CHPS Cheat Sheet 2026

The 30 highest-yield CHPS facts, distilled from real exam questions. Print it, save it as a PDF, or study it here — free, no sign-up.

150 questions
210 min time limit
70.00% to pass
  1. In the context of the HIPAA Security Rule, what does 'integrity' of ePHI mean? ePHI has not been altered or destroyed in an unauthorized manner
  2. Under the HIPAA Security Rule, what must a covered entity do when it terminates a workforce member's employment? Implement a termination procedure that includes removal of system access
  3. The use of a data collection with 16 data components deleted by a research organization that has signed a data agreement. Limited data set
  4. The HIPAA Security Rule's Transmission Security standard is designed to protect ePHI when it is: Transmitted over electronic communications networks
  5. Under the Technical Safeguards of the HIPAA Security Rule, which implementation specification for Access Control is designated as 'required'? Unique user identification
  6. The four-factor risk assessment under the HIPAA Breach Notification Rule includes all of the following EXCEPT: Whether the affected individual has experienced actual identity theft
  7. Which security control is MOST effective at detecting unauthorized internal access to ePHI by snooping employees? User and Entity Behavior Analytics (UEBA)
  8. A hospital discovers a breach on March 15. Under HIPAA, individual breach notifications must be sent no later than: May 14 (60 days after discovery)
  9. Under the HIPAA Security Rule, which safeguard category includes workstation use policies and facility access controls? Physical Safeguards
  10. Which type of malware specifically encrypts healthcare data and demands payment for decryption keys, causing significant operational disruption to hospitals? Ransomware
  11. What is the primary purpose of a healthcare organization's sanctions policy under HIPAA? To define consequences for workforce members who violate privacy and security policies
  12. Which HIPAA provision requires covered entities to provide patients with an accounting of certain disclosures of their PHI? Right to an Accounting of Disclosures
  13. When a business associate discovers a breach of PHI, within what timeframe must it notify the covered entity? Without unreasonable delay and within 60 days of discovery
  14. Which technology provides the strongest protection for ePHI stored on a lost or stolen laptop under HIPAA? Full-disk encryption using FIPS 140-2 validated modules
  15. Under HIPAA, what must a covered entity do if it maintains PHI about deceased individuals? Maintain HIPAA protections for PHI of deceased individuals for 50 years after death
  16. Under the HIPAA Privacy Rule, what is the maximum period a covered entity may retain a patient's authorization for use or disclosure of PHI? Until the patient revokes it in writing
  17. A covered entity's risk management plan should achieve which primary goal per the HIPAA Security Rule? Reduce risks to ePHI to a reasonable and appropriate level
  18. In a healthcare EHR environment, which access control model most effectively enforces the Minimum Necessary standard? Role-Based Access Control (RBAC)
  19. An example of a policy that details the tasks that may be carried out on computers and laptops inside an organization Workstation use
  20. Which of the following is NOT considered protected health information (PHI) under HIPAA? De-identified health data that meets the Safe Harbor standard
  21. Which of the following is under HIPAA and involves giving a primary care provider a copy of an emergency department visit report? Disclosure of protected health information
  22. In a healthcare privacy program, which document formally authorizes the Privacy Officer's role and defines the scope of the privacy program? Privacy Policy Charter or Program Charter
  23. Which HIPAA Security Rule standard requires covered entities to implement policies to prevent, detect, contain, and correct security violations? Security Management Process
  24. Which HIPAA Security Rule safeguard category includes the requirement for workforce training on security policies and procedures? Administrative Safeguards
  25. After a new control is put in place, risk is still deemed to exist if an organization. Residual
  26. Which framework is most widely used by healthcare organizations to build a comprehensive privacy program structure? Generally Accepted Privacy Principles (GAPP)
  27. An organization has just implemented a new policy that spells out how it would physically safeguard the five clinics it owns. This is an illustration of a (n) Facility security plan
  28. Which of the following HIPAA Security Rule requirements addresses the need for a covered entity to restore ePHI data after a disaster? Disaster Recovery Plan
  29. Which of the following best describes the concept of 'integrity' in the context of the HIPAA Security Rule? Protecting ePHI from improper alteration or destruction
  30. Which federal agency is primarily responsible for enforcing the HIPAA Privacy and Security Rules? HHS Office for Civil Rights (OCR)
Turn these facts into recall: