CHPS Cheat Sheet 2026
The 30 highest-yield CHPS facts, distilled from real exam questions. Print it, save it as a PDF, or study it here — free, no sign-up.
150 questions
210 min time limit
70.00% to pass
- In the context of the HIPAA Security Rule, what does 'integrity' of ePHI mean? → ePHI has not been altered or destroyed in an unauthorized manner
- Under the HIPAA Security Rule, what must a covered entity do when it terminates a workforce member's employment? → Implement a termination procedure that includes removal of system access
- The use of a data collection with 16 data components deleted by a research organization that has signed a data agreement. → Limited data set
- The HIPAA Security Rule's Transmission Security standard is designed to protect ePHI when it is: → Transmitted over electronic communications networks
- Under the Technical Safeguards of the HIPAA Security Rule, which implementation specification for Access Control is designated as 'required'? → Unique user identification
- The four-factor risk assessment under the HIPAA Breach Notification Rule includes all of the following EXCEPT: → Whether the affected individual has experienced actual identity theft
- Which security control is MOST effective at detecting unauthorized internal access to ePHI by snooping employees? → User and Entity Behavior Analytics (UEBA)
- A hospital discovers a breach on March 15. Under HIPAA, individual breach notifications must be sent no later than: → May 14 (60 days after discovery)
- Under the HIPAA Security Rule, which safeguard category includes workstation use policies and facility access controls? → Physical Safeguards
- Which type of malware specifically encrypts healthcare data and demands payment for decryption keys, causing significant operational disruption to hospitals? → Ransomware
- What is the primary purpose of a healthcare organization's sanctions policy under HIPAA? → To define consequences for workforce members who violate privacy and security policies
- Which HIPAA provision requires covered entities to provide patients with an accounting of certain disclosures of their PHI? → Right to an Accounting of Disclosures
- When a business associate discovers a breach of PHI, within what timeframe must it notify the covered entity? → Without unreasonable delay and within 60 days of discovery
- Which technology provides the strongest protection for ePHI stored on a lost or stolen laptop under HIPAA? → Full-disk encryption using FIPS 140-2 validated modules
- Under HIPAA, what must a covered entity do if it maintains PHI about deceased individuals? → Maintain HIPAA protections for PHI of deceased individuals for 50 years after death
- Under the HIPAA Privacy Rule, what is the maximum period a covered entity may retain a patient's authorization for use or disclosure of PHI? → Until the patient revokes it in writing
- A covered entity's risk management plan should achieve which primary goal per the HIPAA Security Rule? → Reduce risks to ePHI to a reasonable and appropriate level
- In a healthcare EHR environment, which access control model most effectively enforces the Minimum Necessary standard? → Role-Based Access Control (RBAC)
- An example of a policy that details the tasks that may be carried out on computers and laptops inside an organization → Workstation use
- Which of the following is NOT considered protected health information (PHI) under HIPAA? → De-identified health data that meets the Safe Harbor standard
- Which of the following is under HIPAA and involves giving a primary care provider a copy of an emergency department visit report? → Disclosure of protected health information
- In a healthcare privacy program, which document formally authorizes the Privacy Officer's role and defines the scope of the privacy program? → Privacy Policy Charter or Program Charter
- Which HIPAA Security Rule standard requires covered entities to implement policies to prevent, detect, contain, and correct security violations? → Security Management Process
- Which HIPAA Security Rule safeguard category includes the requirement for workforce training on security policies and procedures? → Administrative Safeguards
- After a new control is put in place, risk is still deemed to exist if an organization. → Residual
- Which framework is most widely used by healthcare organizations to build a comprehensive privacy program structure? → Generally Accepted Privacy Principles (GAPP)
- An organization has just implemented a new policy that spells out how it would physically safeguard the five clinics it owns. This is an illustration of a (n) → Facility security plan
- Which of the following HIPAA Security Rule requirements addresses the need for a covered entity to restore ePHI data after a disaster? → Disaster Recovery Plan
- Which of the following best describes the concept of 'integrity' in the context of the HIPAA Security Rule? → Protecting ePHI from improper alteration or destruction
- Which federal agency is primarily responsible for enforcing the HIPAA Privacy and Security Rules? → HHS Office for Civil Rights (OCR)
Turn these facts into recall: