
100+ Free HCISPP Practice Questions

Pass your ISC2 HealthCare Information Security and Privacy Practitioner exam on the first try — instant access, no signup required.


Key Facts: HCISPP Exam

  • Exam items: 125 (source: ISC2)
  • Scaled passing grade: 700/1000 (source: ISC2)
  • Exam duration: 3 hours (source: ISC2)
  • Exam fee: US$599 (source: ISC2)
  • Inactive designation: Dec 1, 2026 (source: ISC2)
  • DoD 8570.1: IAM I approved (source: DoD)

ISC2 HCISPP is a healthcare-focused privacy and security credential with a 3-hour, 125-item exam, a 700/1000 scaled passing grade, and a US$599 fee through Pearson VUE. The exam covers seven weighted domains: Healthcare Industry (12%), Information Governance (5%), Healthcare IT (14%), Regulatory and Standards (15%), Privacy and Security (24%), Risk Management (17%), and Third-Party Risk Management (13%). HCISPP is DoD 8570.1 approved for IAM Level I. ISC2 has designated HCISPP INACTIVE effective December 1, 2026; the exam remains bookable through the end of 2026, and currently certified holders retain their credential when CPEs and annual fees stay current.

Sample HCISPP Practice Questions

Try these sample questions to test your HCISPP exam readiness. Each question includes a detailed explanation. Start the interactive quiz above for the full 100+ question experience with AI tutoring.

1. Under HIPAA, which of the following entities is classified as a 'covered entity' rather than a 'business associate'?
A. A cloud storage vendor that stores PHI for a hospital
B. A medical billing company processing claims on behalf of a clinic
C. A health plan that pays for medical care
D. A shredding service contracted to destroy paper records containing PHI
Explanation: HIPAA defines covered entities as health plans, healthcare clearinghouses, and healthcare providers that transmit health information electronically in connection with covered transactions. A health plan that pays for or provides medical care is a covered entity directly subject to the HIPAA Privacy and Security Rules.

2. Which healthcare reimbursement model pays providers a set amount per service performed, regardless of patient outcome?
A. Value-based care
B. Fee-for-service
C. Capitation
D. Bundled payment
Explanation: Fee-for-service (FFS) reimburses providers for each individual service or procedure rendered, with no link to outcomes or quality. It has historically been the dominant U.S. reimbursement model and is what value-based and alternative payment models seek to move away from.

3. Which code set is used in the United States to classify diagnoses on a healthcare claim?
A. CPT
B. HCPCS Level II
C. ICD-10-CM
D. LOINC
Explanation: ICD-10-CM (International Classification of Diseases, 10th Revision, Clinical Modification) is the HIPAA-mandated code set for diagnoses on professional and institutional claims in the U.S. It is maintained by the National Center for Health Statistics (NCHS) under CMS supervision.

4. Which acronym describes the three core HIPAA-permitted uses and disclosures that generally do NOT require patient authorization?
A. TPO — Treatment, Payment, and Healthcare Operations
B. PCM — Provider, Carrier, Member
C. RHO — Referral, Health, Outcomes
D. PHI — Protected Healthcare Information
Explanation: TPO stands for Treatment, Payment, and Healthcare Operations. Under 45 CFR 164.506, covered entities may use and disclose protected health information for these purposes without obtaining a separate patient authorization, subject to the minimum necessary rule and other Privacy Rule requirements.

5. Which document is a covered entity required to provide to patients describing the entity's privacy practices, patient rights, and complaint procedures?
A. Notice of Privacy Practices (NPP)
B. Business Associate Agreement (BAA)
C. Authorization for Use and Disclosure
D. Notice of Information Blocking
Explanation: The HIPAA Privacy Rule (45 CFR 164.520) requires covered entities to provide patients with a Notice of Privacy Practices (NPP). The NPP describes how the entity may use and disclose PHI, the patient's rights, and how to file a complaint with the entity or with HHS OCR.

6. A patient asks the hospital to send appointment reminders only to a personal mobile number rather than the home phone listed in the chart. Which HIPAA patient right does this exercise?
A. Right to amend
B. Right to confidential communications
C. Right to an accounting of disclosures
D. Right of access
Explanation: The right to request confidential communications under 45 CFR 164.522(b) lets patients request that PHI be communicated by alternative means or at alternative locations. Covered providers must accommodate reasonable requests without requiring the patient to explain why.

7. Which workflow phase in a healthcare encounter typically initiates the revenue cycle?
A. Discharge planning
B. Claim adjudication
C. Patient registration and eligibility verification
D. Remittance posting
Explanation: The revenue cycle begins at patient registration and eligibility verification, where demographic, insurance, and authorization data are captured. Errors at this front-end step propagate downstream as denied claims, which is why front-end accuracy is a major control objective.

8. Which healthcare role is generally responsible for the day-to-day implementation of the privacy program at a covered entity, including training, complaint handling, and policy enforcement?
A. Chief Medical Officer
B. Privacy Officer
C. Chief Financial Officer
D. Patient Access Coordinator
Explanation: HIPAA requires covered entities to designate a Privacy Officer responsible for the development and implementation of privacy policies and procedures, workforce training, complaint receipt, and overall coordination of the privacy program (45 CFR 164.530).

9. A primary care provider sends a referral with imaging results to a specialist via a regional Health Information Exchange. Which information flow concept is BEST illustrated?
A. Internal disclosure for healthcare operations
B. External, inter-organizational PHI exchange for treatment
C. De-identified data release for research
D. Marketing communication
Explanation: Sending PHI between two organizations through an HIE for direct patient care is an external, inter-organizational exchange for treatment. It is permitted under HIPAA without patient authorization but must follow minimum necessary, security, and HIE participation agreements.

10. Which delivery model is characterized by a single organization owning hospitals, physician groups, and health plans to coordinate care and capitated payments?
A. Fee-for-service network
B. Integrated delivery network (IDN)
C. Independent Practice Association (IPA)
D. Federally Qualified Health Center (FQHC)
Explanation: An Integrated Delivery Network (IDN) brings hospitals, employed physicians, post-acute services, and often a health plan under a common organization. This vertical integration enables coordinated care, value-based contracting, and shared analytics across the continuum.

About the HCISPP Exam

The ISC2 HealthCare Information Security and Privacy Practitioner (HCISPP) credential validates expertise in implementing, managing, and assessing security and privacy controls to protect healthcare organizations and patient information. It is built around seven weighted domains: Healthcare Industry, Information Governance in Healthcare, Information Technologies in Healthcare, Regulatory and Standards Environment, Privacy and Security in Healthcare, Risk Management and Risk Assessment, and Third-Party Risk Management. The exam is 3 hours, 125 multiple-choice items, with a 700/1000 scaled passing grade and a US$599 fee delivered through Pearson VUE.

  • Assessment: 125 multiple-choice items in linear, fixed-form delivery covering seven weighted domains
  • Time limit: 3 hours
  • Passing score: 700/1000 scaled score
  • Exam fee: US$599 (ISC2 / Pearson VUE)

HCISPP Exam Content Outline

  • Healthcare Industry (12%): Healthcare organizations, delivery models, workflows, patient safety, roles, information flow, protected data exchange, reimbursement (FFS, value-based), ICD-10/CPT/HCPCS code sets, and the revenue cycle
  • Information Governance in Healthcare (5%): Information governance principles, data classification and stewardship, information lifecycle management, and IG roles and responsibilities
  • Information Technologies in Healthcare (14%): EHR/EMR (Epic, Oracle Health/Cerner, Meditech, Allscripts, Athenahealth), HIE (Carequality, CommonWell), HL7 v2/FHIR R4/DICOM, ICD-10/CPT/SNOMED CT/LOINC, medical devices and IoT (FDA MDS2, postmarket cybersecurity), cloud and data center technology, PHI/ePHI characteristics, and external threats and vulnerabilities
  • Regulatory and Standards Environment (15%): HIPAA Privacy/Security/Breach Notification (45 CFR 164), HITECH, 21st Century Cures Act and ONC's eight information blocking exceptions, FDA premarket/postmarket cybersecurity, CMS conditions of participation, OCR enforcement and CMP tiers, GDPR, PIPEDA, CCPA/CPRA, NY SHIELD, Texas HB 300, Washington My Health My Data Act, NIST 800-66, NIST CSF healthcare profile, HITRUST CSF, and ISO 27799
  • Privacy and Security in Healthcare (24%): CIA, least privilege, IAM (RBAC, ABAC, break-the-glass), encryption (AES-256, FIPS 140-3), de-identification (Safe Harbor 18 identifiers, Expert Determination), pseudonymization, sensitive data handling (mental health, 42 CFR Part 2 substance use, GINA genetic, minors), program controls, monitoring/auditing/logging, incident response (NIST 800-61), breach handling (60-day rule, four-factor test), and workforce training
  • Risk Management and Risk Assessment (17%): Risk lifecycle, qualitative and quantitative methodologies (SLE/ARO/ALE), threat and vulnerability identification, risk treatment (accept/mitigate/transfer/avoid), risk monitoring, BCP/DR (BIA, RTO/RPO, DR site types), control selection, and NIST 800-30/39
  • Third-Party Risk Management (13%): Business Associate Agreements (BAAs), vendor due diligence (SOC 2 Type II, HITRUST CSF Assessment), supply chain and Nth-party risk (Log4j, SolarWinds), third-party requirements, ongoing monitoring, termination and offboarding, connection agreements (ISA), and concentration risk

How to Pass the HCISPP Exam

What You Need to Know

  • Passing score: 700/1000 scaled score
  • Assessment: 125 multiple-choice items in linear, fixed-form delivery covering seven weighted domains
  • Time limit: 3 hours
  • Exam fee: US$599

Keys to Passing

  • Complete 500+ practice questions
  • Score 80%+ consistently before scheduling
  • Focus on highest-weighted sections
  • Use our AI tutor for tough concepts

HCISPP Study Tips from Top Performers

1. Memorize HIPAA's 60-day breach notification rule and the four-factor risk assessment used to determine reportable breaches under 45 CFR 164.402-414.
2. Master Safe Harbor de-identification (18 identifiers) versus Expert Determination, and how pseudonymization differs from both — re-identifiable data is still PHI.
3. Learn the eight ONC information blocking exceptions and which group they belong to: Preventing Harm, Privacy, Security, Infeasibility, Health IT Performance, Content and Manner, Fees, and Licensing.
4. Distinguish covered entity vs. business associate vs. subcontractor, and remember the Omnibus Rule requirement to flow BAAs down to subcontractors handling PHI.
5. Practice mapping NIST 800-30 (risk assessment), 800-61 (incident response), 800-66 (HIPAA Security Rule implementation), and HITRUST CSF to specific HCISPP scenarios.
6. Know the difference between RBAC, ABAC, and break-the-glass access — including what monitoring controls make BTG defensible in emergency departments.
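Study tip 2 is easier to retain when you see Safe Harbor and pseudonymization side by side in code. The following is an added example, not part of this page or of any ISC2 material: it applies the 45 CFR 164.514(b)(2) Safe Harbor rules to a constructed patient record (drop direct identifiers, truncate ZIP to three digits or "000", reduce dates to year, aggregate ages over 89), then runs a residual check over free text, and contrasts that with a keyed-HMAC pseudonym for the MRN, which stays PHI because the key holder can reverse the mapping. The field names, the restricted ZIP-prefix set, and the sample record are all assumptions made for illustration.

```python
import hmac
import hashlib
import re

# Field names are assumptions for this example, not a real EHR/FHIR schema.
# Fields that map to Safe Harbor's directly removed identifiers (names, address
# parts below state level, contact details, SSN/MRN/plan/account/license numbers,
# vehicle and device identifiers, URLs, IPs, biometrics, photos, other unique codes).
DIRECT_IDENTIFIER_FIELDS = {
    "name", "street", "city", "county", "phone", "fax", "email", "ssn", "mrn",
    "health_plan_id", "account_number", "license_number", "vehicle_id",
    "device_serial", "url", "ip_address", "biometric", "photo", "other_unique_id",
}

# Date fields that Safe Harbor reduces to year only.
DATE_FIELDS = {"birth_date", "admission_date", "discharge_date", "death_date"}

# Constructed placeholder: Safe Harbor keeps the first three ZIP digits only when
# that three-digit area holds more than 20,000 people; otherwise they become "000".
# The real list is derived from Census data; these values are made up.
RESTRICTED_ZIP3 = {"036", "059", "102", "203", "556"}

# Patterns for identifiers that commonly leak into free text after field removal.
RESIDUAL_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone": re.compile(r"\b\d{3}[-.]\d{3}[-.]\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "ip_address": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
}


def generalize_zip(zip_code):
    """Keep the three-digit ZIP prefix, or '000' when the prefix is restricted."""
    zip3 = str(zip_code)[:3]
    return "000" if zip3 in RESTRICTED_ZIP3 else zip3


def safe_harbor(record):
    """Return a new dict with the Safe Harbor identifier classes removed or generalised."""
    out = {}
    over_89 = isinstance(record.get("age"), int) and record["age"] > 89
    for field, value in record.items():
        if field in DIRECT_IDENTIFIER_FIELDS:
            continue  # removed outright
        if field == "zip":
            out[field] = generalize_zip(value)
        elif field in DATE_FIELDS:
            # Year alone is allowed, except a birth year that would reveal an age over 89.
            if field == "birth_date" and over_89:
                continue
            out[field] = str(value)[:4]
        elif field == "age":
            out[field] = "90+" if over_89 else value
        else:
            out[field] = value
    return out


def residual_identifiers(record, free_text_fields=("notes",)):
    """Check which identifier patterns survive in free text; an empty list means none found."""
    found = []
    for field in free_text_fields:
        text = record.get(field, "")
        for label, pattern in RESIDUAL_PATTERNS.items():
            if pattern.search(text):
                found.append((field, label))
    return found


def pseudonymize(record, key, id_field="mrn"):
    """Replace the MRN with a keyed HMAC token. Unlike Safe Harbor output this is
    still PHI: whoever holds the key (or a token-to-MRN mapping) can re-identify."""
    token = hmac.new(key, str(record[id_field]).encode(), hashlib.sha256).hexdigest()[:16]
    out = dict(record)
    out[id_field] = token
    return out


# Constructed sample record; not real patient data.
SAMPLE_RECORD = {
    "name": "Jane Example", "mrn": "MRN-000123", "ssn": "123-45-6789",
    "street": "1 Main St", "city": "Boston", "zip": "02115",
    "birth_date": "1958-03-14", "age": 67, "admission_date": "2025-01-09",
    "diagnosis": "I10", "notes": "Patient prefers callbacks at 617-555-0100.",
}

if __name__ == "__main__":
    deid = safe_harbor(SAMPLE_RECORD)
    print("safe harbor:", deid)
    print("residual identifiers:", residual_identifiers(deid))
    print("pseudonymous MRN:", pseudonymize(SAMPLE_RECORD, b"example-key")["mrn"])
```

The residual check is the part worth remembering for the exam: stripping structured fields satisfies the letter of Safe Harbor only if free text is also cleared, and the sample record above still carries a phone number in its notes after field removal. Expert Determination is the alternative route when a statistician attests that re-identification risk is very small; it is not shown here because it is a judgement, not a rule set.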

Frequently Asked Questions

What is the ISC2 HCISPP exam in 2026?

The HCISPP is a healthcare-focused privacy and security credential. The exam is delivered as a linear, fixed-form computer-based test through Pearson VUE: 125 multiple-choice items, 3 hours, with a scaled passing grade of 700 out of 1000. The exam fee is US$599 in major ISC2 regions, and seven domains are weighted from 5% to 24%.

What experience do I need to earn HCISPP?

Candidates need two years of cumulative paid work experience across the seven HCISPP domains, with at least one of the two years specifically in healthcare. If you pass without the experience, you become an Associate of ISC2 and have up to three years to earn the experience required for full certification.

Is HCISPP being retired?

ISC2 announced that HCISPP will move to INACTIVE status effective December 1, 2026. The exam remains bookable through the end of 2026. Candidates currently holding HCISPP retain the credential as long as they meet CPE requirements and pay the ISC2 annual maintenance fee. After December 1, 2026, ISC2 will not issue new HCISPP certifications.

What domains are on the HCISPP exam?

The exam covers seven domains: Healthcare Industry (12%), Information Governance in Healthcare (5%), Information Technologies in Healthcare (14%), Regulatory and Standards Environment (15%), Privacy and Security in Healthcare (24%), Risk Management and Risk Assessment (17%), and Third-Party Risk Management (13%).

How much does the HCISPP exam cost?

The standard HCISPP exam registration is US$599 in major ISC2 regions. Annual maintenance is US$135 once certified. Retakes are US$599 per attempt and follow ISC2's tiered waiting periods of 30, 60, and 90 days for the second, third, and later attempts within a 12-month window.

Is HCISPP DoD 8570.1 approved?

Yes. HCISPP is approved by the U.S. Department of Defense under the 8570.1 baseline for Information Assurance Manager Level I (IAM I) roles, so it can be used within DoD information assurance workforce categories until the transition to DoDM 8140 is complete.

How long should I study for HCISPP?

Most candidates plan 80-150 focused study hours across 8-12 weeks. Healthcare-experienced candidates may need less time on Domain 1 and more on Domains 5-7 (privacy/security, risk, third-party). Cybersecurity-experienced candidates often invert this and spend more time on healthcare workflows, code sets, and reimbursement.