CHP Cheat Sheet 2026

The 30 highest-yield CHP facts, distilled from real exam questions. Print it, save it as a PDF, or study it here — free, no sign-up.

50 questions
60 min time limit
70% to pass
  1. Under the HITECH Act, which entities became directly liable for HIPAA compliance that were previously only bound through contractual agreements? Business associates
  2. Which federal legislation made business associates directly subject to HIPAA compliance obligations? The Health Information Technology for Economic and Clinical Health (HITECH) Act
  3. Which HITECH provision most directly addressed the gap that previously exempted business associates from direct HIPAA liability? The direct applicability of Security Rule requirements to business associates
  4. Which of the following best describes a 'downstream' business associate under HIPAA? A subcontractor of a business associate that also handles PHI
  5. Which body system is most relevant to understanding tissue response to treatment? The musculoskeletal and integumentary systems
  6. How often should HIPAA risk assessments be conducted? Annually or as needed
  7. What is the primary purpose of administrative safeguards under HIPAA? To manage workforce security and access control
  8. What is the primary purpose of the HIPAA Breach Notification Rule? To notify individuals and authorities about data breaches
  9. Under HIPAA, subcontractors of business associates who handle PHI are treated as: Business associates with direct HIPAA obligations
  10. What does PHI stand for in the context of HIPAA? Protected Health Information
  11. What are the four tiers of civil monetary penalties established by HITECH, listed from least to most severe? Did not know, reasonable cause, willful neglect corrected, willful neglect not corrected
  12. What is the primary obligation of a certified professional regarding patient/client confidentiality? Protect all personal information and disclose only with proper authorization
  13. What is the primary purpose of a covered entity conducting periodic audits of its business associates? To verify that business associates are meeting their HIPAA obligations under the BAA
  14. Which of the following is a physical safeguard for HIPAA compliance? Server room door locks
  15. What should a practitioner do when regulations conflict with employer policies? Follow the regulation, as legal requirements supersede employer policies
  16. What is a key factor in ensuring HIPAA risk management success? Regular staff training
  17. What is the primary goal of HIPAA's workforce security standard under the Security Rule? To ensure only authorized workforce members can access ePHI
  18. Under HITECH, when must breaches affecting fewer than 500 individuals be reported to the Secretary of HHS? Annually, within 60 days after the end of each calendar year
  19. What is the primary purpose of a HIPAA workforce sanctions policy? To deter violations and demonstrate organizational commitment to compliance
  20. When a workforce member's job role changes significantly, what HIPAA Security Rule obligation is triggered? Access privileges must be reviewed and updated to reflect the new role
  21. When an employee is terminated, what is the most critical HIPAA Security Rule action a covered entity must take? Immediately revoke the terminated employee's access to all ePHI systems
  22. When faced with a conflict of interest, what is the appropriate course of action? Disclose the conflict and recuse yourself from the situation
  23. What is the maximum civil monetary penalty per violation category under HITECH's highest penalty tier? $50,000 per violation with a $1.5 million annual cap
  24. What is the primary purpose of maintaining a clean field during procedures? To minimize the risk of introducing pathogens to the treatment area
  25. What is the primary purpose of the HIPAA Privacy Rule? To ensure the confidentiality of protected health information (PHI)
  26. How does maintaining proper credentials demonstrate regulatory compliance? It proves the practitioner has met all requirements for legal practice
  27. What constitutes a boundary violation in professional practice? Engaging in dual relationships that could impair professional judgment
  28. What role does encryption play in technical safeguards? It converts data into secure formats
  29. What is the primary purpose of regulatory compliance in professional practice? To protect public safety and ensure minimum standards of care
  30. Which of the following is the clearest example of a HIPAA business associate? A billing company that processes insurance claims containing PHI for a covered entity
Turn these facts into recall: