- CHPS is administered by AHIMA and targets healthcare information management professionals in privacy and security roles.
- Eligibility combines a minimum education threshold with verified healthcare privacy or security work experience.
- The exam spans six domains, with Ethical/Legal/Regulatory Issues carrying the heaviest weight at 23-27%.
- Candidates should confirm their experience documentation before submitting an application to avoid processing delays.
Who Is the CHPS Credential For?
The Certified in Healthcare Privacy and Security (CHPS) credential is issued by the American Health Information Management Association (AHIMA). It is designed specifically for professionals who work at the intersection of healthcare data governance, patient privacy, and information security - not general IT security practitioners, and not purely administrative health information staff, but the people who sit squarely between those two worlds.
If your day-to-day work involves interpreting HIPAA regulations, managing a healthcare organization's privacy program, assessing security risks against clinical data systems, or responding to patient data breaches, CHPS is built around your job. The credential signals to employers that you have demonstrated, verified competency across the full lifecycle of healthcare privacy and security - from regulatory interpretation through incident response.
Before you invest time in exam preparation, confirming you meet the eligibility requirements is an essential first step. The good news: AHIMA has structured eligibility around realistic career trajectories in health information management, meaning most working professionals in the field can qualify with the right combination of education and experience.
The Core Eligibility Requirements
CHPS eligibility is based on two primary pillars: education and professional experience. AHIMA structures these as complementary - a stronger education background can offset a shorter experience requirement, and vice versa. This tiered approach recognizes that healthcare privacy and security professionals enter the field through varied academic and professional paths.
At a high level, candidates must hold at minimum a bachelor's degree and have accumulated relevant work experience in healthcare privacy and/or security. The specific number of years required varies depending on your degree level and field of study. Candidates with graduate-level education in a relevant field may qualify with fewer years of direct experience than someone entering with an associate degree or a bachelor's in an unrelated field.
Importantly, AHIMA evaluates experience not just by job title but by the nature of the work performed. Experience must be in a healthcare setting and must involve substantive privacy or security responsibilities. Roles where privacy or security was incidental - rather than a core function - may not satisfy the requirement in full. Assess this honestly before you apply: does your job actually involve the work the CHPS exam tests?
Degree Level and Field of Study
AHIMA recognizes degrees from accredited institutions. Relevant fields include health information management, health administration, information technology, nursing, public health, and related healthcare or information disciplines. A degree in a completely unrelated field - say, mechanical engineering - is generally not treated the same as a health information management degree when AHIMA calculates experience requirements.
If your undergraduate or graduate degree is in a healthcare or information-related field, you are likely to satisfy the educational component more straightforwardly. If your degree is in an adjacent or unrelated area, you may need additional years of qualifying experience. Always confirm current requirements directly with AHIMA, as specific thresholds are updated periodically.
Education Pathways Explained
| Education Level | Field of Study | General Impact on Experience Requirement |
|---|---|---|
| Associate Degree | Health Information Management or related | Longer experience requirement typically applies |
| Bachelor's Degree | Health Information Management, IT, or healthcare field | Standard experience requirement |
| Bachelor's Degree | Non-healthcare, non-IT field | May require additional years of qualifying experience |
| Master's Degree or Higher | Healthcare, HIM, public health, or related | Reduced experience requirement may apply |
The table above is a general framework. Because AHIMA updates eligibility specifics, always cross-reference against the current candidate handbook before submitting your application. For a full breakdown of who qualifies and under which pathway, the dedicated CHPS Eligibility Requirements: Who Can Apply in 2026 resource covers these distinctions in granular detail.
What Counts as Qualifying Experience
This is where many candidates underestimate the specificity AHIMA expects. Not all healthcare work qualifies - and not all privacy-adjacent work qualifies either. CHPS experience must be in healthcare privacy and/or security, verified through employment records, and performed in a healthcare setting or directly supporting a healthcare organization.
Roles That Typically Qualify
- Privacy Officer or Assistant Privacy Officer at a hospital, health system, or payer organization
- Healthcare Information Security Analyst or Manager
- Compliance Officer with direct privacy and security oversight responsibilities
- Health Information Manager with documented privacy program responsibilities
- HIPAA Compliance Coordinator or Specialist
- Risk Analyst focused on healthcare data or clinical systems security
Experience That May Not Fully Qualify
- General IT roles in healthcare where privacy/security was not a defined responsibility
- Healthcare administrative roles without documented involvement in privacy or security functions
- Non-healthcare industry privacy or security roles (these are evaluated on a case-by-case basis)
Key Takeaway
When documenting experience, be specific. List the privacy and security functions you actually performed - policy development, risk assessments, breach investigations, staff training on HIPAA - rather than relying on your job title alone. AHIMA evaluates function, not just title.
