CHP Cheat Sheet 2026
The 30 highest-yield CHP facts, distilled from real exam questions. Print it, save it as a PDF, or study it here — free, no sign-up.
50 questions
60 min time limit
70% to pass
- Under the HITECH Act, which entities became directly liable for HIPAA compliance that were previously only bound through contractual agreements? → Business associates
- Which federal legislation made business associates directly subject to HIPAA compliance obligations? → The Health Information Technology for Economic and Clinical Health (HITECH) Act
- Which HITECH provision most directly addressed the gap that previously exempted business associates from direct HIPAA liability? → The direct applicability of Security Rule requirements to business associates
- Which of the following best describes a 'downstream' business associate under HIPAA? → A subcontractor of a business associate that also handles PHI
- Which body system is most relevant to understanding tissue response to treatment? → The musculoskeletal and integumentary systems
- How often should HIPAA risk assessments be conducted? → Annually or as needed
- What is the primary purpose of administrative safeguards under HIPAA? → To manage workforce security and access control
- What is the primary purpose of the HIPAA Breach Notification Rule? → To notify individuals and authorities about data breaches
- Under HIPAA, subcontractors of business associates who handle PHI are treated as: → Business associates with direct HIPAA obligations
- What does PHI stand for in the context of HIPAA? → Protected Health Information
- What are the four tiers of civil monetary penalties established by HITECH, listed from least to most severe? → Did not know, reasonable cause, willful neglect corrected, willful neglect not corrected
- What is the primary obligation of a certified professional regarding patient/client confidentiality? → Protect all personal information and disclose only with proper authorization
- What is the primary purpose of a covered entity conducting periodic audits of its business associates? → To verify that business associates are meeting their HIPAA obligations under the BAA
- Which of the following is a physical safeguard for HIPAA compliance? → Server room door locks
- What should a practitioner do when regulations conflict with employer policies? → Follow the regulation, as legal requirements supersede employer policies
- What is a key factor in ensuring HIPAA risk management success? → Regular staff training
- What is the primary goal of HIPAA's workforce security standard under the Security Rule? → To ensure only authorized workforce members can access ePHI
- Under HITECH, when must breaches affecting fewer than 500 individuals be reported to the Secretary of HHS? → Annually, within 60 days after the end of each calendar year
- What is the primary purpose of a HIPAA workforce sanctions policy? → To deter violations and demonstrate organizational commitment to compliance
- When a workforce member's job role changes significantly, what HIPAA Security Rule obligation is triggered? → Access privileges must be reviewed and updated to reflect the new role
- When an employee is terminated, what is the most critical HIPAA Security Rule action a covered entity must take? → Immediately revoke the terminated employee's access to all ePHI systems
- When faced with a conflict of interest, what is the appropriate course of action? → Disclose the conflict and recuse yourself from the situation
- What is the maximum civil monetary penalty per violation category under HITECH's highest penalty tier? → $50,000 per violation with a $1.5 million annual cap
- What is the primary purpose of maintaining a clean field during procedures? → To minimize the risk of introducing pathogens to the treatment area
- What is the primary purpose of the HIPAA Privacy Rule? → To ensure the confidentiality of protected health information (PHI)
- How does maintaining proper credentials demonstrate regulatory compliance? → It proves the practitioner has met all requirements for legal practice
- What constitutes a boundary violation in professional practice? → Engaging in dual relationships that could impair professional judgment
- What role does encryption play in technical safeguards? → It converts data into secure formats
- What is the primary purpose of regulatory compliance in professional practice? → To protect public safety and ensure minimum standards of care
- Which of the following is the clearest example of a HIPAA business associate? → A billing company that processes insurance claims containing PHI for a covered entity
Turn these facts into recall: