CHPC Tests Healthcare Privacy Compliance Work, Not Just HIPAA Definitions
The Certified in Healthcare Privacy Compliance (CHPC) credential is offered by the Compliance Certification Board through HCCA. It is designed for professionals who manage healthcare privacy obligations, including HIPAA Privacy Rule operations, policy management, training, monitoring, investigations, discipline, vendor oversight, breach response, and program reporting.
Current search results for the CHPC are split between the official HCCA pages, generic HIPAA summaries, flashcard sets, and paid practice banks. What they lack is practical exam framing. CHPC questions are built around compliance work experience. You need to know privacy law, but you also need to know how a privacy officer runs a program.
Exam Snapshot
| Item | 2026 detail |
|---|---|
| Credential | Certified in Healthcare Privacy Compliance |
| Exam owner | Compliance Certification Board / HCCA |
| Questions | 120 multiple-choice questions: 100 scored and 20 pretest |
| Time limit | 2 hours |
| Fee | $350 HCCA/SCCE member; $450 non-member |
| Delivery | PSI test center or remote proctored testing |
| Eligibility | Compliance experience plus CCB-approved CEUs, or approved student pathway |
| Renewal | Every 2 years with 40 CCB CEUs, including 20 live CEUs |
Eligibility: Do Not Skip the CEU Gate
Most candidates qualify as compliance professionals. The 2025 handbook says this means at least 1 year in a full-time compliance position or 1,500 hours of direct compliance duties earned in the 2 years before application, with duties tied to the CHPC Detailed Content Outline.
You also need 20 CCB-approved CEUs earned within the 12 months before the exam date. At least 10 must be live CEUs. CCB-accredited university certificate students may satisfy some requirements through that pathway, but they still need to follow the handbook timing rules.
Official CHPC Domain Weights
| Domain | Scored items | Weight |
|---|---|---|
| Privacy Standards, Policies, and Procedures | 17 | 17% |
| Privacy Compliance Program Oversight | 16 | 16% |
| Screening and Evaluation of Employees, Physicians, Vendors, and Other Agents | 9 | 9% |
| Communication, Education, and Training on Compliance Issues | 17 | 17% |
| Privacy Monitoring, Auditing, and Internal Reporting Systems | 17 | 17% |
| Discipline for Non-Compliance | 9 | 9% |
| Investigations and Remedial Measures | 15 | 15% |
No single domain dominates. The exam is broad, and by the detailed outline totals, 80 of the 100 scored items are application or analysis rather than simple recall.
High-Yield Topic Map
HIPAA privacy foundations: Know PHI, covered entities, business associates, minimum necessary, permitted uses and disclosures, authorizations, patient rights, Notice of Privacy Practices, accounting of disclosures, amendments, restrictions, confidential communications, and complaint rights. Use HHS as your baseline source for the HIPAA Privacy Rule.
Breach response: Know the four-factor risk assessment, when an impermissible use or disclosure is presumed to be a breach, and notification expectations. HHS explains the federal Breach Notification Rule, including notification without unreasonable delay and no later than 60 days after discovery for affected individuals.
Program oversight: Study annual work plans, risk assessments, internal controls, privacy officer authority, governance reporting, regulatory interpretation, emerging technology review, and when to involve legal counsel or outside expertise.
Training and communication: CHPC questions often ask what a privacy officer should do after a regulatory change, audit finding, repeated employee mistake, or targeted department risk. Role-based training, tracking, documentation, and culture matter.
Monitoring and investigations: Know audit plans, hotline or reporting mechanisms, non-retaliation, confidentiality, independent investigation structure, corrective action plans, trend analysis, and regulator interactions.
Vendors and BAAs: Be able to distinguish business associate agreements, data use agreements, vendor due diligence, subcontractor flow-down expectations, and privacy clauses in contracts.
Study Plan for Working Compliance Professionals
| Phase | Focus | Hours |
|---|---|---|
| 1 | HIPAA privacy basics, patient rights, PHI, permitted uses, authorizations | 25 |
| 2 | Privacy program governance, policies, annual work plans, risk assessments | 25 |
| 3 | Vendor screening, BAAs, training, communication, discipline | 20 |
| 4 | Monitoring, auditing, reporting systems, investigations, breach response | 30 |
| 5 | Timed CHPC practice questions, error log, handbook review | 20 |
If you work in privacy compliance every day, 8 to 10 weeks is realistic. If your compliance background is broader than privacy, plan 12 to 16 weeks and spend extra time on HIPAA patient rights, BAAs, breach response, and OCR expectations.
Practice Strategy
For each practice question, ask which role you are playing: privacy officer, compliance committee, investigator, trainer, vendor manager, or governance reporter. Then choose the answer that best preserves independence, documentation, consistency, legal privilege where appropriate, non-retaliation, and corrective action.