The Application and Registration Process
Once you have confirmed you meet the education and experience thresholds, the next step is submitting your application through AHIMA's certification portal. The process involves submitting educational transcripts, documenting work experience with employer verification, and paying the applicable exam fee.
AHIMA members pay a lower exam fee than non-members - a meaningful financial consideration if you are not already an AHIMA member. Evaluate whether the membership cost plus discounted exam fee is less than the non-member exam fee. For many candidates who plan to maintain CHPS certification long-term (and need continuing education units for recertification), AHIMA membership typically makes financial sense.
After your application is approved, you will receive an authorization to test (ATT) letter with a window during which you must schedule and sit for the exam. Do not let this window expire - rescheduling after an expired ATT requires reapplication and additional fees. The moment your ATT arrives, open your preparation calendar and commit to a test date.
For ongoing credential maintenance after passing, understanding the CEU requirements that keep your CHPS active is equally important. The CHPS Continuing Education Units: A Complete Guide 2026 article covers exactly what counts toward recertification and how to plan your learning calendar around those requirements.
What the Exam Actually Covers
Confirming eligibility is step one. Understanding the exam structure is step two - because the six domains of the CHPS exam directly reflect the job functions that qualify you. There is a deliberate alignment between what AHIMA considers qualifying experience and what the exam tests.
Domain 1: Ethical, Legal, and Regulatory Issues / Environmental Assessment (23-27%)
The heaviest domain on the exam. Candidates must understand HIPAA Privacy and Security Rules in depth, state law preemption analysis, the HITECH Act, 42 CFR Part 2 (substance use disorder records), and the ethical obligations of healthcare privacy professionals. This domain also covers environmental assessment - understanding the regulatory landscape your organization operates within.
- Federal vs. state privacy law hierarchy and preemption
- Patient rights under HIPAA (access, amendment, accounting of disclosures)
- Ethical frameworks for healthcare information professionals
- Regulatory agency roles (OCR, CMS, FTC in healthcare contexts)
Domain 2: Privacy Program Management (18-22%)
Covers the operational side of building and running a healthcare privacy program - policies, procedures, workforce training, Notice of Privacy Practices, and business associate agreement management.
- Developing and maintaining privacy policies aligned with HIPAA requirements
- Business associate agreement (BAA) requirements and management
- Workforce training program design and documentation
- Patient rights request handling procedures
Domain 3: Security Program Management (18-22%)
Mirrors Domain 2 in weight and covers the HIPAA Security Rule's administrative, physical, and technical safeguard requirements. Candidates must understand risk analysis methodology, security management processes, and how to structure a compliant security program.
- Required vs. addressable implementation specifications under the Security Rule
- Security risk analysis and risk management processes
- Contingency planning and disaster recovery requirements
- Workforce security and access management controls
Domain 4: Information Technology (12-16%)
Tests practical knowledge of the technology underpinning healthcare information security - encryption, network security, authentication, and EHR system security considerations. This domain requires enough technical literacy to evaluate security controls, even if candidates are not network engineers.
- Encryption standards and their application to ePHI
- Authentication mechanisms (MFA, role-based access control)
- Network security fundamentals relevant to healthcare environments
- EHR audit log capabilities and limitations
Domain 5: Compliance, Investigation, and Enforcement (10-14%)
Covers internal compliance monitoring, complaint investigation processes, OCR enforcement procedures, and civil/criminal penalty frameworks under HIPAA. Candidates must understand how violations are investigated, tiered, and resolved.
- OCR complaint investigation and resolution processes
- HIPAA penalty tiers and culpability factors
- Internal compliance audit and monitoring methodologies
- Corrective action plan (CAP) development and implementation
Domain 6: Breach Management (5-9%)
The smallest domain by weight, but critically important in practice. Tests knowledge of the HIPAA Breach Notification Rule - the four-factor risk assessment, notification timelines, content requirements, and media notification thresholds.
- The four-factor breach risk assessment under the Breach Notification Rule
- Individual, HHS, and media notification requirements and timelines
- Breach investigation documentation and reporting
- Business associate breach notification obligations
The domain weights matter for how you allocate study time. Domains 1, 2, and 3 together represent roughly 60-70% of the exam. You can start building toward the exam by testing yourself against domain-specific questions at our CHPS practice test platform, which organizes questions by domain so you can identify your weakest areas early.
Roles and Employers That Seek CHPS Credential Holders
The CHPS credential is most directly valued by organizations that have formal HIPAA compliance obligations - which is to say, virtually every entity in the healthcare ecosystem. However, the roles where CHPS carries the most weight tend to be in larger, more complex organizations where privacy and security functions are distinct, staffed positions rather than ad hoc responsibilities.
Typical Hiring Organizations
- Health systems and academic medical centers - Large hospital systems often have dedicated Privacy Officers, Security Officers, and compliance teams where CHPS is a preferred or required credential.
- Health insurance companies and managed care organizations - Payers handle massive volumes of PHI and face regular OCR scrutiny, making credentialed privacy and security professionals high-value hires.
- Healthcare consulting firms - Firms offering HIPAA compliance consulting, privacy program assessments, and breach response services frequently list CHPS as a differentiating credential for client-facing staff.
- Electronic health record (EHR) vendors and health IT companies - Companies building and maintaining systems that process ePHI need staff who understand both the technical and regulatory dimensions of healthcare data security.
- Government and public health agencies - State health departments, federally qualified health centers, and federal agencies operating under HIPAA value formal privacy and security credentials.
- Business associates - Third-party service providers to covered entities - billing companies, transcription services, cloud storage providers serving healthcare - increasingly credential their privacy and security staff to demonstrate compliance capability to clients.
Making the Most of Eligibility: Building Your Prep Plan
Once your eligibility is confirmed and your ATT is in hand, you need a structured approach to exam preparation - one built around the six CHPS domains, not generic study habits. The domain weighting should directly determine where you invest the most time.
Domain 1 Deep Dive - Regulatory and Legal Foundation
- Work through HIPAA Privacy Rule requirements systematically
- Study state law preemption analysis frameworks
- Review HITECH Act amendments to HIPAA in full
- Complete a practice question set focused exclusively on Domain 1
Domains 2 and 3 - Privacy and Security Program Operations
- Map HIPAA Security Rule required vs. addressable specifications
- Review BAA requirements and common BAA gap scenarios
- Practice security risk analysis question scenarios
- Test yourself on workforce training requirements under both Privacy and Security Rules
Domains 4 and 5 - IT Fundamentals and Compliance/Enforcement
- Focus on encryption, authentication, and audit control concepts from a HIPAA lens
- Review OCR enforcement process and penalty tier structure
- Study corrective action plan components and internal audit methodologies
Domain 6 and Full-Length Practice
- Master the four-factor breach risk assessment - high-frequency exam topic
- Review notification timelines for individual, HHS, and media notification
- Complete two full-length timed practice exams at our practice test platform
- Identify remaining weak domains and spend final days on targeted review
This six-week structure applies spaced repetition in a meaningful way: you revisit Domain 1 material when studying Domains 2 and 3 (because the regulatory framework underpins program management), and you revisit Domains 2 and 3 when studying Breach Management in Week 6 (because breach response draws on both privacy and security program knowledge). The domains are not silos - they are layers.
Maintaining your credential after passing also requires ongoing engagement with the field. Understanding how CEUs are structured helps you plan professional development proactively rather than scrambling at recertification time. The CHPS Continuing Education Units: A Complete Guide 2026 resource walks through what types of activities qualify and how to document them efficiently.
Frequently Asked Questions
Yes. AHIMA accepts degrees from a range of fields, including general IT, nursing, public health, and health administration. A degree in an unrelated field is also accepted, but it typically results in a longer required experience period before you qualify. Confirm your specific pathway against the current AHIMA candidate handbook, as requirements are updated periodically.
Not necessarily on its own. General IT work in a healthcare setting does not automatically satisfy the healthcare privacy and security experience requirement. Your experience must involve substantive privacy or security responsibilities - such as HIPAA compliance activities, security risk analysis, privacy program management, or breach response - not just supporting IT infrastructure in a hospital environment.
AHIMA provides a testing window within which you must schedule and complete your exam after receiving your authorization to test. If you do not test within that window, you will need to reapply and pay applicable fees again. Check your ATT documentation for the exact expiration date and schedule your exam promptly upon receiving authorization.
Domain 1 - Ethical, Legal, and Regulatory Issues / Environmental Assessment - carries the highest weight at 23-27% of the exam, making it the most important single domain to master. However, Domains 2 and 3 together are roughly equal in weight to Domain 1, so all three early domains deserve significant study time. Use practice test results by domain to identify where your personal knowledge gaps are most significant.
No, AHIMA membership is not required to apply for or sit for the CHPS exam. However, AHIMA members receive a reduced exam fee. For many candidates who plan to maintain CHPS long-term and participate in AHIMA's continuing education ecosystem, membership typically provides net financial benefit over time - but it is not a prerequisite for eligibility.