Effective date: 2026-06-25. Last reviewed: 2026-06-25. Owner: Goliath Dynamics, Inc. — Security Officer.

This document records DocPost’s workforce HIPAA training program. It implements the Security Rule’s Security Awareness and Training standard at 45 C.F.R. § 164.308(a)(5), the Privacy Rule’s workforce-training standard at 45 C.F.R. § 164.530(b), and the documentation-retention obligation at 45 C.F.R. §§ 164.316(b)(2)(i) and 164.530(j).

It supplements the Information Security Policy, the HIPAA Risk Analysis, the HIPAA Administrative Safeguards, the HIPAA Physical Safeguards, and the HIPAA Technical Safeguards. Those documents establish the program’s scope, posture, administrative procedures, and operational safeguards; this document states the training program that teaches the workforce to operate them and the retention rule for the training records.

It is published as a Tier-0 (public) artifact so that covered-entity customers and their auditors can verify the workforce-training side of DocPost’s HIPAA posture before signing a Business Associate Agreement (“BAA”).

The Security Rule specifications addressed by this document include: § 164.308(a)(5)(i) (Security Awareness and Training — Standard); § 164.308(a)(5)(ii)(A) (Security Reminders — Addressable); § 164.308(a)(5)(ii)(B) (Protection from Malicious Software — Addressable); § 164.308(a)(5)(ii)© (Log-in Monitoring — Addressable); § 164.308(a)(5)(ii)(D) (Password Management — Addressable); § 164.308(a)(3)(ii)(B) (Workforce Clearance Procedure — Addressable) for the ePHI-access pre-condition; § 164.530(b) (Privacy Rule workforce training); and § 164.316(b)(2)(i) / § 164.530(j) (six-year retention of the training records).

1. Owner

The Security Officer designated under §1 of the HIPAA Administrative Safeguards owns this document and the training program it describes. The Privacy Officer designated under the same section co-owns the Privacy Rule portion of the curriculum (§4(b) below). The Security Officer reviews this document at least annually under §9 and on each material change to the curriculum, the role catalog, the threat environment, or applicable law.

2. Audience and scope

(a) Who is in scope. Every workforce member of Goliath Dynamics, Inc. — employees, contractors, and authorized representatives — is required to complete the training program described below. “Workforce” has the meaning given in 45 C.F.R. § 160.103 and is consistent with the Workforce Security definition used in §2.1 of the HIPAA Administrative Safeguards.

(b) Workforce members who handle ePHI. Workforce members whose role grants, or may grant, access to a system or data path that contains ePHI complete the additional HIPAA Security Rule and HIPAA Privacy Rule curriculum in §4(a) and §4(b) below before access is granted. This pre-condition implements § 164.308(a)(3)(ii)(B) (Workforce Clearance Procedure) and the §2.3(a) provisioning gate in the HIPAA Administrative Safeguards.

© Workforce members who do not handle ePHI. Workforce members whose role does not grant access to ePHI still complete the baseline training in §4© below on hire and at the annual refresh.

(d) Out of scope. Customers, signers, and other end users of the DocPost service are not subject to this program. Customer-side workforce members are governed by their own employer’s program; the operational guidance DocPost surfaces to them lives in the public-facing legal artifacts (the Privacy Policy, the Information Security Policy, the E-Sign Act & Data-Processing Disclosure).

3. Program structure

The training program has three components.

3.1 Onboarding training (before ePHI access)

(a) Trigger. A workforce member’s onboarding training is triggered on hire (for employees) or on contract execution (for contractors and authorized representatives).

(b) Completion gate for ePHI roles. For a workforce member whose role will grant access to ePHI, completion of the §4(a) HIPAA Security Rule curriculum and the §4(b) HIPAA Privacy Rule curriculum is a hard pre-condition for the §2.3 provisioning step in the HIPAA Administrative Safeguards. Provisioning does not proceed until the training record exists.

© Timing for non-ePHI roles. For a workforce member whose role does not grant access to ePHI, the §4© baseline curriculum is completed within fifteen business days of the start date.

(d) Acknowledgement. The workforce member’s acknowledgement under §2.3(e) of the HIPAA Administrative Safeguards is captured at the close of onboarding training and retained with the training record under §8 below.

3.2 Annual refresher

(a) Cadence. Every workforce member completes a refresh of the training program at least once each calendar year, on a schedule the Security Officer publishes to the workforce. The refresh covers any material changes to the curriculum since the last cycle and re-asserts the existing curriculum.

(b) Late-completion handling. Where a workforce member does not complete the annual refresh within thirty days of the published deadline, the Security Officer suspends production access until the refresh is completed. The suspension is recorded as an access-management event under §2.4 of the HIPAA Administrative Safeguards.

3.3 Material-change training

(a) Trigger. Where a material change occurs — a change to the role catalog or to the production architecture that creates a new ePHI-access path; a change to applicable law that affects workforce obligations; an incident under §5 of the HIPAA Administrative Safeguards whose post-incident review identifies a training gap — the Security Officer issues targeted training to the affected workforce members.

(b) Cadence. Material-change training is completed within thirty days of issuance, or within a shorter window the Security Officer specifies for an incident-driven update.

© Recording. Each material-change training event is recorded with the same fields as onboarding and annual training (§8 below) so the training record reflects the actual curriculum each workforce member has completed.

4. Curriculum

4.1 HIPAA Security Rule curriculum (workforce members who handle ePHI)

The HIPAA Security Rule curriculum covers, at minimum:

• the Security Rule’s three categories of safeguard (administrative, physical, technical) and the implementation specifications most directly applicable to the workforce member’s role;
• DocPost’s HIPAA Risk Analysis and the risks it identifies (R1–R20 in §3 of that document), with emphasis on R1 (unauthorized access via stolen workforce credentials), R5 (workforce mistake), R8 (workforce-device compromise), R11 (phishing / social engineering), R14 (sub-processor incident), and R18 (audit-chain tampering);
• the role-based, least-privilege baseline in §2.2 of the HIPAA Administrative Safeguards and the workforce member’s specific role in that catalog;
• the workforce-device baseline in §5 and §6 of the HIPAA Physical Safeguards: full-disk encryption, the documented inactivity-lock threshold, MFA-gated production access, the lost / stolen device procedure, and the surroundings rule;
• the no-local-persistence rule in §5(e) of the HIPAA Physical Safeguards: workforce members do not download production customer content to local workstation storage;
• the technical safeguards in the HIPAA Technical Safeguards — the audit pipeline (§3), the integrity controls (§4), the authentication posture (§5), the transmission-security posture (§6), and the encryption-at-rest posture (§7) — at the level needed for the role to operate the controls correctly;
• the contingency / disaster-recovery posture in §4 of the HIPAA Administrative Safeguards, including the workforce member’s role in declaration, restoration, and emergency-mode operation; and
• the no-AI-training rule on customer content / ePHI: customer document content does not flow into any LLM training-eligible channel (§6(i) and §10 of the Information Security Policy; §10 of the Privacy Policy).

4.2 HIPAA Privacy Rule curriculum (workforce members who handle ePHI)

The HIPAA Privacy Rule curriculum is co-owned with the Privacy Officer and covers, at minimum:

• the role of the BAA in defining DocPost’s permitted uses and disclosures of ePHI on behalf of a covered-entity customer, and the prohibition on uses or disclosures the BAA does not permit;
• the minimum-necessary principle (45 C.F.R. § 164.502(b)) as it applies to DocPost’s processor role;
• handling of an individual’s exercise of HIPAA rights routed through the controller (the covered-entity customer): the workforce member’s role is to support the covered entity, not to determine the request on its own;
• recognition and reporting of a potential breach to the Security Officer at security@goliathdynamics.com under §5 of the HIPAA Administrative Safeguards; and
• the prohibition on retaliation under §3.4 of the HIPAA Administrative Safeguards against a workforce member who reports a violation in good faith.

4.3 Baseline security curriculum (all workforce members)

The baseline curriculum is completed by every workforce member, regardless of whether the role handles ePHI:

• this document, the Information Security Policy, and the Privacy Policy;
• phishing, social-engineering, and credential-handling hygiene — implementing § 164.308(a)(5)(ii)(A) (Security Reminders) at the workforce-member level — including: do not reuse production credentials on third-party services; do not approve an unfamiliar OAuth grant; do not surrender a session to a caller; do not disclose a secret over an unauthorized channel; report a suspected phishing attempt to the Security Officer;
• protection from malicious software — implementing § 164.308(a)(5)(ii)(B) — including: keep the workforce-device operating system and applications current; enable endpoint anti-malware where available for the operating system in use; do not disable the workforce-device baseline controls; report a suspected malware event to the Security Officer;
• log-in monitoring — implementing § 164.308(a)(5)(ii)© — including: review the workforce member’s own sign-in history through the workforce identity provider on the Security Officer’s published cadence; report an unfamiliar sign-in event to the Security Officer; understand that workforce production-access sign-ins are audit-logged under §3 of the HIPAA Technical Safeguards and reviewed under §2.6 of the HIPAA Administrative Safeguards;
• password and credential management — implementing § 164.308(a)(5)(ii)(D) — including: do not share workforce credentials (an explicit prohibition under §3.2 of the HIPAA Administrative Safeguards and §6(a) of the Information Security Policy); use the workforce identity provider’s password-rotation and complexity policy; use the second factor on every production sign-in; report a lost or compromised credential to the Security Officer;
• the secrets-handling rule in §9(e) of the Information Security Policy: production secrets do not enter source control, are not transmitted over an unauthorized channel, and are not stored outside the managed secret store; and
• the incident-response runbook (§12 of the Information Security Policy) and the public reporting channel security@goliathdynamics.com.

5. Periodic security reminders (§ 164.308(a)(5)(ii)(A))

In addition to the annual refresher in §3.2, the Security Officer publishes periodic security reminders to the workforce. Security reminders are short, topical updates issued on a documented cadence (at least quarterly) and on demand when the threat environment or the production architecture changes.

(a) Topics. Security reminders address phishing campaigns observed in the wild against companies in DocPost’s segment; threat-actor TTPs that the Security Officer judges relevant; recent updates to the workforce-device baseline; recent updates to the role catalog; and lessons learned from post-incident reviews under §5 of the HIPAA Administrative Safeguards.

(b) Channel. Security reminders are delivered through the workforce communication channel the Security Officer designates and are archived under version control so the published reminders are auditable.

© Recording. The publication of a security reminder is recorded against the training program (date, topic, audience). Security reminders do not require individual completion confirmation; the workforce is responsible for reading them when published.

6. Delivery method

(a) Format. Training is delivered as documented written material, supplemented by live walkthroughs and tabletop exercises where the Security Officer judges them necessary (for example, the disaster-recovery testing under §4.5 of the HIPAA Administrative Safeguards, where workforce participation is itself a form of training).

(b) Curriculum versioning. The current curriculum is maintained under version control. Each material change to the curriculum is versioned; the version a given workforce member completed is captured on the training record (§8 below).

© External providers. Where DocPost incorporates external training material (for example, a vendor’s phishing-awareness module) the external provider is evaluated under §5(d) of the Information Security Policy before use, and the training record names the external module so the source is auditable.

7. Completion verification

(a) Standard. Completion of a training module is verified by the workforce member’s acknowledgement that the workforce member has read the material and understands the workforce member’s obligations under it. For modules that include an assessment, the assessment must be passed at the threshold the Security Officer publishes.

(b) Failure handling. Where a workforce member does not pass an assessment, the workforce member retakes the assessment within a window the Security Officer specifies. Where the workforce member fails the retake, the Security Officer may, depending on the role and the failure, (i) provide one-to-one coaching and reassess, (ii) reassign the workforce member to a non-ePHI role pending completion, or (iii) escalate under §3 (Sanction policy) of the HIPAA Administrative Safeguards where the failure indicates a pattern.

© No back-dating. A training record is dated to the date the workforce member actually completed the training. The Security Officer does not back-date a training record under any circumstance; if a workforce member’s training is late, the record reflects the actual completion date.

8. Records and retention

This section is the retention rule for the workforce-training program and supports the documentation obligations at §§ 164.316(b)(2)(i), 164.316(b)(2)(iii), and 164.530(j).

8.1 What is recorded

For each workforce member, the training record captures, at minimum:

• the workforce member’s identifier (employee or contractor record id; not a free-text name) and the role catalog entry under §2.2 of the HIPAA Administrative Safeguards the workforce member held at the time of training;
• the training module the workforce member completed (the version-controlled curriculum id and the version);
• the completion date;
• the assessment outcome where the module includes one;
• the acknowledgement captured at §3.1(d) (for onboarding training) and any subsequent acknowledgement renewed at the annual refresh; and
• the actor who verified completion (the Security Officer, or a delegated approver acting under a written delegation).

8.2 Where it is stored

The training record is maintained under version control alongside the other §8 records identified in the HIPAA Administrative Safeguards: access-review records (§2.6), sanction determinations (§3.5), disaster-recovery test records (§4.5), incident records (§5.9), and the designation record (§1(e)). The store is the canonical evidence of completion for every workforce member and for every published curriculum version.

8.3 Retention period

Each training record is retained for at least six years from the date of the training, in accordance with 45 C.F.R. §§ 164.316(b)(2)(i) and 164.530(j). Superseded curriculum versions, security-reminder publications under §5, and the materials a workforce member completed are likewise retained for at least six years from the date the version was last in effect so the actual material the workforce member completed remains auditable for the full retention window.

8.4 Availability

The training record is made available to the Security Officer on demand, to the workforce member whose record it is on demand, and to a covered-entity customer or its auditor on request through security@goliathdynamics.com (subject to redaction of personnel-confidential fields not relevant to the HIPAA inquiry).

8.5 Off-boarding

When a workforce member separates from Goliath Dynamics under §2.5 of the HIPAA Administrative Safeguards, the workforce member’s training record is not deleted on off-boarding. The record is retained for the six-year window in §8.3 above. This is the documentation-retention rule HIPAA imposes; off-boarding revokes access to systems, not the historical evidence of training.

9. Annual review

This document is reviewed by the Security Officer at least once every twelve months and on each material change to the controls, the role catalog, or the curriculum cited above. A material change includes any of:

• a change to the role catalog under §2.2 of the HIPAA Administrative Safeguards that creates a new ePHI-access path;
• a change to the workforce-device baseline cited in §5 and §6 of the HIPAA Physical Safeguards;
• a change to the technical safeguards in the HIPAA Technical Safeguards that affects workforce-operator behavior;
• a change in any HIPAA Security Rule or Privacy Rule standard or implementation specification this document implements;
• a change in the LLM provider posture in §6(i) or §10 of the Information Security Policy that affects the no-AI-training rule cited at §4.1; or
• a post-incident review under §5 of the HIPAA Administrative Safeguards that identifies a training gap.

The “Effective date” at the top records the date of the current version.

10. Cross-references

• Information Security Policy — parent policy. §3 designates the Security Officer as the owner of the workforce training program at the policy level; §5(e) names the program; §11 is the summary-level statement of the training program — this document is the operational source of truth.
• HIPAA Risk Analysis — risk register and Security Rule spec-by-spec walkthrough. §5 walks the administrative safeguards at § 164.308 including § 164.308(a)(5) Security Awareness and Training, and references this document as the operational source of truth.
• HIPAA Administrative Safeguards — designated Security Officer and Privacy Officer (§1), workforce access-management procedure including the ePHI-access pre-condition at §2.3(a) (§2), sanction policy (§3), contingency / disaster-recovery plan (§4), and breach-notification procedure with timelines (§5).
• HIPAA Physical Safeguards — operational physical-safeguard controls at § 164.310 (facility access controls, workstation use, workstation security, and device-and-media controls), structured as a cloud-provider (GCP) attestation reference under the DocPost control framework. §5 and §6 are the workforce-device baseline this program teaches.
• HIPAA Technical Safeguards — operational technical-safeguard controls at § 164.312 (access control, audit controls, integrity, person-or-entity authentication, transmission security, and encryption at rest), each citing the implementing code in the DocPost service. §3 (Audit Controls) and §5 (Person or Entity Authentication) are the technical safeguards this program teaches workforce members to operate.
• Incident-Response Runbook — operational runbook codifying the detect → contain → eradicate → recover → review lifecycle and the breach-notification timelines for covered-entity customers under § 164.410, GDPR / UK GDPR Article 33, PIPEDA, and applicable U.S. state laws. §4©(d) of this document teaches workforce members the reporting channel that opens an incident; §3.1(a)(i) and §3.6 of the runbook reciprocally cite this program.
• Privacy Policy — public-facing description of how DocPost handles personal information; §9 references HIPAA artifacts including this one.
• E-Sign Act & Data-Processing Disclosure — processing notice surfaced to signers at signing time.

11. Contact

For HIPAA, ePHI, or BAA inquiries:

Goliath Dynamics, Inc. Attn: Security Officer 7901 4th St N, STE 300 St. Petersburg, FL 33702 United States Email: security@goliathdynamics.com

For privacy questions or rights requests, contact privacy@goliathdynamics.com and see the Privacy Policy.

---

History

• 2026-06-25 — v1 published.