Passed the CHP exam in 3 weeks — here's what the test actually focuses on
I'm a compliance officer at a mid-size outpatient clinic and needed the CHP to satisfy a new contract requirement. Didn't have a lot of lead time — only three weeks — so I studied about 90 minutes every day including weekends. Ended up with an 84% which I'm happy with given the timeline.
The exam is 100 questions with a 2.5-hour time limit and covers the HIPAA Privacy Rule, Security Rule, Breach Notification Rule, and Enforcement Rule. Privacy Rule makes up the biggest chunk — probably 35–40% of the exam. Know the minimum necessary standard inside and out because it comes up constantly. The treatment, payment, and operations framework and when each exception applies was also tested heavily.
Business Associate Agreements showed up in about 10–12 questions. You need to know what triggers a BAA requirement, what must be included, and what happens when a subcontractor is involved. For the Security Rule, focus on the distinction between required and addressable implementation specifications — that's a classic exam trap.
I used Compliancy Group study materials plus the actual HHS HIPAA guidance documents. The official guidance is dry but the exam sometimes quotes it almost verbatim. It's worth reading through the key summaries on the HHS website alongside whatever prep course you're using.
The Breach Notification timeline rules are tested specifically — 60 days from discovery to notify individuals, the media notification threshold, and the HHS annual reporting requirement for smaller breaches. I got three questions on timelines and was glad I'd memorized the exact numbers.
The minimum necessary standard questions were everywhere on my exam — at least 15 questions touched on it in some way. Who can access what, how to respond to requests, how it applies to different workforce roles. Nail that section first before anything else.
Don't overthink the Enforcement Rule questions. They're mostly about the tier structure for civil monetary penalties and willful neglect corrected vs. uncorrected. The penalty amounts are specific so just memorize them — no shortcut there.
I work in IT security and came in thinking the Security Rule section would be easy. The addressable vs. required specification distinction is genuinely tricky in practice though. The exam presents scenarios where you have to decide whether an organization must implement a safeguard or just document why they didn't.