CHPC Cheat Sheet 2026
The 30 highest-yield CHPC facts, distilled from real exam questions. Print it, save it as a PDF, or study it here β free, no sign-up.
120 questions
120 min time limit
75.00% to pass
- Which of the following is NOT required to be included in a Business Associate Agreement? β The business associate's liability insurance coverage amount
- What rights does a patient have under the HIPAA Privacy Rule? β The right to access and obtain copies of their medical records
- Which action by a covered entity constitutes retaliation prohibited under HIPAA? β Threatening a patient for exercising their right to file a complaint with HHS
- Which of the following is a best practice when conducting internal investigations into compliance complaints? β Documenting all steps, findings, and conclusions of the investigation
- Which of the following is an example of a biometric identifier that must be removed under the Safe Harbor method? β Fingerprints and voice prints
- During an internal investigation, what is the primary purpose of interviewing witnesses? β To collect evidence to substantiate or disprove allegations
- Under the Safe Harbor method, how must the age of an individual who is 90 years or older be reported in a de-identified dataset? β Their age must be grouped into an aggregate category such as '90 or older'
- What happens to a BAA if the underlying covered entityβbusiness associate relationship ends? β The BA must return or destroy all PHI and confirm compliance to the covered entity
- When a covered entity shares a limited data set, what agreement must be executed with the recipient? β Data Use Agreement
- A patient submits a written request to restrict how their PHI is used for treatment purposes. The covered entity may: β Grant or deny the restriction at its discretion (except the mandatory out-of-pocket rule)
- A patient requests an amendment to their medical record. Under HIPAA, how long does the covered entity have to act on this request? β 60 days, with a possible 30-day extension
- Under HIPAA, how long does a covered entity generally have to respond to a patient's request for access to their PHI? β 30 days, with a possible 30-day extension
- Under HIPAA's Safe Harbor method, specific dates must be removed EXCEPT which component? β The year alone (for individuals under 90)
- What is a 'limited data set' under HIPAA's Privacy Rule? β PHI with direct identifiers removed but some indirect identifiers such as dates retained
- Under the HIPAA Safe Harbor method, which geographic data element may be retained in de-identified data? β The state
- What is the main purpose of the HIPAA Privacy Rule? β To establish national standards for protecting individualsβ medical records and PHI
- Under the Expert Determination method, what documentation must the expert maintain to support the de-identification determination? β Documentation of the methods and results supporting the very small risk determination
- If an internal investigation uncovers a significant compliance violation, which of the following steps should occur? β Implement corrective actions to address the violation
- A deceased patient's executor requests access to the decedent's medical records. HIPAA allows covered entities to disclose this PHI to: β A personal representative of the decedent, such as an executor
- What is the best way to safeguard PHI on mobile devices such as laptops or smartphones? β Implementing encryption for PHI
- Under HIPAA, a covered entity may charge a fee for providing a copy of PHI to a patient. Which cost element is NOT allowable? β Staff time to locate and pull the record
- What is the purpose of conducting a compliance risk assessment in a healthcare organization? β To identify areas of non-compliance and prioritize risk mitigation
- A patient submits a complaint that their PHI was accessed without authorization. What is the healthcare providerβs responsibility under HIPAA? β Investigate the complaint to confirm if a HIPAA breach occurred
- When a covered entity discovers that a business associate has materially breached the BAA and the violation has not been cured, what must the covered entity do? β Terminate the contract with the business associate if feasible
- Which of the following is a primary objective of conducting a periodic privacy risk assessment within a healthcare organization? β To identify potential vulnerabilities and threats to the privacy of PHI.
- Under HIPAA, which of the following is an example of a business associate acting outside the scope of its BAA? β Using patient data to market the BA's own services without authorization
- Under the HITECH Act, which entity extended individual rights regarding PHI to business associates? β Business associates are now directly liable for honoring certain patient rights
- What is the role of auditing and monitoring in a healthcare compliance program? β To evaluate the effectiveness of the compliance program and detect non-compliance
- Which document formally authorizes a business associate to use PHI for a purpose not specified in the original BAA? β A BAA amendment or addendum signed by both parties
- Under HIPAA, which two methods are officially recognized for de-identifying protected health information? β Safe Harbor and Expert Determination
Turn these facts into recall: