
100+ Free CHPC Practice Questions

Pass your Certified in Healthcare Privacy Compliance exam on the first try — instant access, no signup required.

Key Facts: CHPC Exam

  • Exam questions: 120 (100 scored) (source: CCB/HCCA)
  • Exam time limit: 2 hours (source: CCB/HCCA)
  • Exam fee: $350-$450 (source: CCB 2026 fee schedule)
  • Content areas: 7 domains (source: CHPC Detailed Content Outline)
  • Certification validity: 2 years (source: CCB renewal policy)
  • Renewal requirement: 40 CEUs, of which 20 must be from live events (source: CCB)
The CHPC exam has 120 multiple-choice questions (100 scored, 20 unscored pretest) with a 2-hour time limit. The exam fee is $350 for HCCA members and $450 for non-members. Candidates need 1 year of compliance experience and 20 CCB CEUs to sit for the exam. The exam covers 7 domains: privacy standards and policies, program oversight, vendor screening, training and education, monitoring and auditing, discipline, and investigations. Certification is valid for 2 years, with a 40-CEU renewal requirement.

Sample CHPC Practice Questions

Try these sample questions to test your CHPC exam readiness. Each question includes a detailed explanation. Start the interactive quiz above for the full 100+ question experience with AI tutoring.

1. Under the HIPAA Privacy Rule, which of the following is considered protected health information (PHI)?
A. De-identified health data that cannot be linked to an individual
B. A patient's name combined with their diagnosis in a medical record
C. Aggregate statistical data about hospital admissions
D. Employment records held by a covered entity in its role as employer
Explanation: PHI is individually identifiable health information held or transmitted by a covered entity or its business associate. A patient's name combined with a diagnosis in a medical record meets this definition. De-identified data, aggregate statistics, and employment records held by a covered entity in its capacity as employer are excluded from the definition of PHI under HIPAA.
2. Which of the following is NOT one of the 18 HIPAA identifiers that must be removed to de-identify health information under the Safe Harbor method?
A. Patient's name
B. All elements of dates (except year) directly related to an individual, and all ages over 89
C. Blood type
D. Social Security number
Explanation: The HIPAA Safe Harbor method requires removal of 18 specific identifiers to de-identify health information. Blood type is not one of the 18 identifiers. The 18 identifiers are: names; geographic subdivisions smaller than a state (other than the first three digits of a ZIP code, subject to the low-population exception); all elements of dates other than year that relate directly to an individual, plus all ages over 89; telephone numbers; fax numbers; email addresses; SSNs; medical record numbers; health plan beneficiary numbers; account numbers; certificate/license numbers; vehicle identifiers and serial numbers; device identifiers and serial numbers; URLs; IP addresses; biometric identifiers; full-face photographs and comparable images; and any other unique identifying number, characteristic, or code.
3. A hospital privacy officer discovers that a nurse accessed the medical records of a celebrity patient without a treatment, payment, or operations reason. What type of violation does this represent?
A. An incidental disclosure permitted under HIPAA
B. A permitted use for healthcare operations
C. An unauthorized access or 'snooping' violation
D. A routine quality assurance review
Explanation: Accessing patient records without a legitimate treatment, payment, or healthcare operations purpose constitutes unauthorized access, commonly called 'snooping.' This is a HIPAA violation regardless of whether the information is further disclosed. Healthcare organizations must implement access controls, audit trails, and sanctions for unauthorized access. Celebrity and VIP records are frequently targeted and require additional safeguards and monitoring.
4. Under HIPAA, a patient has the right to request an accounting of disclosures of their PHI. Which of the following disclosures must be included in the accounting?
A. Disclosures for treatment purposes
B. Disclosures made to the individual themselves
C. Disclosures to a public health authority for disease reporting
D. Disclosures made pursuant to a valid patient authorization
Explanation: Disclosures to public health authorities for disease reporting must be included in the accounting of disclosures. HIPAA exempts several types of disclosures from the accounting requirement, including disclosures for treatment, payment, and healthcare operations; disclosures made to the individual; disclosures pursuant to an authorization; disclosures for national security purposes; and disclosures to correctional institutions. The accounting must cover the 6 years prior to the request.
5. What is the primary purpose of a Notice of Privacy Practices (NPP) under HIPAA?
A. To obtain patient consent for all medical procedures
B. To inform individuals about how a covered entity may use and disclose their PHI and their privacy rights
C. To serve as a business associate agreement
D. To document all prior disclosures of patient information
Explanation: The Notice of Privacy Practices (NPP) is required by the HIPAA Privacy Rule to inform individuals about how a covered entity may use and disclose their PHI, the individual's rights regarding their information, and the covered entity's legal duties with respect to PHI. The NPP must be provided at the first service delivery and made available upon request. It is not a consent form, BAA, or disclosure log.
6. Which federal law strengthened HIPAA enforcement and extended privacy requirements to business associates?
A. The Affordable Care Act (ACA)
B. The HITECH Act (part of ARRA 2009)
C. The Genetic Information Nondiscrimination Act (GINA)
D. The Family Educational Rights and Privacy Act (FERPA)
Explanation: The Health Information Technology for Economic and Clinical Health (HITECH) Act, enacted as part of the American Recovery and Reinvestment Act of 2009, significantly strengthened HIPAA enforcement by increasing penalties, requiring breach notification, extending certain HIPAA requirements directly to business associates, and mandating periodic audits. HITECH also established the meaningful use program for electronic health records.
7. A covered entity receives a valid subpoena for patient records that is not accompanied by a court order. Under HIPAA, what must the covered entity verify before disclosing the records?
A. That the requesting attorney is licensed in the state
B. That the patient has been notified or that a qualified protective order has been obtained
C. That the records are less than 5 years old
D. That the subpoena was issued by a federal court
Explanation: When a covered entity receives a subpoena without a court order, HIPAA requires verification that the individual whose records are sought has been given notice and an opportunity to object, or that a qualified protective order has been obtained. This protects patient privacy rights while permitting legitimate legal processes. A court order itself would be sufficient authorization, but a subpoena alone requires these additional safeguards.
8. The minimum necessary standard under HIPAA requires covered entities to:
A. Disclose all available patient information for any legitimate request
B. Limit PHI uses, disclosures, and requests to the minimum amount needed to accomplish the intended purpose
C. Provide the complete medical record only to physicians
D. Restrict all PHI disclosures to law enforcement
Explanation: The minimum necessary standard requires covered entities to make reasonable efforts to limit PHI uses, disclosures, and requests to the minimum necessary to accomplish the intended purpose. This applies to most uses and disclosures but does not apply to disclosures for treatment, disclosures to the individual, disclosures pursuant to an authorization, disclosures required by law, or disclosures to HHS for enforcement purposes.
9. Which of the following situations requires a written patient authorization under HIPAA before PHI can be disclosed?
A. Disclosing PHI to another provider for treatment
B. Reporting suspected child abuse to a state agency
C. Using PHI in marketing communications to the patient
D. Disclosing PHI to a health plan for payment purposes
Explanation: HIPAA requires a valid written authorization before using or disclosing PHI for marketing purposes. Marketing is defined as a communication about a product or service that encourages the recipient to purchase or use it. Exceptions exist for face-to-face communications and promotional gifts of nominal value. Disclosures for treatment, payment, and required reporting (such as child abuse) do not require authorization.
10. A privacy officer is developing a new organizational privacy program. Which element should be established FIRST?
A. A sanctions policy for privacy violations
B. A comprehensive risk assessment to identify privacy vulnerabilities
C. A marketing plan for privacy training materials
D. An employee newsletter about privacy awareness
Explanation: A comprehensive risk assessment should be the first step in developing a privacy program because it identifies the organization's privacy vulnerabilities, regulatory obligations, and areas of highest risk. The results of the risk assessment then inform the development of policies, procedures, training programs, and monitoring activities. Without understanding the organization's specific risks, other program elements cannot be effectively designed or prioritized.
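Question 2 above lists the Safe Harbor identifiers; the following is an added worked example (not code from this page or from CCB/HCCA) of what a Safe Harbor pass actually does to a record: drop direct identifiers and sub-state geography, reduce dates to year, generalize ZIP codes to three digits (or "000" for low-population prefixes), collapse ages over 89 into "90+", and scrub identifier patterns out of free text. The field names ("mrn", "zip", "notes" and so on) and the sample record are assumptions constructed for illustration.

```python
"""Safe Harbor de-identification (45 CFR 164.514(b)(2)) of a flat patient record.

Added example; not code from the page or from CCB/HCCA. Field names and the
sample record are assumptions chosen for illustration.
"""
import re
from datetime import date

# Identifiers removed outright: names, geography below state level, contact
# details, record/account numbers, device/vehicle identifiers, biometrics,
# photographs. Field names are assumed.
REMOVED_FIELDS = {
    "name", "address", "city", "county", "ssn", "mrn", "phone", "fax", "email",
    "health_plan_id", "account_number", "license_number", "vehicle_id",
    "device_id", "url", "ip_address", "biometric_id", "photo_ref",
}

# Dates directly related to the individual: only the year may survive.
DATE_FIELDS = {"dob", "admit_date", "discharge_date", "death_date"}

# Three-digit ZIP prefixes covering 20,000 or fewer people, which Safe Harbor
# requires to be reported as "000". Taken from the HHS guidance based on the
# 2000 Census; re-verify against current guidance before relying on it.
RESTRICTED_ZIP3 = {
    "036", "059", "063", "102", "203", "556", "692", "790", "821", "823",
    "830", "831", "878", "879", "884", "890", "893",
}

# Identifier patterns that leak into free text. Order matters: SSN runs
# before phone so "123-45-6789" is tagged as an SSN, not a phone number.
FREE_TEXT_PATTERNS = [
    (re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), "[SSN]"),
    (re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b"), "[IP]"),
    (re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"), "[EMAIL]"),
    (re.compile(r"\(?\b\d{3}\)?[-. ]?\d{3}[-. ]?\d{4}\b"), "[PHONE]"),
    (re.compile(r"\b\d{1,2}/\d{1,2}/\d{2,4}\b"), "[DATE]"),
]

# Constructed sample record (fictional data).
SAMPLE_RECORD = {
    "name": "Jane Q. Patient",
    "mrn": "MRN-0099871",
    "ssn": "123-45-6789",
    "dob": date(1931, 5, 20),
    "address": "12 Elm St",
    "city": "Springfield",
    "state": "IL",
    "zip": "03601",
    "admit_date": date(2024, 3, 14),
    "diagnosis": "E11.9",
    "notes": "Called pt at 555-867-5309 re: f/u on 03/20/2024; email jane@example.com",
}


def age_on(dob: date, as_of: date) -> int:
    """Completed years between dob and as_of."""
    return as_of.year - dob.year - ((as_of.month, as_of.day) < (dob.month, dob.day))


def generalize_zip(zip5: str) -> str:
    """Keep the 3-digit ZIP prefix unless it falls in a low-population area."""
    prefix = zip5[:3]
    return "000" if prefix in RESTRICTED_ZIP3 else prefix


def scrub_free_text(text: str) -> str:
    """Replace identifier-shaped substrings in free text with a tag."""
    for pattern, tag in FREE_TEXT_PATTERNS:
        text = pattern.sub(tag, text)
    return text


def deidentify(record: dict, as_of: date) -> dict:
    """Return a Safe Harbor de-identified copy of `record`.

    `as_of` is the date against which age is computed: ages over 89, and any
    date element (including birth year) that would reveal such an age, must
    collapse into a single "90+" category.
    """
    dob = record.get("dob")
    age = age_on(dob, as_of) if isinstance(dob, date) else record.get("age")
    over_89 = age is not None and age > 89
    out = {}
    for field, value in record.items():
        if field in REMOVED_FIELDS:
            continue
        if field == "zip":
            out[field] = generalize_zip(str(value))
        elif field in DATE_FIELDS and isinstance(value, date):
            out[field] = None if (field == "dob" and over_89) else value.year
        elif field == "age":
            out[field] = "90+" if over_89 else value
        elif isinstance(value, str):
            out[field] = scrub_free_text(value)
        else:
            out[field] = value
    if age is not None and "age" not in out:
        out["age"] = "90+" if over_89 else age
    return out


if __name__ == "__main__":
    print(deidentify(SAMPLE_RECORD, date(2024, 12, 31)))
```

The free-text scrub is the part that fails silently in real deployments: a clean structured schema still leaks if narrative notes carry phone numbers, dates of service, or relatives' names, and regexes cannot catch names at all. Treat the pattern list as a floor and run the output through a reviewer (or the Expert Determination method) before calling the data set de-identified.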
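Question 3 above says organizations must keep audit trails and act on unauthorized access. The following is an added example (not code from this page or from CCB/HCCA) of the detection logic a privacy or security team would run over EHR access logs: every access is checked against the care-team relationships on file, accesses with no relationship are alerted (higher severity for VIP-flagged patients), and break-the-glass accesses are queued for review rather than dismissed. The log format, care-team table and VIP list are constructed assumptions; in practice they come from the EHR audit log and ADT/scheduling feeds.

```python
"""Detecting record 'snooping' in EHR access audit logs.

Added example; not code from the page or from CCB/HCCA. The log layout, the
care-team table and the VIP list are constructed for illustration.
"""
from collections import Counter
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class AccessEvent:
    ts: datetime
    user: str
    patient: str
    action: str
    department: str
    justification: str  # non-empty when the user invoked break-the-glass


# Constructed audit log: timestamp,user,patient,action,department,justification
SAMPLE_LOG = """\
2024-03-14T10:02:11Z,nurse_a,P001,view,Nursing,
2024-03-14T10:05:40Z,nurse_a,P002,view,Nursing,
2024-03-14T10:07:03Z,nurse_a,P003,view,Nursing,
2024-03-14T10:07:30Z,nurse_a,P003,print,Nursing,
2024-03-14T11:15:00Z,dr_b,P003,view,Oncology,
2024-03-14T11:20:00Z,clerk_c,P003,view,Registration,break-the-glass: ED coverage
2024-03-14T12:00:00Z,dr_b,P001,view,Oncology,
"""

# Constructed treatment relationships (user -> patients on their care team)
# and VIP flags; both are assumptions for this example.
CARE_TEAM = {"nurse_a": {"P001", "P002"}, "dr_b": {"P003"}}
VIP_PATIENTS = {"P003"}


def parse_log(text: str) -> list:
    """Parse the constructed CSV-style log into AccessEvent objects."""
    events = []
    for line in text.strip().splitlines():
        ts, user, patient, action, dept, just = line.split(",", 5)
        events.append(AccessEvent(
            datetime.fromisoformat(ts.replace("Z", "+00:00")),
            user, patient, action, dept, just.strip(),
        ))
    return events


def detect_snooping(events, care_team, vip_patients) -> list:
    """One alert per access that lacks a documented treatment relationship.

    Break-the-glass accesses are not suppressed: the stated reason has to be
    validated after the fact, so they are routed to a review queue.
    """
    alerts = []
    for e in events:
        if e.patient in care_team.get(e.user, set()):
            continue  # relationship on file: permitted TPO access
        base = {"ts": e.ts.isoformat(), "user": e.user,
                "patient": e.patient, "action": e.action}
        if e.justification:
            alerts.append({**base, "reason": "break_the_glass_needs_review",
                           "severity": "review"})
            continue
        alerts.append({**base, "reason": "no_treatment_relationship",
                       "severity": "high" if e.patient in vip_patients else "medium"})
    return alerts


def unrelated_patients_per_user(alerts) -> dict:
    """Distinct patients each user accessed with no relationship and no justification.

    A single hit is often a workflow gap (float staff, coverage); a user with
    many distinct unrelated patients is the snooping pattern worth escalating.
    """
    pairs = {(a["user"], a["patient"]) for a in alerts
             if a["reason"] == "no_treatment_relationship"}
    return dict(Counter(user for user, _ in pairs))


if __name__ == "__main__":
    found = detect_snooping(parse_log(SAMPLE_LOG), CARE_TEAM, VIP_PATIENTS)
    for a in found:
        print(a["severity"], a["user"], a["patient"], a["action"], a["reason"])
    print(unrelated_patients_per_user(found))
```

On the sample log this flags the nurse's two touches of the VIP record as high severity, the clerk's break-the-glass access for review, and the physician's unrelated view as medium. Real relationship data is time-bounded (assignments start and end), so production logic should compare the access timestamp against the assignment window rather than a static set, and the sanctions policy the explanation mentions should key off the reviewed alerts, not the raw log.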

About the CHPC Exam

The CHPC exam validates expertise in healthcare privacy compliance, including HIPAA Privacy Rule, HITECH Act, state privacy laws, patient rights, breach notification, and privacy program management. Administered by the Compliance Certification Board through HCCA, it is the leading credential for healthcare privacy officers and compliance professionals responsible for protecting patient information and managing organizational privacy programs.

Assessment

120 multiple-choice questions (100 scored, 20 pretest)

Time Limit

2 hours

Passing Score

Criterion-referenced scaled passing score

Exam Fee

$350 (member) / $450 (non-member) (Compliance Certification Board (CCB) / Health Care Compliance Association (HCCA))

CHPC Exam Content Outline

17%

Privacy Standards, Policies, and Procedures

Privacy program components, policy development and review, HIPAA/HITECH/FERPA/GINA regulatory requirements, governance policies, record retention, and stakeholder communications

16%

Privacy Compliance Program Oversight

Risk assessments, annual work plans, privacy officer role and authority, governance board reporting, regulatory interpretation, emerging technologies, and program evaluation

9%

Screening/Evaluation of Employees, Physicians, Vendors and Other Agents

Privacy obligations in job descriptions, background checks, exit interviews, business associate agreements, vendor due diligence, and data use agreements

17%

Communication, Education, and Training on Compliance Issues

Role-based privacy training, employee and physician education, regulatory dissemination, organizational privacy culture, documentation obligations, and continuing education

17%

Privacy Monitoring, Auditing, and Internal Reporting Systems

Organizational risk assessments, auditing and monitoring plans, compliance monitoring tools, hotline and reporting systems, anonymity protections, and external audit management

9%

Discipline for Non-Compliance

Disciplinary policies for privacy violations, corrective action coordination, proportionate disciplinary measures, organization-wide consistency, and documentation

15%

Investigations and Remedial Measures

Privacy investigations, breach response coordination, disclosure and notification requirements, corrective action plans, regulatory agency interactions, and harm mitigation

How to Pass the CHPC Exam

What You Need to Know

  • Passing score: Criterion-referenced scaled passing score
  • Assessment: 120 multiple-choice questions (100 scored, 20 pretest)
  • Time limit: 2 hours
  • Exam fee: $350 (member) / $450 (non-member)

Keys to Passing

  • Complete 500+ practice questions
  • Score 80%+ consistently before scheduling
  • Focus on highest-weighted sections
  • Use our AI tutor for tough concepts

CHPC Study Tips from Top Performers

1. Master the HIPAA Privacy Rule fundamentals: permitted uses and disclosures, the minimum necessary standard, and the distinction between consent and authorization
2. Know all patient rights under HIPAA: access, amendment, accounting of disclosures, restriction requests, confidential communications, and the right to file complaints
3. Study the 7 elements of an effective compliance program as outlined by the OIG and understand how each applies to a privacy compliance program
4. Understand business associate agreement requirements, vendor due diligence, and when BAAs are required versus data use agreements
5. Focus heavily on breach notification: the 4-factor risk assessment; the notification timelines (individuals without unreasonable delay and no later than 60 calendar days after discovery; for breaches affecting 500 or more individuals, HHS within that same 60-day window, plus prominent media outlets when 500 or more residents of a state or jurisdiction are affected; for smaller breaches, HHS within 60 days after the end of the calendar year in which the breach was discovered); and state law variations

Frequently Asked Questions

What is the CHPC certification?

The CHPC (Certified in Healthcare Privacy Compliance) is a professional credential offered by the Compliance Certification Board (CCB) through the Health Care Compliance Association (HCCA). It validates expertise in healthcare privacy compliance, including HIPAA Privacy Rule, HITECH Act, state privacy laws, patient rights, breach notification, and privacy program management. It is the leading certification for healthcare privacy officers and compliance professionals.

How many questions are on the CHPC exam?

The CHPC exam consists of 120 multiple-choice questions, but only 100 are scored. The remaining 20 are unscored pretest questions used for exam development. You have 2 hours to complete all 120 questions. The pretest questions are randomly distributed throughout the exam and cannot be distinguished from scored questions, so you should answer every question carefully.

What are the eligibility requirements for CHPC certification?

To qualify for the CHPC exam, you must have at least 1 year of full-time compliance experience (or 1,500 hours of direct compliance duties within 2 years before your application). Your job duties must relate to the CHPC Detailed Content Outline. You must also earn and submit 20 CCB-approved Continuing Education Units (CEUs) within 12 months of your anticipated exam date.

How much does the CHPC exam cost?

The CHPC exam application fee is $350 for HCCA/SCCE members and $450 for non-members. If you need to retake the exam, there is a $75 non-refundable re-exam application fee. If you fail two attempts within 180 days, you must wait 180 days before reapplying. A $75 rescheduling fee may also apply if you need to change your exam date.

How do I maintain my CHPC certification?

CHPC certification is valid for 2 years. To renew, you must earn 40 CCB Continuing Education Units (CEUs) during your certification period, with at least 20 coming from live training events. The renewal fee is $145 for HCCA/SCCE members and $265 for non-members. If you need additional time, monthly renewal extensions are available for $50 per month, up to a two-month maximum.