Safeguards. Those documents establish the program’s scope, posture, administrative procedures, and operational safeguards; this document states the training program that teaches the workforce to operate them and the retention rule for the training records.
It is published as a Tier-0 (public) artifact so that covered-entity customers and their auditors can verify the workforce-training side of DocPost’s HIPAA posture before signing a Business Associate Agreement (“BAA”).
The Security Rule specifications addressed by this document include: § 164.308(a)(5)(i) (Security Awareness and Training — Standard); § 164.308(a)(5)(ii)(A) (Security Reminders — Addressable); § 164.308(a)(5)(ii)(B) (Protection from Malicious Software — Addressable); § 164.308(a)(5)(ii)(C) (Log-in Monitoring — Addressable); § 164.308(a)(5)(ii)(D) (Password Management — Addressable); § 164.308(a)(3)(ii)(B) (Workforce Clearance Procedure — Addressable) for the ePHI-access pre-condition; § 164.530(b) (Privacy Rule workforce training); and § 164.316(b)(2)(i) / § 164.530(j) (six-year retention of the training records).
The Security Officer designated under §1 of the HIPAA Administrative Safeguards owns this document and the training program it describes. The Privacy Officer designated under the same section co-owns the Privacy Rule portion of the curriculum (§4(b) below). The Security Officer reviews this document at least annually under §9 and on each material change to the curriculum, the role catalog, the threat environment, or applicable law.
(a) Who is in scope. Every workforce member of Goliath Dynamics, Inc. — employees, contractors, and authorized representatives — is required to complete the training program described below. “Workforce” has the meaning given in 45 C.F.R. § 160.103 and is consistent with the Workforce Security definition used in §2.1 of the HIPAA Administrative Safeguards.
(b) Workforce members who handle ePHI. Workforce members whose role grants, or may grant, access to a system or data path that contains ePHI complete the additional HIPAA Security Rule and HIPAA Privacy Rule curriculum in §4(a) and §4(b) below before access is granted. This pre-condition implements § 164.308(a)(3)(ii)(B) (Workforce Clearance Procedure) and the §2.3(a) provisioning gate in the HIPAA Administrative Safeguards.
(c) Workforce members who do not handle ePHI. Workforce members whose role does not grant access to ePHI still complete the baseline training in §4(c) below on hire and at the annual refresh.
(d) Out of scope. Customers, signers, and other end users of the DocPost service are not subject to this program. Customer-side workforce members are governed by their own employer’s program; the operational guidance DocPost surfaces to them lives in the public-facing legal artifacts (the Privacy Policy, the Information Security Policy, the E-Sign Act & Data-Processing Disclosure).
The training program has three components.
(a) Trigger. A workforce member’s onboarding training is triggered on hire (for employees) or on contract execution (for contractors and authorized representatives).
(b) Completion gate for ePHI roles. For a workforce member whose role will grant access to ePHI, completion of the §4(a) HIPAA Security Rule curriculum and the §4(b) HIPAA Privacy Rule curriculum is a hard pre-condition for the §2.3 provisioning step in the HIPAA Administrative Safeguards. Provisioning does not proceed until the training record exists.
(c) Timing for non-ePHI roles. For a workforce member whose role does not grant access to ePHI, the §4(c) baseline curriculum is completed within fifteen business days of the start date.
(d) Acknowledgement. The workforce member’s acknowledgement under §2.3(e) of the HIPAA Administrative Safeguards is captured at the close of onboarding training and retained with the training record under §8 below.
(a) Cadence. Every workforce member completes a refresh of the training program at least once each calendar year, on a schedule the Security Officer publishes to the workforce. The refresh covers any material changes to the curriculum since the last cycle and re-asserts the existing curriculum.
(b) Late-completion handling. Where a workforce member does not complete the annual refresh within thirty days of the published deadline, the Security Officer suspends production access until the refresh is completed. The suspension is recorded as an access-management event under §2.4 of the HIPAA Administrative Safeguards.
(a) Trigger. Where a material change occurs — a change to the role catalog or to the production architecture that creates a new ePHI-access path; a change to applicable law that affects workforce obligations; an incident under §5 of the HIPAA Administrative Safeguards whose post-incident review identifies a training gap — the Security Officer issues targeted training to the affected workforce members.
(b) Cadence. Material-change training is completed within thirty days of issuance, or within a shorter window the Security Officer specifies for an incident-driven update.
(c) Recording. Each material-change training event is recorded with the same fields as onboarding and annual training (§8 below) so the training record reflects the actual curriculum each workforce member has completed.
