
100+ Free HPOC Practice Questions

Pass your HIPAA Privacy Officer Certified (AIHC) exam on the first try — instant access, no signup required.

Key Facts: HPOC Exam (2026)

  • 100 practice questions (OpenExamPrep 2026)
  • 12 AIHC CEUs awarded for completing the course (AIHC)
  • 6 CEUs per year required for renewal (AIHC)
  • 3 months: window to take the exam after course completion (AIHC)
  • 60 days: outer limit for individual breach notice (45 CFR 164.404)
  • 50 years: post-death protection of decedent PHI (45 CFR 164.502(f))

HPOC is AIHC's privacy-officer-focused HIPAA credential — distinct from the broader CHCO HIPAA-compliance credential. The exam is 100 multiple-choice questions, online proctored, open-note, and one attempt is included with the AIHC HIPAA Privacy course (12 AIHC CEUs awarded). Candidates must take the exam within 3 months of course completion. Maintenance: 6 CEUs annually.

Sample HPOC Practice Questions

Try these sample questions to test your HPOC exam readiness. Each question includes a detailed explanation. Start the interactive quiz above for the full 100+ question experience with AI tutoring.

1. Which federal regulation contains the HIPAA Privacy Rule's substantive requirements for permitted uses and disclosures of PHI?
A. 45 CFR Part 160
B. 45 CFR Part 162
C. 45 CFR Part 164, Subpart E
D. 42 CFR Part 2
Answer: C. Explanation: The HIPAA Privacy Rule's substantive uses-and-disclosures provisions live in 45 CFR Part 164, Subpart E (Privacy of Individually Identifiable Health Information). 45 CFR Part 160 contains the general administrative and enforcement requirements, while Part 162 addresses transactions and code sets. 42 CFR Part 2 is a separate regulation covering substance use disorder records, not HIPAA. Exam Tip: When the test asks 'where is X in HIPAA,' Subpart E = Privacy substantive rules; Subpart C = Security; Subpart D = Breach Notification.
2. A patient asks the privacy officer how long after their death HIPAA continues to protect their health information. What is the correct answer?
A. 10 years
B. 25 years
C. 50 years
D. Indefinitely; HIPAA never sunsets after death
Answer: C. Explanation: Under 45 CFR 164.502(f), the Privacy Rule protects a decedent's identifiable health information for 50 years following the date of death. After 50 years the information is no longer considered PHI for HIPAA purposes. Exam Tip: The 50-year period is a definitional sunset, not a record-retention requirement; state law governs how long records must actually be kept.
3. Under the HIPAA Privacy Rule, which of the following uses or disclosures generally does NOT require an authorization from the individual?
A. Sale of PHI to a marketing firm
B. Use of psychotherapy notes for marketing
C. Disclosure for treatment, payment, or health care operations (TPO)
D. Use of PHI in a research database without an IRB waiver
Answer: C. Explanation: 45 CFR 164.506 permits a covered entity to use or disclose PHI for its own treatment, payment, and health care operations (TPO) without an authorization. Sale of PHI, marketing using psychotherapy notes, and most research uses generally require a HIPAA authorization under 45 CFR 164.508 (or, for research, an IRB/Privacy Board waiver under 164.512(i)). Exam Tip: TPO is the central authorization-free pathway; memorize what falls inside and outside its boundaries.
4. Which statement BEST describes the HIPAA minimum necessary standard?
A. Covered entities must always disclose the entire medical record on request
B. Covered entities must make reasonable efforts to limit PHI use and disclosure to the minimum necessary to accomplish the intended purpose
C. Minimum necessary applies only to electronic PHI
D. Minimum necessary applies to disclosures for treatment between providers
Answer: B. Explanation: Per 45 CFR 164.502(b), covered entities and business associates must make reasonable efforts to limit PHI uses, disclosures, and requests to the minimum amount necessary to accomplish the intended purpose. The standard does NOT apply to disclosures to or requests by a health care provider for treatment, disclosures to the individual, uses or disclosures under a valid authorization, disclosures to HHS for compliance investigations, or uses or disclosures required by law. It applies to PHI in any form, not just ePHI. Exam Tip: 'Treatment' is the most commonly tested exception to minimum necessary.
5. A covered hospital must provide its Notice of Privacy Practices (NPP) to a new direct-treatment patient at what point?
A. Within 30 days after the patient's first appointment
B. No later than the date of first service delivery
C. Only when the patient asks for it
D. Within 60 days after admission
Answer: B. Explanation: 45 CFR 164.520(c)(2)(i) requires direct-treatment providers to provide the NPP no later than the date of first service delivery (and, under 164.520(c)(2)(ii), to make a good-faith effort to obtain a written acknowledgment of receipt). In an emergency treatment situation, the notice may be provided as soon as reasonably practicable after the emergency. Exam Tip: 'First service delivery' is the trigger phrase OCR uses repeatedly.
6. Under 45 CFR 164.524, how long does a covered entity have to act on an individual's request for access to their PHI in a designated record set?
A. 10 calendar days
B. 30 calendar days, with one possible 30-day extension
C. 60 calendar days
D. 90 calendar days
Answer: B. Explanation: Covered entities must act on an access request no later than 30 calendar days after receipt. One 30-day extension is allowed if, within the original 30-day window, the entity gives the individual a written statement of the reasons for the delay and the date by which it will complete action. Exam Tip: '30 + 30' is the right-of-access timeline; OCR's Right of Access Initiative has imposed dozens of penalties for missing it.
7. A covered entity that maintains PHI electronically chooses the OCR flat-rate option for charging an individual for an electronic copy of PHI. What is the maximum permitted flat fee?
A. $1.00
B. $6.50
C. $25.00
D. Whatever state law allows
Answer: B. Explanation: OCR's 2016 access guidance permits a flat fee not to exceed $6.50 (inclusive of all labor, supplies, and postage) for an electronic copy of PHI maintained electronically. The $6.50 figure is an option, not a cap on all access fees; entities may instead charge their actual or average allowable costs under 45 CFR 164.524(c)(4). The fee limits apply to requests by the individual (or their personal representative); after Ciox Health v. Azar (D.D.C. 2020), they do not govern third-party directives. Exam Tip: $6.50 is the most commonly tested figure on right-of-access fees.
8. Which of the following disclosures must be included in an accounting of disclosures provided to an individual under 45 CFR 164.528?
A. Disclosures for treatment, payment, or health care operations
B. Disclosures pursuant to the individual's signed authorization
C. A disclosure of PHI to a state health department for mandated public health reporting
D. Disclosures to the individual themselves
Answer: C. Explanation: Public health disclosures under 45 CFR 164.512(b) must be included in the accounting. 45 CFR 164.528(a)(1) excludes from the accounting disclosures for TPO, disclosures to the individual, disclosures made under an authorization, incidental disclosures, disclosures for the facility directory or to persons involved in the individual's care, and disclosures made before the compliance date. The accounting period is the six years prior to the request. Exam Tip: If a disclosure required an authorization, it is excluded from the accounting.
9. How far back must an accounting of disclosures cover, measured from the date of the individual's request?
A. 1 year
B. 3 years
C. 6 years
D. 10 years
Answer: C. Explanation: 45 CFR 164.528(a)(1) requires covered entities to provide an accounting of disclosures made during the six years prior to the date of the request (or the period during which the entity has been required to comply with HIPAA, if shorter). Exam Tip: 6 years is the same retention period as documentation under 45 CFR 164.530(j), which makes the two easy to confuse.
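Questions 8 and 9 together define a filter: take everything in a disclosure log, drop the categories 45 CFR 164.528(a)(1) excludes, and keep only what falls inside the six-year lookback (bounded by the compliance date). The script below is an added example written for this page, not AIHC course material or any vendor's tool. The log schema, the purpose codes, the sample entries and the 2003 compliance date are all assumptions made for the example; the exclusion list and the 60-day (+30) response deadline come from 164.528 itself.

```python
"""Build a HIPAA accounting of disclosures from a disclosure log.

Added example for the practice questions above. Applies the 45 CFR 164.528
exclusions and the six-year lookback to a constructed log. The log fields,
purpose codes and sample data are assumptions, not a real system's schema.
"""
from dataclasses import dataclass
from datetime import date, timedelta

# Disclosure categories excluded from the accounting by 45 CFR 164.528(a)(1).
EXCLUDED_PURPOSES = frozenset({
    "treatment", "payment", "health_care_operations",  # (i)   TPO
    "to_individual",                                    # (ii)  to the individual
    "incidental",                                       # (iii) incident to a permitted use
    "authorization",                                    # (iv)  under a 164.508 authorization
    "facility_directory", "involved_in_care",           # (v)   164.510 directory / persons involved in care
    "national_security",                                # (vi)
    "correctional_institution",                         # (vii)
    "limited_data_set",                                 # (viii)
})
# (ix), disclosures before the compliance date, is enforced by the date window.
PRIVACY_RULE_COMPLIANCE_DATE = date(2003, 4, 14)  # assumption: not a small health plan


@dataclass(frozen=True)
class Disclosure:
    disclosed_on: date
    recipient: str      # name (and address, if known), as 164.528(b)(2) requires
    description: str    # brief description of the PHI disclosed
    purpose: str        # purpose code from the assumed log schema


def years_before(d: date, n: int) -> date:
    """Same calendar day n years earlier; Feb 29 maps to Feb 28 in non-leap years."""
    try:
        return d.replace(year=d.year - n)
    except ValueError:
        return d.replace(year=d.year - n, day=28)


def accounting_window_start(request_date: date) -> date:
    """Six years before the request, but never earlier than the compliance date."""
    return max(years_before(request_date, 6), PRIVACY_RULE_COMPLIANCE_DATE)


def accounting_of_disclosures(log, request_date: date):
    """Entries that must appear in the accounting, oldest first."""
    start = accounting_window_start(request_date)
    return sorted(
        (d for d in log
         if start <= d.disclosed_on <= request_date
         and d.purpose not in EXCLUDED_PURPOSES),
        key=lambda d: d.disclosed_on,
    )


def response_deadlines(request_date: date):
    """164.528(c)(1): act within 60 days; one extension of no more than 30 days."""
    return request_date + timedelta(days=60), request_date + timedelta(days=90)


def format_accounting(entries):
    """One line per required element: date, recipient, description, purpose."""
    return [f"{d.disclosed_on.isoformat()} | {d.recipient} | {d.description} | {d.purpose}"
            for d in entries]


# Constructed sample log (fictitious, for the example only).
SAMPLE_REQUEST_DATE = date(2025, 7, 1)
SAMPLE_LOG = [
    Disclosure(date(2025, 3, 2), "Dr. A. Example, Example Cardiology", "visit notes", "treatment"),
    Disclosure(date(2024, 6, 15), "State Department of Health", "lab result, reportable disease", "public_health"),
    Disclosure(date(2023, 1, 10), "Example Life Insurance Co.", "full record", "authorization"),
    Disclosure(date(2020, 9, 8), "County Sheriff (warrant)", "admission date and discharge date", "law_enforcement"),
    Disclosure(date(2018, 5, 20), "State Department of Health", "immunization record", "public_health"),
    Disclosure(date(2022, 11, 30), "the individual", "copy of designated record set", "to_individual"),
    Disclosure(date(2021, 2, 14), "Child Protective Services", "ED visit summary", "required_by_law"),
]

if __name__ == "__main__":
    for line in format_accounting(accounting_of_disclosures(SAMPLE_LOG, SAMPLE_REQUEST_DATE)):
        print(line)
    due, extended = response_deadlines(SAMPLE_REQUEST_DATE)
    print(f"respond by {due}; with written extension notice, by {extended}")
```

With the constructed log, the 2025 treatment disclosure, the authorization-based disclosure and the copy given to the individual drop out on purpose; the 2018 public health report drops out on date because it predates the six-year window; the remaining three entries are what the individual must receive.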
10. Under the HIPAA Breach Notification Rule, when must individual notice be sent for a breach of unsecured PHI?
A. Within 10 calendar days of discovery
B. Without unreasonable delay and in no case later than 60 calendar days after discovery
C. Within 6 months of discovery
D. Only if the breach affects 500+ individuals
Answer: B. Explanation: Per 45 CFR 164.404, individual notice must be provided without unreasonable delay and in no case later than 60 calendar days following the discovery of a breach of unsecured PHI. The 500-individual threshold triggers media notice (164.406) and immediate HHS notice (164.408); it does not change the individual-notice obligation. Exam Tip: 'Without unreasonable delay' means earlier may be required; 60 days is the outside limit, not a target.

About the HPOC Exam

The HPOC (HIPAA Privacy Officer Certified) credential, awarded by the American Institute of Healthcare Compliance (AIHC), validates a privacy officer's mastery of the HIPAA Privacy Rule (45 CFR Part 164 Subpart E), the Breach Notification Rule, 42 CFR Part 2 SUD-record confidentiality, individual rights, OCR enforcement, and state-law preemption. AIHC is a 501(c)(3) non-profit and CMS Licensing/Certification Partner.

  • Questions: 100 scored questions
  • Time limit: online proctored, single sitting
  • Passing score: set by AIHC; open-note format
  • Exam fee: $625 non-member / $450 member (includes course + 1 exam attempt) (AIHC)

HPOC Exam Content Outline

HIPAA Privacy Rule Fundamentals (~25%)
45 CFR Part 164 Subpart E, covered entity and business associate definitions, PHI scope, designated record set, minimum necessary, de-identification, and 6-year documentation retention.

Individual Rights & Notice of Privacy Practices (~20%)
Right of access (30+30, $6.50 flat-fee option, electronic copies), amendment, accounting of disclosures, restrictions (including the HITECH right to restrict disclosures to a health plan for items or services paid out of pocket in full), confidential communications, and NPP content/delivery.

Permitted Uses & Disclosures (~20%)
TPO, marketing and fundraising rules, psychotherapy-notes authorization, research and IRB waivers, public health, law enforcement, judicial proceedings, decedent records, and abuse/neglect reporting.

Breach Notification & Incident Response (~12%)
Subpart D Breach Notification Rule, four-factor risk assessment, 60-day individual notice, 500+ media and HHS/OCR notice, annual log of smaller breaches, encryption safe harbor, and the ransomware breach presumption.

42 CFR Part 2 (SUD Records) (~8%)
Federally assisted SUD program rules, the 2024 single consent for TPO, redisclosure prohibition, court order requirements, and interaction with HIPAA.

Business Associates (~5%)
BA definition, BAA required content under 45 CFR 164.504(e), subcontractor flow-down, BA direct liability under HITECH, and cloud/tracking-technology vendors.

OCR Enforcement & State Law Preemption (~10%)
OCR audit protocols, HITECH four-tier penalty structure, criminal HIPAA penalties, corrective action plans, Right of Access Initiative, and state laws (CMIA, SHIELD).

How to Pass the HPOC Exam

What You Need to Know

  • Passing score: Set by AIHC; open-note format
  • Exam length: 100 questions
  • Time limit: Online proctored single sitting
  • Exam fee: $625 non-member / $450 member (includes course + 1 exam attempt)

Keys to Passing

  • Complete 500+ practice questions
  • Score 80%+ consistently before scheduling
  • Focus on highest-weighted sections
  • Use our AI tutor for tough concepts

HPOC Study Tips from Top Performers

1. Memorize the citation map: 45 CFR Part 160 = administrative/enforcement, Part 164 Subpart C = Security, Subpart D = Breach Notification, Subpart E = Privacy. Most HPOC questions cite a specific section (e.g., 164.524 for access).
2. Master individual-rights timelines: 30 days + one 30-day extension for access, 6 years for accounting of disclosures, 60 days + one 30-day extension for amendment decisions. The numbers appear directly on the exam.
3. Drill the breach four-factor risk assessment verbatim: nature and extent of the PHI (including identifiers and likelihood of re-identification), the unauthorized person who used or received it, whether the PHI was actually acquired or viewed, and the extent to which the risk has been mitigated. Know that ransomware encrypting unsecured ePHI is presumed a breach unless a low probability of compromise is demonstrated.
4. Study 42 CFR Part 2 separately from HIPAA. The 2024 final rule introduced a single consent for future TPO uses and disclosures and aligned redisclosure with HIPAA, but use of Part 2 records in legal proceedings against the patient still requires patient consent or a Part 2 court order.
5. Build a quick-reference cheat sheet for state preemption (CMIA, SHIELD), marketing/fundraising rules, and the individual rights described in the NPP; the open-note format rewards organized references.

Frequently Asked Questions

What is the HPOC exam format?

The HPOC exam is a multiple-choice exam administered online with a professional proctor. It is open-note, meaning you may reference your AIHC course materials during the exam. The exam is taken remotely from your home or office by appointment. AIHC's HPOC is the privacy-officer-focused credential — distinct from AIHC's CHCO (HIPAA compliance officer) credential.

What does the HPOC certification cover?

HPOC focuses on HIPAA Privacy Officer responsibilities: the Privacy Rule (45 CFR Part 164 Subpart E), individual rights, Notice of Privacy Practices, permitted uses and disclosures, breach response, 42 CFR Part 2 substance use disorder confidentiality, OCR audits and enforcement, and state-law preemption (CMIA, SHIELD, etc.).

What are the prerequisites for the HPOC certification?

You must complete the AIHC HIPAA Privacy online course before sitting for the exam. AIHC recommends the certification for experienced HIPAA Privacy Officers, Practice Administrators, Office Managers, Compliance Officers, and Executives at covered entities or business associates. The exam must be taken within 3 months of completing the course.

How much does the HPOC certification cost?

The AIHC HIPAA Privacy course tuition is $625 for non-members or $450 for AIHC members. One certification exam attempt is included in tuition. Up to 2 additional attempts may be purchased within 1 year of enrollment, for a maximum of 3 attempts.

How is HPOC different from AIHC's CHCO credential?

HPOC (HIPAA Privacy Officer Certified) focuses specifically on privacy-officer responsibilities — Notice of Privacy Practices, individual rights, breach response, OCR audits, 42 CFR Part 2, and state-law preemption. CHCO (Certified in HIPAA Compliance) covers the broader HIPAA compliance program, including the Security Rule and risk management. Privacy officers usually pursue HPOC; broader compliance officers often choose CHCO or both.

How do I maintain the HPOC credential?

You must earn 6 Continuing Education Units (CEUs) annually to maintain the HPOC credential. AIHC offers free and low-cost CEU programs for members. The HIPAA Privacy course itself awards 12 AIHC CEUs.