
100+ Free CHPS Practice Questions

Pass your AHIMA Certified in Healthcare Privacy and Security exam on the first try — instant access, no signup required.


Key Facts: CHPS Exam

  • Total Questions: 150 (AHIMA: 125 scored + 25 pretest)
  • Exam Time: 3h 25m (AHIMA CHPS exam specifications)
  • Passing Scaled Score: 300 (AHIMA scoring model, 100-400 scale)
  • Exam Fee: $259–$329 (AHIMA member/non-member pricing)
  • First-Attempt Pass Rate: 68% (AHIMA 2025 data, 107 testers)
  • Certified CHPS Professionals: 715 (AHIMA, as of 12/31/2025)

AHIMA's CHPS exam uses 150 total items (125 scored + 25 pretest), with 3 hours 25 minutes of exam time inside a 3.5-hour appointment and a passing scaled score of 300. Pricing is $259 for AHIMA members and $329 for non-members. Content weighting spans four domains: Ethical/Legal/Regulatory (10-18%), Program Management (30-40%), IT/Physical/Technical Safeguards (24-35%), and Investigation/Compliance/Enforcement (19-24%). AHIMA's 2025 data shows a 68% first-attempt pass rate.

Sample CHPS Practice Questions

Try these sample questions to test your CHPS exam readiness. Each question includes a detailed explanation. Start the interactive quiz above for the full 100+ question experience with AI tutoring.

1. Under the HIPAA Privacy Rule, which entity is required to provide a Notice of Privacy Practices (NPP) to patients?
A. Business associates
B. Covered entities
C. Health information exchanges
D. Clearinghouses only
Explanation: Covered entities, including healthcare providers who conduct electronic transactions, health plans, and healthcare clearinghouses, are required to provide a Notice of Privacy Practices. The NPP informs patients about how their PHI may be used and disclosed and outlines their rights.

2. A hospital's privacy officer receives a patient complaint about unauthorized access to medical records. What is the FIRST step the privacy officer should take?
A. Report the incident to the Office for Civil Rights immediately
B. Document the complaint and initiate an investigation
C. Terminate the employee suspected of unauthorized access
D. Notify local law enforcement
Explanation: The first step when receiving a privacy complaint is to document it and initiate an internal investigation. This allows the organization to gather facts, determine the scope of the incident, and assess whether a breach has occurred before taking further action such as reporting or disciplinary measures.

3. Which of the following is a required element of the HIPAA Security Rule's administrative safeguards?
A. Encryption of all electronic communications
B. Risk analysis and risk management
C. Biometric authentication for all users
D. Annual penetration testing
Explanation: Risk analysis and risk management are required administrative safeguards under the HIPAA Security Rule (45 CFR 164.308). Organizations must conduct an accurate and thorough assessment of potential risks and vulnerabilities to ePHI and implement security measures to reduce risks to a reasonable and appropriate level.

4. What is the maximum time frame for notifying affected individuals after discovering a breach of unsecured protected health information?
A. 30 days
B. 60 days
C. 90 days
D. 120 days
Explanation: Under the HIPAA Breach Notification Rule, covered entities must notify affected individuals without unreasonable delay and no later than 60 days after discovery of a breach of unsecured PHI. This timeline applies to individual notification regardless of the number of people affected.

5. The HIPAA minimum necessary standard requires covered entities to:
A. Encrypt all PHI before sharing with any party
B. Limit PHI disclosures to the minimum amount needed for the intended purpose
C. Obtain patient authorization for every PHI disclosure
D. Restrict access to PHI to licensed healthcare providers only
Explanation: The minimum necessary standard requires covered entities to make reasonable efforts to limit PHI access, use, and disclosure to the minimum amount necessary to accomplish the intended purpose. This applies to most uses and disclosures but does not apply to disclosures for treatment, to the individual, or pursuant to an authorization.

6. A healthcare organization discovers that a laptop containing unencrypted ePHI was stolen from an employee's vehicle. Under HIPAA, this situation is classified as:
A. A security incident that does not require notification
B. A breach requiring notification under the Breach Notification Rule
C. A privacy violation that only requires internal documentation
D. An addressable implementation specification failure
Explanation: The theft of a laptop containing unencrypted ePHI constitutes a breach under HIPAA because the PHI was not rendered unusable or unreadable through encryption or destruction. The organization must perform a risk assessment and, unless it can demonstrate a low probability that PHI was compromised, must notify affected individuals, HHS, and potentially the media.

7. Which of the following correctly describes the relationship between HIPAA and state privacy laws?
A. HIPAA always preempts state laws regarding health information privacy
B. State laws that are more stringent than HIPAA generally are not preempted
C. State laws always take precedence over HIPAA
D. HIPAA and state laws cannot both apply to the same situation
Explanation: Under HIPAA preemption analysis, state laws that are more stringent (i.e., more protective of individual privacy) than HIPAA are generally not preempted and remain in effect. Covered entities must comply with whichever law provides greater protection for the individual. This means organizations operating in multiple states may need to follow different standards in different locations.

8. A business associate agreement (BAA) must include all of the following provisions EXCEPT:
A. Permitted uses and disclosures of PHI by the business associate
B. Requirements to implement appropriate safeguards to protect PHI
C. Guaranteed indemnification of the covered entity for all breaches
D. Requirements to report security incidents and breaches to the covered entity
Explanation: While a BAA may include indemnification clauses as a business decision, guaranteed indemnification is not a required provision under HIPAA. Required BAA provisions include permitted/required uses and disclosures, safeguard implementation, breach reporting, and ensuring subcontractors agree to similar restrictions.

9. Under the HIPAA Privacy Rule, a patient requests a copy of their complete medical record. The covered entity may deny this request ONLY if:
A. The records are maintained electronically and the patient wants a paper copy
B. A licensed healthcare professional determines access would endanger the patient or another person
C. The request would require excessive administrative effort
D. The patient has an outstanding balance on their account
Explanation: A covered entity may deny a patient's access to their PHI in limited circumstances, including when a licensed healthcare professional determines in their professional judgment that access would reasonably endanger the life or physical safety of the individual or another person. This is a reviewable denial, meaning the patient can request a review by a different professional.

10. Which component of the HIPAA Security Rule specifically addresses the protection of ePHI during electronic transmission?
A. Administrative safeguards
B. Physical safeguards
C. Technical safeguards — transmission security
D. Organizational requirements
Explanation: Transmission security is a technical safeguard under the HIPAA Security Rule (45 CFR 164.312(e)). It requires covered entities to implement technical security measures to guard against unauthorized access to ePHI transmitted over electronic communications networks, including integrity controls and encryption.

About the CHPS Exam

The AHIMA CHPS certification validates expertise in healthcare privacy and security program management. The exam covers HIPAA Privacy and Security Rules, breach notification, risk assessment, information governance, access controls, and compliance enforcement across all types of healthcare organizations.

  • Questions: 125 scored questions
  • Time Limit: 3 hours 25 minutes
  • Passing Score: Scaled score 300
  • Exam Fee: $259–$329 (AHIMA)

CHPS Exam Content Outline

  • Ethical, Legal, and Regulatory Issues (10-18%): privacy/security laws and regulations, HIPAA preemption, officer responsibilities, and PHI access during public health emergencies
  • Privacy and Security Program Management (30-40%): Notice of Privacy Practices, patient rights, business associate agreements, facility security, workforce training, and record-set protections
  • IT/Physical and Technical Safeguards (24-35%): security plans, access controls, encryption, business continuity, network protection, intrusion detection, and media disposal
  • Investigation, Compliance, and Enforcement (19-24%): compliance monitoring, breach notification procedures, incident response, audit controls, and enforcement actions

How to Pass the CHPS Exam

What You Need to Know

  • Passing score: Scaled score 300
  • Exam length: 125 scored questions (150 total, including 25 unscored pretest items)
  • Time limit: 3 hours 25 minutes
  • Exam fee: $259–$329

Keys to Passing

  • Complete 500+ practice questions
  • Score 80%+ consistently before scheduling
  • Focus on highest-weighted sections
  • Use our AI tutor for tough concepts

CHPS Study Tips from Top Performers

1. Program Management is the largest domain (30-40%): master NPP distribution, patient rights, and BAA requirements
2. Know the difference between HIPAA Privacy Rule and Security Rule requirements and which applies to each scenario
3. Practice breach notification timelines: 60 days to individuals, annual HHS report for under-500 breaches, media notification for 500+ breaches
4. Build a risk assessment framework: identify threats, vulnerabilities, likelihood, and impact for PHI systems
5. Study access control scenarios including emergency access, minimum necessary, and role-based authentication

Frequently Asked Questions

How many questions are on the CHPS exam?

The CHPS exam has 150 total questions: 125 scored items and 25 unscored pretest items randomly distributed throughout the exam. You will not know which items are pretest.

How long is the CHPS exam?

AHIMA allows 3 hours and 25 minutes of exam time for the CHPS, within a 3.5-hour total appointment window at Pearson VUE.

What score do I need to pass the CHPS exam?

The CHPS requires a scaled score of 300 or higher to pass. AHIMA scales all certification exams to a 100-400 range with the pass point set at 300.

What is the CHPS first-attempt pass rate?

AHIMA's 2025 data reports a 68% first-attempt pass rate for the CHPS exam across 107 first-time testers. The pass rate has ranged from 65% to 72% in recent years.

How much does the CHPS exam cost?

The CHPS exam costs $259 for AHIMA members and $329 for non-members. Retake fees are the same as the initial exam fee, and candidates must wait 90 days before retesting.

How should I prepare for the CHPS exam in 2026?

Focus heaviest on Program Management (30-40% of the exam) and Technical Safeguards (24-35%). Build a strong HIPAA foundation first, then practice scenario-based questions on breach notification, risk assessment, and compliance enforcement.