Compliance Responsibility Guide
Effective: March 21, 2026
Version History
| Version | Date | Changes |
|---|---|---|
| 1.0 | March 21, 2026 | Initial release |
This Compliance Responsibility Guide ("Guide") is provided by Patterns in Design, LLC ("Company," "we," "us," or "our"), the operator of the Job Training Academy platform ("Platform"). It is intended for compliance officers, practice managers, and other stakeholders who need to understand the boundary between what the Platform provides and what your organization is responsible for.
This Guide is informational. It does not create, modify, or supersede any contractual obligations. The Terms of Service remain the governing agreement between you and the Company.
1. What Job Training Academy Is
Job Training Academy is a compliance training management platform built for healthcare practices—including dental offices, medical clinics, ambulatory surgery centers, and specialty care facilities—that handle protected health information and face workforce training obligations under federal and state law. The Platform provides tools for assigning training to workforce members, tracking completion, generating certificates of completion with independent verification, collecting signed attestations, managing role-based administrative oversight, and organizing training records for documentation and reporting purposes.
The Platform is not:
- A compliance consulting firm. We do not evaluate, design, or manage your compliance program. Compliance program design, implementation, and oversight remain your organization's responsibility. See the OIG Compliance Program Guidance for Individual and Small Group Physician Practices (65 Fed. Reg. 59,434 (Oct. 5, 2000)) for foundational guidance on compliance program elements.
- A certification or accreditation body. No federal or state agency has authorized the Company to certify or accredit organizations, individuals, or compliance programs. HHS has stated that there is no standard or implementation specification under HIPAA that requires a covered entity to "certify" compliance (HHS FAQ on Certification). Certificates issued by the Platform document course completion only (see Section 3).
- A covered entity or Business Associate under HIPAA. Through ordinary use of the Platform, the Company does not create, receive, maintain, or transmit protected health information on behalf of a covered entity and does not perform or assist in the performance of a function or activity regulated by HIPAA. The Platform is operated as a non-PHI environment (see Terms of Service, Section 7).
- A provider of legal, regulatory, medical, or other professional advice. No attorney-client, consultant-client, or other professional relationship is created through use of the Platform. Training content is provided for general educational purposes. Organizations should consult qualified legal counsel for advice on regulatory obligations specific to their operations.
2. Responsibility Matrix
The following table outlines the division of responsibilities between the Platform and your organization ("Customer"). This is not exhaustive but covers the areas most relevant to compliance program operations.
Training Content and Delivery
| Area | Platform Responsibility | Customer Responsibility |
|---|---|---|
| Course content | Develop and maintain training content aligned with topics commonly addressed under the HIPAA Privacy Rule (45 C.F.R. § 164.530(b)), the HIPAA Security Rule (45 C.F.R. § 164.308(a)(5)), and Medicare Parts C & D fraud, waste, and abuse requirements (42 C.F.R. §§ 422.503(b)(4)(vi), 423.504(b)(4)(vi)) | Review and approve all course content for suitability to your workforce, regulatory obligations, and organizational policies before assigning it to learners. The Platform does not determine whether specific content satisfies your organization's training requirements. |
| Training assignment | Provide enrollment tools, assignment workflows, role-based dashboards, and overdue notifications | Identify which members of your workforce require training, select the appropriate courses, set assignment deadlines, and monitor completion. Under 45 C.F.R. § 164.530(b)(1), covered entities must train each member of the workforce on policies and procedures with respect to PHI as necessary and appropriate for that member to carry out their function. |
| Completion tracking | Record completion timestamps, assessment scores, signed attestations, and certificate issuance with verification codes | Verify that the Platform's completion records satisfy your compliance program's documentation standards. Confirm that each learner's training aligns with their job function and access level as required by your policies and applicable regulations. |
| Training currency | Update Platform-provided course content when the Company determines updates are warranted based on regulatory developments | Monitor regulatory changes applicable to your organization—including updates from HHS, CMS, OIG, and applicable state agencies—and adjust your training selections accordingly. Do not rely solely on the Platform to identify when retraining or new training is required. |
Records, Documentation, and Audit Readiness
| Area | Platform Responsibility | Customer Responsibility |
|---|---|---|
| Training record retention | Retain training records—including completion dates, scores, attestations, and certificate data—for seven (7) years consistent with the Platform's retention schedule | Maintain your own copies of all training records as part of your compliance program. HIPAA requires covered entities to retain documentation of required policies and procedures for six (6) years from the date of creation or the date last in effect, whichever is later (45 C.F.R. §§ 164.316(b)(2)(i), 164.530(j)(2)). Your organization should determine whether additional retention periods apply under state law, accreditation standards, or other regulatory frameworks. |
| Certificates of completion | Generate certificates documenting that a named individual completed specified training content and, where applicable, achieved a passing assessment score on the date indicated. Provide each certificate with a unique verification code for independent authentication. | Confirm that certificates issued by the Platform are used and represented accurately. Certificates document course completion only—they do not constitute professional certification, licensure, or accreditation, and they do not represent a determination that your organization or its workforce is compliant with any regulation (see Section 3). |
| Data export and backup | Provide export tools that produce training records, completion data, and certificate records in standard formats (e.g., CSV) | Export and back up your data on a regular schedule. Do not rely on the Platform as your sole repository for records that your organization may need to produce during an audit, investigation, or legal proceeding. |
| Audit and inspection readiness | Maintain organized, timestamped, and searchable records accessible through the Platform, including audit event logs | Review the Platform's record-keeping capabilities against your organization's audit and inspection requirements. Identify any gaps between what the Platform produces and what your organization must be prepared to present to regulators, auditors, or accreditation bodies, and take steps to close those gaps. |
Platform Operations and Security
| Area | Platform Responsibility | Customer Responsibility |
|---|---|---|
| Platform availability | Operate the Platform with commercially reasonable uptime and provide advance notice of scheduled maintenance when practicable | Plan for the possibility of scheduled or unscheduled downtime. Maintain offline or alternative access to critical training records and certificates needed for time-sensitive compliance obligations. |
| Account security | Provide authentication mechanisms, role-based access controls, and audit logging of administrative and learner activity | Maintain the security of all Account credentials. Assign user roles consistent with the principle of least privilege. Promptly remove or reassign access when workforce members depart or change roles. Report suspected unauthorized access immediately. |
| PHI boundary | Operate the Platform as a non-PHI environment. The Company does not act as a Business Associate under HIPAA through ordinary use of the Platform (see Terms of Service, Section 7). | Ensure that no Protected Health Information as defined under 45 C.F.R. § 160.103 is uploaded, entered, or otherwise transmitted to the Platform. If PHI is inadvertently provided, notify the Company immediately for deletion. |
| Data handling | Process personal data as described in the Privacy Policy. Host the Platform on infrastructure that provides encryption at rest and in transit, maintain role-based access controls, and log security-relevant events. See the Privacy Policy for how personal data is collected, used, retained, and protected. | Confirm that you have the authority to provide the data you submit to the Platform. Determine whether any data you provide is subject to additional legal protections under state privacy laws, professional licensing requirements, or contractual obligations, and take appropriate steps before submitting such data. |
| Compliance program ownership | Provide tools that support training program operations—including assignment, tracking, documentation, and reporting—but not compliance program design, regulatory interpretation, or legal advice | Design, implement, and maintain your organization's compliance program in its entirety. Determine how applicable regulations—including HIPAA, Medicare FWA requirements, the False Claims Act (31 U.S.C. §§ 3729–3733), the Anti-Kickback Statute (42 U.S.C. § 1320a-7b), and any applicable state laws—apply to your specific operations. Consult qualified legal counsel for questions about regulatory obligations. |
3. What Our Certificates Mean
What a certificate contains
When a learner completes training through the Platform, a certificate of completion may be generated. Each certificate documents:
- The full name of the individual who completed the training;
- The title of the course completed;
- The date of completion;
- The assessment score achieved, where applicable;
- A unique verification code that can be used to independently authenticate the certificate through the Platform's public verification system.
A certificate is a training artifact. It documents that a specific individual completed specific training content on a specific date. It may serve as one component of your organization's documentation of workforce training activities.
What a certificate does not mean
The healthcare training industry frequently uses terms like "certified," "HIPAA certified," or "certification" in ways that create confusion about what training completion actually establishes. To be clear:
- A certificate of completion is not a professional certification, licensure, or accreditation. No federal agency—including HHS, OCR, or CMS—operates a "HIPAA certification" program for covered entities or their workforce members. HHS has expressly stated that there is no standard or implementation specification that requires a covered entity to "certify" compliance (HHS FAQ on Certification).
- A certificate does not establish that the recipient is compliant with any specific regulation. Compliance under HIPAA is determined by the totality of an organization's safeguards, policies, procedures, training, documentation, and operational practices—not by any single training event or document (see 45 C.F.R. §§ 164.308, 164.310, 164.312, 164.530).
- A certificate does not guarantee that any regulatory body will accept the underlying training as satisfying a specific requirement. Whether particular training content satisfies a particular regulatory obligation depends on the organization's circumstances, the applicable regulation, and the regulatory body's evaluation of the organization's overall compliance posture.
- A certificate does not substitute for your organization's compliance program. The OIG Compliance Program Guidance for Individual and Small Group Physician Practices identifies training and education as one of seven recommended compliance program elements—alongside written standards, a designated compliance officer, reporting mechanisms, disciplinary guidelines, auditing, and corrective action (65 Fed. Reg. 59,434 (Oct. 5, 2000)). Training completion addresses one element; it does not replace the others.
- A certificate does not represent a professional opinion. The Company does not evaluate whether your organization's training selections satisfy any particular regulatory obligation. That determination belongs to your organization and its legal counsel.
Your responsibility regarding certificates
Organizations are responsible for determining whether training completed through the Platform—and the certificates that document that completion—meet the requirements of their compliance programs and applicable regulations. Organizations should not represent certificates of completion as "HIPAA certification," regulatory certification, or evidence of organizational compliance unless they can independently support such a representation through their broader compliance program.
4. What the Platform Does Not Do
To avoid ambiguity, the following describes activities and functions that fall outside the scope of the Platform and the Company's services. These exclusions are consistent with the limitations described in the Terms of Service, Sections 7, 10, and 11.
The Platform does not:
- Provide legal, regulatory, compliance, medical, or other professional advice. Training content is provided for general educational purposes. No attorney-client, consultant-client, or other professional relationship is created through use of the Platform or its content.
- Determine which training your organization or its workforce members need. Under the HIPAA Privacy Rule, covered entities must train each member of the workforce on policies and procedures as necessary and appropriate for that member to carry out their function (45 C.F.R. § 164.530(b)(1)). Under the Security Rule, covered entities must implement a security awareness and training program for all members of the workforce, including management (45 C.F.R. § 164.308(a)(5)(i)). The decision about what training is appropriate for each workforce member belongs to the organization.
- Evaluate whether your compliance program is adequate. The Platform does not perform compliance assessments, gap analyses, or program evaluations. Organizations subject to HIPAA are required to conduct their own risk analysis as part of their security management process (45 C.F.R. § 164.308(a)(1)(ii)(A)). The OIG Compliance Program Guidance further recommends periodic auditing and monitoring as a core compliance program element (65 Fed. Reg. 59,434).
- Monitor regulatory changes on your behalf. Federal and state regulations applicable to healthcare organizations change over time. The Platform does not track, interpret, or notify customers of changes to HIPAA, Medicare requirements, state privacy laws, licensing board requirements, or any other regulatory framework. Customers are responsible for monitoring developments from HHS, CMS, OIG, OCR, and applicable state agencies.
- Act as a Business Associate under HIPAA. The Platform is operated as a non-PHI environment. Through ordinary use, the Company does not create, receive, maintain, or transmit protected health information on behalf of a covered entity (see Terms of Service, Section 7). If your organization requires a Business Associate Agreement for a particular use case, contact us to discuss whether such an arrangement is appropriate.
- Guarantee that training completed on the Platform satisfies any specific regulatory requirement. Whether a particular course satisfies a particular requirement depends on the organization's policies, the applicable regulation, and the regulatory body's evaluation of the organization's compliance program as a whole.
- Certify or accredit organizations, individuals, or programs. The Company is not a certification or accreditation body. No certificate issued through the Platform constitutes regulatory certification, professional licensure, or organizational accreditation (see Section 3).
- Conduct risk analyses or security assessments. HIPAA requires covered entities to conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information (45 C.F.R. § 164.308(a)(1)(ii)(A)). Risk analysis is the organization's responsibility and falls outside the scope of the Platform.
- Replace your organization's obligation to design, implement, and oversee its own compliance program. Training is one component of a compliance program. It does not substitute for written policies and procedures, a designated compliance officer, internal reporting mechanisms, disciplinary standards, auditing and monitoring, or corrective action processes.
5. Recommended Customer Actions
The following recommendations are informed by HIPAA regulatory requirements and the OIG Compliance Program Guidance for Individual and Small Group Physician Practices (65 Fed. Reg. 59,434 (Oct. 5, 2000)). They are not legal advice. Organizations should consult qualified legal counsel to determine which actions are required or appropriate for their specific circumstances.
Compliance Program Foundations
- Designate a compliance officer or responsible party. The OIG Compliance Program Guidance recommends that even small practices designate an individual responsible for compliance oversight (65 Fed. Reg. at 59,438). This individual should have authority and visibility into the organization's training program, including assignment status, completion rates, overdue training, and upcoming renewals. The Platform's role-based access controls support this function.
- Maintain written policies and procedures. HIPAA requires covered entities to implement and maintain reasonable and appropriate policies and procedures (45 C.F.R. §§ 164.316(a), 164.530(i)). Training should be linked to these policies. Document which training courses correspond to which organizational policies so the connection is clear during an audit or investigation.
- Conduct and document a risk analysis. The HIPAA Security Rule requires covered entities to conduct an accurate and thorough assessment of potential risks and vulnerabilities to electronic protected health information (45 C.F.R. § 164.308(a)(1)(ii)(A)). Risk analysis results should inform your training selections—for example, identifying areas where workforce members need additional security awareness training. The Platform does not perform risk analyses; this is your organization's responsibility.
Training Program Operations
- Conduct a training needs assessment. Before assigning courses, evaluate what training is required for each workforce member based on their job function, access to PHI, and your organization's policies. The Privacy Rule requires training that is "necessary and appropriate" for each workforce member to carry out their function (45 C.F.R. § 164.530(b)(1)). Document your basis for selecting specific training content.
- Train new workforce members within a reasonable period. The Privacy Rule requires that new workforce members receive training within a reasonable period of time after joining the organization (45 C.F.R. § 164.530(b)(2)(i)). Establish an onboarding policy that specifies training timelines and use the Platform's assignment tools to enforce those timelines.
- Retrain when policies or procedures change. The Privacy Rule requires retraining within a reasonable period of time after material changes to policies or procedures affecting a workforce member's functions or duties (45 C.F.R. § 164.530(b)(2)(ii)). Monitor for material changes—such as new privacy practices, updated security procedures, or operational changes—and reassign training accordingly.
- Review training selections at least annually. Regulations, enforcement priorities, and organizational operations change over time. Review your training selections against current regulatory requirements, recent enforcement actions, and any updates from HHS, CMS, OIG, OCR, and applicable state agencies. Do not assume that last year's training program remains adequate this year.
- Verify training aligns with job functions. Not all workforce members need the same training. Administrative staff who handle scheduling may need different training than clinical staff with direct access to patient records. The Platform supports differentiated course assignment; use it to match training to actual job responsibilities.
Documentation and Record-Keeping
- Export and back up records on a regular schedule. Do not rely on the Platform as your sole repository for compliance records. Use the Platform's export tools to maintain your own copies of completion records, certificates, attestations, and reports. Store exported records in a location accessible to your compliance officer and legal counsel.
- Integrate Platform records with your broader compliance documentation. Training records are one component of your compliance program documentation. Ensure that your training records can be cross-referenced with your written policies, risk analysis documentation, incident reports, and other compliance artifacts. A regulator or auditor will evaluate your program holistically, not in isolation.
- Retain records for the required periods. HIPAA requires covered entities to retain documentation of policies, procedures, and related actions for six (6) years from the date of creation or the date last in effect, whichever is later (45 C.F.R. §§ 164.316(b)(2)(i), 164.530(j)(2)). Some state laws, accreditation standards, or contractual obligations may require longer retention. The Platform retains training records for seven (7) years, but your organization should independently determine and satisfy its own retention obligations.
Ongoing Oversight
- Establish internal reporting and disciplinary mechanisms. The OIG Compliance Program Guidance recommends that organizations maintain procedures for reporting compliance concerns and impose appropriate disciplinary action for violations (65 Fed. Reg. at 59,438–39). Training completion alone does not address workforce members who fail to follow the policies they were trained on.
- Apply sanctions for policy violations. The HIPAA Privacy Rule requires covered entities to have and apply appropriate sanctions against workforce members who fail to comply with the organization's privacy policies and procedures (45 C.F.R. § 164.530(e)(1)). Document your sanctions policy and ensure it is communicated to all workforce members.
- Audit your training program periodically. Review whether training is being completed on time, whether completion records are accurate, and whether the training content remains aligned with your policies and regulatory obligations. The Platform's reporting tools can support this review, but the evaluation itself is your organization's responsibility.
- Consult qualified legal counsel. For questions about regulatory requirements, compliance program design, enforcement developments, or legal obligations specific to your organization, seek advice from an attorney with experience in healthcare regulatory compliance. The Platform and this Guide do not substitute for legal advice.
6. Related Documents
This Guide should be read together with the following documents, which govern your use of the Platform:
- Terms of Service — The governing agreement between you and the Company, including the PHI boundary (Section 7), disclaimer of warranties (Section 10), and limitation of liability (Section 11)
- Privacy Policy — Describes how personal data is collected, used, retained, and protected, including data ownership, retention periods, and your privacy rights
- Acceptable Use Policy — Defines prohibited conduct, including PHI upload restrictions, account security obligations, and token usage restrictions
- Refund and Licensing Policy — Describes token license terms, refund eligibility, and payment terms
7. Regulatory References
The following regulations and guidance documents are referenced in this Guide. These citations are provided for reference purposes only and do not constitute legal advice or a comprehensive list of regulations that may apply to your organization.
| Citation | Description |
|---|---|
| 45 C.F.R. § 160.103 | Definitions, including Protected Health Information (PHI) |
| 45 C.F.R. § 164.308(a)(1)(ii)(A) | Security Management Process — Risk Analysis |
| 45 C.F.R. § 164.308(a)(5)(i) | Security Awareness and Training |
| 45 C.F.R. § 164.310 | Physical Safeguards |
| 45 C.F.R. § 164.312 | Technical Safeguards |
| 45 C.F.R. § 164.316(a) | Policies and Procedures (Security Rule) |
| 45 C.F.R. § 164.316(b)(2)(i) | Documentation — Retention (Security Rule, six years) |
| 45 C.F.R. § 164.530(b)(1) | Training — Privacy Rule workforce training requirement |
| 45 C.F.R. § 164.530(b)(2)(i) | Training — New workforce members |
| 45 C.F.R. § 164.530(b)(2)(ii) | Training — Material changes to policies or procedures |
| 45 C.F.R. § 164.530(e)(1) | Sanctions for privacy policy violations |
| 45 C.F.R. § 164.530(i) | Policies and Procedures (Privacy Rule) |
| 45 C.F.R. § 164.530(j)(2) | Documentation — Retention (Privacy Rule, six years) |
| 42 C.F.R. § 422.503(b)(4)(vi) | Medicare Advantage — Compliance training requirement |
| 42 C.F.R. § 423.504(b)(4)(vi) | Part D — Compliance training requirement |
| 31 U.S.C. §§ 3729–3733 | False Claims Act |
| 42 U.S.C. § 1320a-7b | Anti-Kickback Statute |
| 65 Fed. Reg. 59,434 (Oct. 5, 2000) | OIG Compliance Program Guidance for Individual and Small Group Physician Practices |
| HHS FAQ on Certification | HHS statement that no HIPAA standard requires a covered entity to "certify" compliance |
| OCR Audit Protocol | OCR HIPAA Audit Program protocol |