- What Are CHPS CEUs and Why They Matter
- CHPS Recertification Requirements at a Glance
- Approved CEU Categories for CHPS Holders
- Domain-Aligned CEU Planning
- Earning CEUs Through Specific Activities
- Documentation, Audits, and Submission
- Strategic Scheduling: Aligning CEUs to Your Role
- Common Mistakes CHPS Holders Make with CEUs
- Frequently Asked Questions
- CHPS certification requires ongoing continuing education units (CEUs) to maintain active status through each recertification cycle.
- CEU activities must align with CHPS competency domains, including privacy program management, security program management, and breach management.
- AHIMA-approved education, employer-sponsored training, and self-directed study all qualify toward your CEU requirement.
- Keeping auditable documentation for every CEU activity is non-negotiable - AHIMA conducts random compliance audits.
What Are CHPS CEUs and Why They Matter
Earning the Certified in Healthcare Privacy and Security (CHPS) credential is a significant professional achievement. But the credential does not maintain itself. Like all AHIMA-issued certifications, CHPS requires credential holders to earn continuing education units (CEUs) on an ongoing basis to prove that their knowledge of healthcare privacy and security law, technology, and practice keeps pace with a rapidly shifting landscape.
This is not a bureaucratic formality. The CHPS domains span areas - from evolving federal and state regulatory requirements to active threat response under breach management - where the practical standards change faster than most professional fields. A CHPS holder who earned the credential several years ago and did nothing since would genuinely be out of date. CEUs are the mechanism that prevents credentialed professionals from becoming liabilities to the organizations that trust them.
If you are still working toward the credential itself, reviewing the CHPS Eligibility Requirements: Who Can Apply in 2026 is a logical first step before diving into what happens after you pass.
CHPS Recertification Requirements at a Glance
CHPS certification operates on a recertification cycle managed by AHIMA. During each cycle, credential holders must accumulate a defined number of CEUs drawn from approved categories. The specific hour and unit requirements are set by AHIMA and published in the official CHPS recertification handbook - always confirm current figures directly with AHIMA, as requirements can be updated between publication cycles.
What matters conceptually is the structure:
- CEUs must be relevant. Activities need to connect to the substantive competencies measured by the CHPS credential - privacy law, security program management, IT governance, compliance, investigation, or breach response.
- AHIMA-approved education carries the most straightforward credit pathway. Courses offered directly through AHIMA or its approved partners are pre-vetted for relevance.
- Non-AHIMA activities are acceptable but require the credential holder to justify relevance and maintain documentation.
- Ethics education is a recurring CEU requirement for AHIMA credentials, reflecting the weight Domain 1 places on ethical frameworks in healthcare information management.
| Recertification Element | Key Consideration |
|---|---|
| CEU cycle length | Set by AHIMA; verify current cycle dates in your credential portal |
| Required ethics CEUs | A minimum number of hours must specifically address ethics - tied to Domain 1 competencies |
| AHIMA-approved vs. self-reported | AHIMA-approved courses are pre-cleared; self-reported activities require documentation and relevance justification |
| Audit exposure | AHIMA randomly audits credential holders; documentation gaps can result in decertification |
| Renewal fee | A recertification fee applies at the end of each cycle; confirm current fee with AHIMA directly |
Approved CEU Categories for CHPS Holders
AHIMA recognizes several broad categories of activity for CEU credit. Understanding which category applies to each activity you complete helps you plan efficiently and avoid gaps at the end of your cycle.
Formal Education
College coursework in health informatics, health law, cybersecurity, or information governance qualifies. Graduate-level courses in these areas typically carry strong credit value. If you are pursuing advanced education relevant to your CHPS domains, this is one of the highest-yield CEU strategies available.
AHIMA-Sponsored and Pre-Approved Education
AHIMA's own continuing education catalog - including virtual conferences, webinars, self-study modules, and the AHIMA Annual Conference - is a primary source. These activities are pre-assigned CEU values and do not require additional documentation beyond proof of completion.
Professional Presentations and Publications
Presenting at a healthcare privacy and security conference, publishing a peer-reviewed article on HIPAA compliance, or contributing to an AHIMA practice brief all generate CEU credit. This category rewards active professional contribution rather than passive consumption of education.
Employer-Sponsored Training
In-house compliance training, vendor-led security awareness programs, tabletop breach response exercises, and similar workplace activities may qualify - provided they connect to a recognized CHPS competency area and are properly documented.
Self-Study
Reading professional journals, studying regulatory updates from OCR, and working through domain-specific practice materials can qualify under self-directed learning categories, subject to AHIMA's specific rules on documentation and hour limits for this category.
Key Takeaway
Do not rely exclusively on one CEU category. A portfolio approach - mixing formal education, employer training, AHIMA-approved webinars, and self-study - is more resilient against audit scrutiny and better reflects genuine professional development.
Domain-Aligned CEU Planning
The most defensible and professionally useful approach to earning your CHPS CEUs is to align your activities directly with the six exam domains. This ensures that your continuing education reinforces exactly the competencies that define the credential - and gives you a clear rationale for every activity if audited.
Domain 1: Ethical, Legal, and Regulatory Issues / Environmental Assessment (23-27%)
This is the largest domain by weight. CEU activities should include HIPAA regulatory updates, state privacy law developments, HHS OCR enforcement actions, and ethics-specific education. Given that AHIMA mandates ethics CEUs within every cycle, much of this requirement can be met here.
- Track annual OCR guidance documents and settlement announcements
- Complete AHIMA's designated ethics modules to satisfy the mandatory ethics CEU component
- Monitor state-level health privacy legislation, particularly in states with laws that exceed HIPAA's minimum requirements
Domain 2: Privacy Program Management (18-22%)
This domain covers how a privacy program is designed, operated, and evaluated. Relevant CEU activities include courses on privacy impact assessments, Notice of Privacy Practices development, workforce training program design, and business associate agreement management.
- Attend AHIMA webinars focused on privacy officer operational responsibilities
- Review updated guidance from the HHS Office for Civil Rights on individual rights under HIPAA
Domain 3: Security Program Management (18-22%)
Security program management content covers HIPAA Security Rule compliance, risk analysis and risk management, administrative and physical safeguards, and security policies. This domain benefits particularly from cybersecurity-focused continuing education, including NIST framework updates and HHS HC3 threat briefings.
- Attend security-focused track sessions at health IT conferences
- Review NIST SP 800-series publications relevant to healthcare IT environments
- Participate in tabletop exercises focused on ransomware or insider threat scenarios
Domain 4: Information Technology (12-16%)
IT domain CEUs should address electronic health record architecture, access control systems, encryption standards, network security fundamentals, and emerging technologies such as cloud storage and mobile health applications. Vendor certifications in relevant platforms (with a privacy/security angle) may qualify.
- Complete modules on EHR access log auditing and anomaly detection
- Review cloud computing security frameworks as they apply to healthcare data
Domain 5: Compliance, Investigation, and Enforcement (10-14%)
This domain covers investigation methodology, complaint response, workforce sanctions, and coordination with law enforcement. Relevant CEUs include training on HIPAA complaint investigation procedures and case studies drawn from real OCR enforcement actions.
- Study published OCR resolution agreements for investigation and corrective action plan structure
- Take courses on internal compliance investigation methodology
Domain 6: Breach Management (5-9%)
Though the smallest domain by weight, breach management is operationally high-stakes. CEUs in this area should cover breach risk assessment methodology, HHS breach notification timelines, media and individual notification requirements, and post-breach remediation strategies.
- Complete courses on the four-factor breach risk assessment under HIPAA
- Review the HHS breach portal (the "Wall of Shame") for current reportable breach patterns
Earning CEUs Through Specific Activities
Some of the most effective CEU-earning activities for active CHPS holders are ones that blend professional contribution with education. Consider these high-value approaches:
- Joining an AHIMA Community of Practice (CoP): Active participation in privacy and security CoPs can yield CEU credit while connecting you with peers navigating the same regulatory environment.
- Speaking at regional or national conferences: Presenting a session on, for example, breach risk assessment methodology or state privacy law compliance earns presentation credit while reinforcing your own domain mastery.
- Mentoring candidates preparing for the exam: Some mentoring activities qualify under AHIMA's professional development categories, and the process of explaining CHPS concepts - such as the distinction between privacy program management and security program management - deepens your own understanding.
- Writing for AHIMA or peer-reviewed outlets: Articles on healthcare privacy enforcement trends, security program benchmarking, or emerging IT governance issues can generate meaningful CEU credit.
If you want to reinforce your foundational domain knowledge while earning self-study CEUs, spending time with structured practice materials is an efficient strategy. Our CHPS practice test platform is specifically designed around the six exam domains and can serve as a domain-gap assessment tool even for experienced credential holders looking to identify where their continuing education investment will pay off most.
Documentation, Audits, and Submission
AHIMA conducts random audits of credential holders during recertification. If you are selected, you will be required to produce documentation proving that your reported CEU activities actually occurred and were relevant to your credential. This is not a process where informal recollection is sufficient.
What Documentation Looks Like in Practice
For every CEU activity you complete, maintain a file that includes:
- A certificate of completion or attendance record with the date, provider name, and topic
- The number of contact hours or CEU units awarded
- A brief written note connecting the activity to a specific CHPS domain (especially for self-study or employer-sponsored activities)
- For publications or presentations: a copy of the published article or a conference program confirming your session
AHIMA's online credential portal allows you to log activities as you complete them rather than reconstructing the record at renewal time. Use it consistently - attempting to recreate a year or two of CEU history at recertification is both stressful and risky.
Strategic Scheduling: Aligning CEUs to Your Role
CHPS holders work in a range of roles - privacy officers, compliance directors, health information managers, security analysts, and healthcare attorneys among them. Your CEU strategy should reflect both your credential requirements and the specific demands of your current position.
Foundation and Regulatory Currency
- Prioritize Domain 1 (Ethical, Legal, and Regulatory) CEUs - complete mandatory ethics requirement early
- Attend AHIMA Annual Conference or equivalent to bank high-credit AHIMA-approved education
- Establish your documentation system in the AHIMA credential portal
Operational Depth
- Focus continuing education on Domains 2 and 3 - privacy and security program management
- Pursue employer-sponsored training opportunities and document them immediately
- Consider a presentation proposal for a regional AHIMA or HIMSS chapter event
Specialization and Renewal Preparation
- Fill remaining CEU gaps with targeted self-study in Domains 4, 5, and 6
- Audit your portal records for completeness before the cycle closes
- Submit recertification application and fee before the deadline
For professionals who are simultaneously preparing for or recently returned from the initial exam, the CHPS Continuing Education Units: A Complete Guide 2026 provides the full framework for thinking about credential maintenance as a continuous professional discipline rather than a once-per-cycle scramble.
Common Mistakes CHPS Holders Make with CEUs
Experienced professionals make predictable errors in managing their CEU requirements. Knowing these patterns in advance can prevent an otherwise clean record from becoming a problem at renewal.
- Banking CEUs too late in the cycle: Attending a single large conference in the final months of a cycle to catch up on hours is risky. Events get cancelled, sessions fill, and life intervenes. Distribute your CEU activity throughout the cycle.
- Claiming general IT or legal training without domain justification: A general cybersecurity certificate course is not automatically a CHPS CEU. You must connect it explicitly to a CHPS domain (most naturally Domains 3 or 4) and document that connection.
- Forgetting the ethics requirement: The mandatory ethics CEU component catches credential holders off guard when they assume that any compliance or privacy education covers it. Ethics-specific education is a distinct category.
- Failing to log activities promptly: Certificates expire, conference programs disappear, and employer training records are harder to retrieve after staff turnover. Log every activity within a week of completion.
- Overlooking self-study opportunities with structured tools: Reviewing domain-specific materials - including using practice tests aligned to the CHPS exam domains - can support self-study CEU claims when properly documented and connected to a specific domain.
For professionals still navigating the initial credential pathway, understanding what the exam measures in detail - including the precise domain weightings above - helps you build a CEU strategy that starts the moment you pass. The CHPS Eligibility Requirements: Who Can Apply in 2026 article covers the pre-credentialing side of this journey.
Frequently Asked Questions
AHIMA's policies on CEU carryover change periodically. As of the most recent guidance, a limited number of excess CEUs may be applied to the subsequent cycle. Always confirm the current carryover rules directly in your AHIMA credential portal before relying on this option for planning purposes.
Adjacent topics qualify if you can demonstrate relevance to one of the six CHPS domains. A course on general data breach law would qualify under Domains 1 or 6. A course on database administration might qualify under Domain 4 if it addresses access controls or audit logging in a healthcare context. Document the connection explicitly.
Activities without adequate documentation may be disallowed, potentially leaving you short of the required CEU total. This can result in suspension or revocation of your CHPS credential until the deficiency is resolved. AHIMA's audit process takes compliance seriously - treat every CEU as if it will be audited.
Yes - earning a new AHIMA credential typically generates CEU credit applicable to other AHIMA credentials you already hold. The specific credit value is set by AHIMA and should be confirmed in your credential portal at the time of your CHPS certification.
Education from HIMSS and other recognized health IT organizations may qualify as non-AHIMA self-reported CEUs, provided the content maps to a CHPS domain. CISA, CISSP, or similar security-credential coursework can qualify under Domains 3 or 4 with appropriate documentation. The key is always demonstrable relevance to the CHPS competency framework.
Ready to Start Practicing?
Reinforce your knowledge across all six CHPS domains with targeted practice questions built specifically for the exam. Whether you are preparing for initial certification or keeping your domain knowledge sharp for recertification, our practice tests help you identify gaps and build confidence in the areas that matter most.
Start Free Practice Test