100+ Free CRAS Practice Questions

Pass your HIPAA Right of Access / Release of Information Specialist (AIHC) exam on the first try — instant access, no signup required.


Key Facts: CRAS Exam

  • 30 days: Standard access timeline (45 CFR 164.524(b)(2))
  • +30 days: One written extension (45 CFR 164.524(b)(2)(ii))
  • $6.50: Optional flat-fee safe harbor (OCR 2016 guidance)
  • 2020: Ciox v. Azar ruling (D.D.C.)
  • 6 CEUs: Annual renewal (AIHC)
  • 3 hours: Open-note exam time (AIHC)

CRAS is AIHC's operational ROI/right-of-access specialist credential. The exam is open-note and timed at 3 hours, taken within 3 months of completing the AIHC training course. The course awards 12 AHIMA and 12 AIHC CEUs; renewal requires 6 CEUs annually. Content focuses on the 45 CFR 164.524 framework, post-Ciox v. Azar implications for third-party directives and fees, and ROI workflow execution.

Sample CRAS Practice Questions

Try these sample questions to test your CRAS exam readiness. Each question includes a detailed explanation.

1. Under 45 CFR 164.524, what is the maximum number of days a covered entity has to act on an individual's request for access to PHI before any extension?
A. 15 calendar days
B. 30 calendar days
C. 60 calendar days
D. 90 calendar days
Explanation: The HIPAA Privacy Rule at 45 CFR 164.524(b)(2) requires covered entities to act on a request for access no later than 30 calendar days after receipt. The 2013 Omnibus Rule eliminated the prior 60-day timeline for off-site records. Exam Tip: The clock starts on receipt of the request, not when ROI staff review it.
2. A covered entity needs more time to respond to an access request. Under HIPAA, what must it do to lawfully extend the deadline?
A. Notify OCR of the delay within 10 days
B. Provide the individual a written statement of the reasons for the delay and the date the request will be completed, with only one 30-day extension permitted
C. Obtain the individual's verbal agreement to wait an additional 60 days
D. Document the delay internally; no notice to the individual is required
Explanation: 45 CFR 164.524(b)(2)(ii) permits only one 30-day extension, and only if the covered entity provides the individual a written statement of the reasons for the delay and the date by which it will complete action. Exam Tip: Verbal extensions and silent delays are top OCR enforcement targets.
3. Which of the following is included within the HIPAA designated record set as defined at 45 CFR 164.501?
A. Quality assurance peer-review files used only for committee improvement
B. Medical and billing records used to make decisions about the individual
C. Psychotherapy notes maintained separately by a mental health professional
D. Information compiled in reasonable anticipation of litigation
Explanation: The designated record set comprises medical and billing records about individuals, enrollment/payment/claims systems, and other records used to make decisions about the individual. Psychotherapy notes maintained separately and information compiled for litigation are excluded by 164.524(a)(1). Exam Tip: 'Used to make decisions about the individual' is the litmus test for designated record set inclusion.
4. Per the 45 CFR 164.501 definition, which of the following best describes psychotherapy notes that are excluded from the right of access?
A. Any note documenting a patient's mental health diagnosis or medication
B. Notes recorded by a mental health professional documenting or analyzing the contents of a counseling session, kept separate from the rest of the medical record
C. Any progress note written by a psychiatrist
D. All records produced during any therapy or counseling encounter
Explanation: Psychotherapy notes are notes recorded by a mental health professional that document or analyze the contents of a counseling session and are separated from the rest of the medical record. Medication, diagnosis, treatment plan, symptoms, prognosis, session start/stop times, and modalities are explicitly excluded from this definition and remain accessible. Exam Tip: 'Separated from the rest of the record' is the operational test ROI staff must apply.
5. What did the 2020 federal court decision in Ciox Health, LLC v. Azar vacate?
A. The entire HIPAA Privacy Rule
B. OCR's 2013/2016 expansion of the third-party directive beyond electronic copies of EHR-maintained PHI, and the Patient Rate fee cap as applied to third-party requests
C. The 30-day access timeline
D. The right of an individual to access their own records
Explanation: On January 23, 2020, the D.D.C. ruled in Ciox Health, LLC v. Azar that HHS exceeded its authority by expanding the HITECH third-party directive to all PHI formats and by applying the Patient Rate fee cap to third-party requests. The court limited the third-party directive to electronic copies of PHI maintained in an EHR and held the Patient Rate fee cap does not apply to third-party transmissions. Exam Tip: Individual access (and its fee cap) was undisturbed by Ciox.