The HIPAA Security Rule curriculum covers, at minimum:
The HIPAA Privacy Rule curriculum is co-owned with the Privacy Officer and covers, at minimum:
security@goliathdynamics.com under §5 of the HIPAA Administrative Safeguards; and
The baseline curriculum is completed by every workforce member, regardless of whether the role handles ePHI:
security@goliathdynamics.com.
In addition to the annual refresher in §3.2, the Security Officer publishes periodic security reminders to the workforce. Security reminders are short, topical updates issued on a documented cadence (at least quarterly) and on demand when the threat environment or the production architecture changes.
(a) Topics. Security reminders address phishing campaigns observed in the wild against companies in DocPost’s segment; threat-actor TTPs that the Security Officer judges relevant; recent updates to the workforce-device baseline; recent updates to the role catalog; and lessons learned from post-incident reviews under §5 of the HIPAA Administrative Safeguards.
(b) Channel. Security reminders are delivered through the workforce communication channel the Security Officer designates and are archived under version control so the published reminders are auditable.
(c) Recording. The publication of a security reminder is recorded against the training program (date, topic, audience). Security reminders do not require individual completion confirmation; the workforce is responsible for reading them when published.
(a) Format. Training is delivered as documented written material, supplemented by live walkthroughs and tabletop exercises where the Security Officer judges them necessary (for example, the disaster-recovery testing under §4.5 of the HIPAA Administrative Safeguards, where workforce participation is itself a form of training).
(b) Curriculum versioning. The current curriculum is maintained under version control. Each material change to the curriculum is versioned; the version a given workforce member completed is captured on the training record (§8 below).
(c) External providers. Where DocPost incorporates external training material (for example, a vendor’s phishing-awareness module), the external provider is evaluated under §5(d) of the Information Security Policy before use, and the training record names the external module so the source is auditable.
(a) Standard. Completion of a training module is verified by the workforce member’s acknowledgement that the workforce member has read the material and understands the workforce member’s obligations under it. For modules that include an assessment, the assessment must be passed at the threshold the Security Officer publishes.
(b) Failure handling. Where a workforce member does not pass an assessment, the workforce member retakes the assessment within a window the Security Officer specifies. Where the workforce member fails the retake, the Security Officer may, depending on the role and the failure, (i) provide one-to-one coaching and reassess, (ii) reassign the workforce member to a non-ePHI role pending completion, or (iii) escalate under §3 (Sanction policy) of the HIPAA Administrative Safeguards where the failure indicates a pattern.
(c) No back-dating. A training record is dated to the date the workforce member actually completed the training. The Security Officer does not back-date a training record under any circumstance; if a workforce member’s training is late, the record reflects the actual completion date.
This section is the retention rule for the workforce-training program and supports the documentation obligations at §§ 164.316(b)(2)(i), 164.316(b)(2)(iii), and 164.530(j).
For each workforce member, the training record captures, at minimum:
The training record is maintained under version control alongside the other §8 records identified in the HIPAA Administrative Safeguards: access-review records (§2.6), sanction determinations (§3.5), disaster-recovery test records (§4.5), incident records (§5.9), and the designation record (§1(e)). The store is the canonical evidence of completion for every workforce member and for every published curriculum version.
Each training record is retained for at least six years from the date of the training, in accordance with 45 C.F.R. §§ 164.316(b)(2)(i) and 164.530(j). Superseded curriculum versions, security-reminder publications under §5, and the materials a workforce member completed are likewise retained for at least six years from the date the version was last in effect so the actual material the workforce member completed remains auditable for the full retention window.
The training record is made available to the Security Officer on demand, to the workforce member whose record it is on demand, and to a covered-entity customer or its auditor on request through security@goliathdynamics.com (subject to redaction of personnel-confidential fields not relevant to the HIPAA inquiry).
When a workforce member separates from Goliath Dynamics under §2.5 of the HIPAA Administrative Safeguards, the workforce member’s training record is not deleted on off-boarding. The record is retained for the six-year window in §8.3 above. This is the documentation-retention rule HIPAA imposes; off-boarding revokes access to systems, not the historical evidence of training.
This document is reviewed by the Security Officer at least once every twelve months and on each material change to the controls, the role catalog, or the curriculum cited above. A material change includes any of:
The “Effective date” at the top records the date of the current version.
For HIPAA, ePHI, or BAA inquiries:
Goliath Dynamics, Inc.
Attn: Security Officer
7901 4th St N, STE 300
St. Petersburg, FL 33702
United States
Email: security@goliathdynamics.com
For privacy questions or rights requests, contact privacy@goliathdynamics.com and see the Privacy Policy.
History