CHPC Cheat Sheet 2026

The 30 highest-yield CHPC facts, distilled from real exam questions. Print it, save it as a PDF, or study it here β€” free, no sign-up.

120 questions
120 min time limit
75.00% to pass
  1. Which of the following is NOT required to be included in a Business Associate Agreement? β†’ The business associate's liability insurance coverage amount
  2. What rights does a patient have under the HIPAA Privacy Rule? β†’ The right to access and obtain copies of their medical records
  3. Which action by a covered entity constitutes retaliation prohibited under HIPAA? β†’ Threatening a patient for exercising their right to file a complaint with HHS
  4. Which of the following is a best practice when conducting internal investigations into compliance complaints? β†’ Documenting all steps, findings, and conclusions of the investigation
  5. Which of the following is an example of a biometric identifier that must be removed under the Safe Harbor method? β†’ Fingerprints and voice prints
  6. During an internal investigation, what is the primary purpose of interviewing witnesses? β†’ To collect evidence to substantiate or disprove allegations
  7. Under the Safe Harbor method, how must the age of an individual who is 90 years or older be reported in a de-identified dataset? β†’ Their age must be grouped into an aggregate category such as '90 or older'
  8. What happens to a BAA if the underlying covered entity–business associate relationship ends? β†’ The BA must return or destroy all PHI and confirm compliance to the covered entity
  9. When a covered entity shares a limited data set, what agreement must be executed with the recipient? β†’ Data Use Agreement
  10. A patient submits a written request to restrict how their PHI is used for treatment purposes. The covered entity may: β†’ Grant or deny the restriction at its discretion (except the mandatory out-of-pocket rule)
  11. A patient requests an amendment to their medical record. Under HIPAA, how long does the covered entity have to act on this request? β†’ 60 days, with a possible 30-day extension
  12. Under HIPAA, how long does a covered entity generally have to respond to a patient's request for access to their PHI? β†’ 30 days, with a possible 30-day extension
  13. Under HIPAA's Safe Harbor method, specific dates must be removed EXCEPT which component? β†’ The year alone (for individuals under 90)
  14. What is a 'limited data set' under HIPAA's Privacy Rule? β†’ PHI with direct identifiers removed but some indirect identifiers such as dates retained
  15. Under the HIPAA Safe Harbor method, which geographic data element may be retained in de-identified data? β†’ The state
  16. What is the main purpose of the HIPAA Privacy Rule? β†’ To establish national standards for protecting individuals’ medical records and PHI
  17. Under the Expert Determination method, what documentation must the expert maintain to support the de-identification determination? β†’ Documentation of the methods and results supporting the very small risk determination
  18. If an internal investigation uncovers a significant compliance violation, which of the following steps should occur? β†’ Implement corrective actions to address the violation
  19. A deceased patient's executor requests access to the decedent's medical records. HIPAA allows covered entities to disclose this PHI to: β†’ A personal representative of the decedent, such as an executor
  20. What is the best way to safeguard PHI on mobile devices such as laptops or smartphones? β†’ Implementing encryption for PHI
  21. Under HIPAA, a covered entity may charge a fee for providing a copy of PHI to a patient. Which cost element is NOT allowable? β†’ Staff time to locate and pull the record
  22. What is the purpose of conducting a compliance risk assessment in a healthcare organization? β†’ To identify areas of non-compliance and prioritize risk mitigation
  23. A patient submits a complaint that their PHI was accessed without authorization. What is the healthcare provider’s responsibility under HIPAA? β†’ Investigate the complaint to confirm if a HIPAA breach occurred
  24. When a covered entity discovers that a business associate has materially breached the BAA and the violation has not been cured, what must the covered entity do? β†’ Terminate the contract with the business associate if feasible
  25. Which of the following is a primary objective of conducting a periodic privacy risk assessment within a healthcare organization? β†’ To identify potential vulnerabilities and threats to the privacy of PHI.
  26. Under HIPAA, which of the following is an example of a business associate acting outside the scope of its BAA? β†’ Using patient data to market the BA's own services without authorization
  27. Under the HITECH Act, which entity extended individual rights regarding PHI to business associates? β†’ Business associates are now directly liable for honoring certain patient rights
  28. What is the role of auditing and monitoring in a healthcare compliance program? β†’ To evaluate the effectiveness of the compliance program and detect non-compliance
  29. Which document formally authorizes a business associate to use PHI for a purpose not specified in the original BAA? β†’ A BAA amendment or addendum signed by both parties
  30. Under HIPAA, which two methods are officially recognized for de-identifying protected health information? β†’ Safe Harbor and Expert Determination