6. Post-Ciox v. Azar, when an individual exercises a third-party directive, that directive is enforceable under HIPAA only when the request is for:
A. Any PHI in any format the covered entity maintains
B. An electronic copy of PHI maintained in an electronic health record
C. Paper records mailed to the third party
D. Verbal disclosure to the third party
Explanation: After Ciox, the HITECH third-party directive at 42 USC 17935(e) and 45 CFR 164.524(c)(3)(ii) applies only to requests for an electronic copy of PHI maintained in an EHR. For other formats, the individual may still receive a copy and forward it themselves, but the covered entity is not required to honor a third-party directive. Exam Tip: For non-EHR PHI, route the requester through a HIPAA authorization, not a third-party directive.
7. Under 45 CFR 164.524(c)(4), which of the following CANNOT be included in the reasonable cost-based fee charged to an individual for a copy of their PHI?
A. Labor for copying the PHI requested
B. Cost of supplies such as a USB drive when requested by the individual
C. Costs of searching for and retrieving the PHI
D. Postage when the individual requests mail delivery
Explanation: OCR explicitly prohibits charging individuals for searching for, retrieving, or otherwise handling/processing the PHI. Permissible costs are limited to labor for copying, supplies for portable media (if requested), postage, and preparing an explanation/summary if the individual agrees. Exam Tip: 'Search and retrieval' fees are the most common ROI billing error and a frequent OCR enforcement finding.
8. Per OCR guidance, which of the following best describes the $6.50 flat fee option for HIPAA right of access?
A. A regulatory cap on every right-of-access request
B. An optional flat fee not to exceed $6.50 (inclusive of all labor, supplies, and postage) for electronic copies of PHI maintained electronically when the entity does not want to calculate actual or average costs
C. The maximum fee for any third-party directive
D. A required fee for all paper records
Explanation: OCR's 2016 guidance permits a covered entity, at its option, to charge a flat fee not to exceed $6.50 (inclusive of all labor, supplies, and postage) for electronic copies of PHI maintained electronically. It is not a cap on all access requests and is not required. Actual cost or average cost methods are also permitted. Exam Tip: $6.50 is a safe-harbor option, not a regulatory ceiling.
9. Per OCR guidance on HIPAA fees, are per-page fees permitted for paper or electronic copies of PHI maintained electronically?
A. Yes, per-page fees are always permitted
B. No, OCR does not consider per-page fees reasonable for copies of PHI maintained electronically (whether output is paper or electronic)
C. Yes, but only up to $1.00 per page
D. Only when the individual requests more than 100 pages
Explanation: OCR has stated that per-page fees are not considered reasonable under 45 CFR 164.524(c)(4) when the PHI is maintained electronically, regardless of whether the output is paper or electronic. Per-page fees may still be allowed for PHI maintained only on paper, but state law often limits these. Exam Tip: When PHI is in the EHR, ROI staff cannot apply a state per-page schedule under HIPAA.
10. An individual requests a copy of their PHI in CSV format and the EHR can readily export to CSV. What does HIPAA require?
A. The covered entity may provide PDF only because that is its standard format
B. The covered entity must provide the copy in the form and format requested if readily producible, or in a readable alternative format agreed to by the individual
C. The covered entity may decline because CSV is not a clinical format
D. The covered entity must convert to HL7 FHIR before release
Explanation: 45 CFR 164.524(c)(2)(ii) requires the covered entity to provide a copy in the electronic form and format requested if readily producible, or in a readable alternative electronic format agreed to by the individual. 'Readily producible' is a question of capability, not preference. Exam Tip: If the EHR can export it in one click, it is readily producible.

About the CRAS Exam

The AIHC CRAS credential validates operational expertise in HIPAA right of access (45 CFR 164.524) and release of information workflow — covering designated record set scope, the 30-day timeline, post-Ciox third-party directives, reasonable cost-based fees, denials and reviews, personal representatives, and sensitive records (psychotherapy notes, 42 CFR Part 2, HIV, genetic).

  • Questions: 100 scored questions
  • Time Limit: 3 hours
  • Passing Score: Set by AIHC (verify in handbook)
  • Exam Fee: Included in tuition (American Institute of Healthcare Compliance (AIHC))

CRAS Exam Content Outline

Right of Access Fundamentals (~30%)

Scope of access under 45 CFR 164.524, designated record set definition, 30-day timeline with one 30-day extension, form/format requirements (readily producible electronic copies), and the post-Ciox surviving third-party directive limited to electronic copies of EHR-maintained PHI.

ROI Workflow and Operations (~25%)

Intake, verification of identity and authority, scope determination, fee estimation, retrieval, lawful redaction, secure delivery (including unencrypted email per OCR guidance after risk warning), logging, and choosing the right legal lane (164.524 access vs. 164.508 authorization vs. 164.512 compelled disclosure).

Fees and Billing (~15%)

Reasonable cost-based fees limited to labor for copying, supplies (when individual requests portable media), and postage; the optional $6.50 flat-fee safe harbor for electronic copies of electronic PHI; OCR's prohibition on per-page fees for electronically maintained records and on search/retrieval/verification fees; and post-Ciox treatment of third-party directives.

Personal Representatives and Sensitive Records (~15%)

Adult POA, court-appointed guardians, minors and emancipated minors (state minor-consent law), deceased patient executors and the 50-year decedent rule; psychotherapy notes definition and the separate authorization rule; 42 CFR Part 2 SUD records (consent, redisclosure prohibition notice, 2024 final rule); HIV/AIDS, GINA/genetic, and other state-specific protections.

Denials, Reviews, and Legal Process (~15%)

Reviewable vs. unreviewable denial grounds at 164.524(a)(2)-(3), licensed-reviewer process, subpoenas vs. court orders and qualified protective orders under 164.512(e), law-enforcement disclosures under 164.512(f), and OCR Right of Access Initiative enforcement themes.

How to Pass the CRAS Exam

What You Need to Know

  • Passing score: Set by AIHC (verify in handbook)
  • Exam length: 100 questions
  • Time limit: 3 hours
  • Exam fee: Included in tuition

Keys to Passing

  • Complete 500+ practice questions
  • Score 80%+ consistently before scheduling
  • Focus on highest-weighted sections
  • Use our AI tutor for tough concepts

CRAS Study Tips from Top Performers

1. Memorize the difference between unreviewable and reviewable denial grounds under 164.524(a)(2) and (a)(3), and who must review reviewable denials.
2. Know the post-Ciox four-part test for third-party directives: written, signed, designates recipient/location, and electronic copy from an EHR.
3. Master fee allowables (labor for copying, supplies if portable media, postage) versus prohibitions (search, retrieval, verification, system-maintenance costs) under OCR's 2016 guidance.
4. Drill personal-representative scenarios across minors, emancipation, deceased patients (executor and 50-year rule), and adverse-interest situations triggering 164.524(a)(3)(iii).
5. Practice the authorization (164.508) vs. access (164.524) vs. compelled disclosure (164.512) lane analysis on every fact pattern.

Frequently Asked Questions

What does the AIHC CRAS credential validate?

CRAS validates operational competency in HIPAA right of access and release-of-information workflow. It focuses on 45 CFR 164.524, post-Ciox v. Azar third-party directives, reasonable cost-based fees, denials and reviews, personal representatives, and sensitive records like psychotherapy notes and 42 CFR Part 2.

What is the format of the AIHC CRAS exam?

The CRAS exam is open-note and timed at 3 hours. It can be taken online (proctored) or in person by appointment. Candidates must take the exam within 3 months of completing the AIHC training course.

How is the AIHC CRAS exam scored, and what is the passing score?

AIHC sets the passing score and details its scoring methodology in the certification handbook. Verify the current passing score directly with AIHC.

How do I maintain the CRAS credential?

AIHC requires 6 CEUs per year to maintain the credential. The training course itself awards 12 AHIMA and 12 AIHC CEUs on successful completion.

How is CRAS different from AIHC's CHCO and HPOC credentials?

CHCO (Certified in HIPAA Compliance) and HPOC (HIPAA Privacy Officer Certification) cover broad HIPAA Privacy and Security topics for compliance and privacy officers. CRAS is the specialized operational credential focused on the day-to-day right-of-access and release-of-information workflow within 45 CFR 164.524.

What did Ciox Health v. Azar (2020) change for ROI staff?

The D.D.C. vacated OCR's expansion of the third-party directive beyond electronic copies of EHR-maintained PHI and held that the Patient Rate fee cap does not apply to third-party requests. Individual access (and its fee cap) was undisturbed. ROI specialists must therefore route non-EHR or non-electronic third-party requests through HIPAA authorization, where state copy-fee schedules typically apply.