- CHPS is administered by AHIMA and covers six weighted domains, with Domain 1 (Ethical, Legal, and Regulatory Issues) carrying the largest share at 23-27%.
- Registration requires meeting AHIMA's eligibility criteria before you submit your application - incomplete applications cause avoidable delays.
- Domain 3 (Security Program Management) and Domain 2 (Privacy Program Management) each carry 18-22% of the exam weight and demand equal preparation effort.
- Practice questions mapped to each domain are one of the most efficient ways to identify gaps before exam day - CHPS Exam Prep practice tests are built around...
What the CHPS Credential Actually Certifies
The Certified in Healthcare Privacy and Security (CHPS) credential is issued by the American Health Information Management Association (AHIMA). It signals that a professional has demonstrated competency across the intersection of healthcare privacy law, security program design, information technology governance, and compliance enforcement - all within the context of protected health information (PHI).
Unlike broader cybersecurity certifications, CHPS is purpose-built for the healthcare environment. Employers who value this credential include hospital systems, health plans, business associates, revenue cycle companies, and healthcare consulting firms. Privacy officers, compliance directors, HIM managers, and information security leads in healthcare settings are among the professionals who pursue it most often.
Understanding what the credential certifies is the starting point for understanding how to register and prepare for it. Every step of the registration process - from verifying eligibility to selecting a testing window - is designed around the six official domains the exam tests.
Eligibility Requirements Before You Register
Before touching the registration form, confirm you meet AHIMA's eligibility requirements. Submitting an application that does not satisfy the prerequisites will delay your approval and push back your testing window.
Education and Experience
AHIMA requires candidates to hold a combination of education and professional experience in healthcare privacy and/or security. The specific thresholds depend on your highest completed degree - candidates with a baccalaureate or higher in a health-related or information management field typically face a lower experience requirement than those entering without that background. Verify the current thresholds directly on the AHIMA CHPS credential page before applying, since requirements are subject to revision.
AHIMA Membership Status
Your membership status with AHIMA affects the exam fee. Members pay a reduced rate compared to non-members. If you are not yet a member, it is worth calculating whether joining before you register saves money - membership fees versus the exam fee differential can favor joining first.
Documentation You Will Need
- Transcripts or degree verification confirming your highest completed education level
- Documentation of professional experience in healthcare privacy, security, or a related field
- A valid form of government-issued identification (used at the testing center)
- Payment method for the exam fee
The Registration Process, Step by Step
The full CHPS Exam Registration Process runs through AHIMA's certification portal. Here is how each stage works in practice.
Step 1: Create or Log In to Your AHIMA Account
All CHPS registration activity happens through your AHIMA member account. If you do not have one, create it before starting the application. Your account stores your application status, approval notice, and eventually your certification records.
Step 2: Complete the CHPS Application
Inside the portal, navigate to the CHPS credential application. You will enter your education history, work experience, and employment information. Be precise - vague descriptions of job responsibilities are one reason applications get flagged for follow-up. Use the language of the CHPS domains when describing your experience: reference privacy program oversight, security policy management, regulatory compliance, or breach investigation work where it genuinely applies.
Step 3: Submit Required Documentation
Upload or arrange delivery of your transcripts and any supporting experience documentation. AHIMA may perform random audits of applications, so keep your supporting documents organized and accurate even after submission.
Step 4: Pay the Exam Fee
Payment is collected at the time of application submission. The fee differs based on AHIMA membership status. Non-members pay a premium - factor this into your total cost-of-certification calculation before submitting.
Step 5: Receive Your Authorization to Test (ATT)
Once AHIMA reviews and approves your application, you receive an Authorization to Test notice. This notice includes a deadline - your testing window - within which you must schedule and sit for the exam. Do not let this window lapse; rescheduling outside the window involves additional fees.
Step 6: Schedule Your Exam with Pearson VUE
CHPS is delivered through Pearson VUE testing centers. Log in to the Pearson VUE website using the information provided in your ATT, select a testing center or remote proctored option (availability varies), and choose an appointment date and time. Schedule as soon as you receive your ATT so you have maximum flexibility in choosing a convenient date.
| Registration Stage | Who Handles It | Key Action Required |
|---|---|---|
| Application Submission | AHIMA Portal | Complete all fields; upload transcripts |
| Fee Payment | AHIMA Portal | Pay at submission; confirm member vs. non-member rate |
| Authorization to Test | AHIMA | Check email; note ATT expiration date |
| Exam Scheduling | Pearson VUE | Book your seat promptly within the testing window |
| Exam Delivery | Pearson VUE Test Center | Bring valid government-issued ID |
Exam Structure and Domain Breakdown
The CHPS exam tests across six domains. Knowing the weight of each domain is not just trivia - it is the foundation of an intelligent study plan. Spending equal time on every domain regardless of weight is one of the most common preparation mistakes.
Domain 1: Ethical, Legal, and Regulatory Issues / Environmental Assessment (23-27%)
The largest single domain on the exam. Candidates must command HIPAA Privacy and Security Rules in depth, understand HITECH amendments, navigate state privacy laws that may be more stringent than federal minimums, and apply ethical frameworks to real-world scenarios.
- HIPAA Privacy Rule: permitted disclosures, minimum necessary standard, individual rights
- HIPAA Security Rule: administrative, physical, and technical safeguard categories
- State law preemption analysis
- Professional and organizational ethics in PHI handling
Domain 2: Privacy Program Management (18-22%)
This domain covers the operational side of running a healthcare privacy program - not just knowing the law, but building and sustaining the infrastructure that keeps an organization compliant.
- Privacy officer roles and responsibilities
- Notice of Privacy Practices development and delivery
- Training program design for workforce members
- Business Associate Agreement management
Domain 3: Security Program Management (18-22%)
Paired in weight with Domain 2, this domain requires candidates to understand how to design, implement, and maintain a security program for electronic PHI - including risk analysis methodology and security incident response.
- Risk analysis and risk management planning
- Security policies, procedures, and workforce sanctions
- Contingency planning and disaster recovery
- Vendor and third-party security oversight
Domain 4: Information Technology (12-16%)
Candidates must understand the technical environment in which PHI lives - networks, access controls, encryption, and system configurations - well enough to evaluate security controls, not necessarily implement them at an engineer level.
- Authentication and access control models
- Encryption standards and their application to ePHI
- Network architecture concepts relevant to PHI protection
- Audit logging and monitoring systems
Domain 5: Compliance, Investigation, and Enforcement (10-14%)
This domain tests understanding of how enforcement agencies - particularly HHS Office for Civil Rights - investigate complaints and conduct audits, and what organizations must do to respond effectively.
- OCR complaint and audit processes
- Corrective Action Plan (CAP) development
- Internal investigation procedures for potential HIPAA violations
- Civil and criminal penalty frameworks
Domain 6: Breach Management (5-9%)
The smallest domain by weight, but one with significant real-world operational consequences. Candidates must understand the four-factor risk assessment for determining whether an impermissible disclosure constitutes a reportable breach, and the notification timelines and processes that follow.
- HITECH Breach Notification Rule requirements
- Four-factor breach risk assessment methodology
- Individual, media, and HHS notification timelines
- Breach documentation and post-breach remediation
What the Questions Actually Look Like
CHPS questions are scenario-based. You will not see many pure recall questions like "What is the definition of PHI?" Instead, expect multi-sentence scenarios describing a situation at a hospital, health plan, or business associate - followed by a question asking what the privacy officer should do, what the organization is required to do under HIPAA, or which security control is most appropriate given the described risk.
This format means factual knowledge is necessary but not sufficient. You need to be able to apply the rules to ambiguous real-world situations. For example, a question might describe a scenario where a healthcare worker accessed a patient's record without a treatment justification, ask you to identify whether a breach occurred, and present four plausible answers that differ only in the specific regulatory threshold or notification step involved.
Working through practice questions mapped to the official domains is one of the highest-yield preparation activities available. CHPS Exam Prep's practice tests are structured around the same six domains, allowing you to identify exactly which areas of Domain 1 or Domain 3 you need to revisit before exam day.
Key Takeaway
Because questions are scenario-based and application-focused, studying definitions in isolation will leave you underprepared. Pair your reading with high-volume practice question exposure across all six domains - especially the three highest-weighted ones.
A Domain-Anchored Prep Timeline
Generic study schedules are not especially useful for CHPS because the domains carry very different weights and require different types of thinking. The following eight-week framework is organized around the exam's actual structure. Adjust the pace based on your existing background - a practicing privacy officer will move through Domain 2 faster than an IT professional new to privacy law, and vice versa for Domain 4.
Domain 1 Deep Dive (23-27%)
- Work through the HIPAA Privacy Rule in full, with attention to individual rights provisions and permitted disclosure categories
- Study the HIPAA Security Rule's three safeguard categories and their required vs. addressable implementation specifications
- Review state law preemption standards and how they interact with federal minimums
- Complete a domain-specific practice quiz at the end of each week to baseline your knowledge gaps
Domains 2 and 3 (Privacy and Security Program Management, 18-22% each)
- Week 3: Privacy program operations - BAA management, Notice of Privacy Practices, workforce training design
- Week 4: Security program operations - risk analysis methodology, incident response procedures, contingency planning
- Use spaced repetition on high-density regulatory detail (e.g., BAA required provisions, risk analysis steps) - flashcards work well here because the content is list-heavy
Domain 4: Information Technology (12-16%)
- Focus on access controls, encryption application to ePHI, and audit log concepts - not deep technical implementation
- Connect IT concepts back to HIPAA Security Rule technical safeguard requirements studied in week 2
Domains 5 and 6: Compliance, Investigation, Breach Management (10-14% and 5-9%)
- Domain 5: OCR audit process, CAP structure, investigation procedures
- Domain 6: Four-factor breach risk assessment, notification timelines, documentation requirements
- These domains are lower weight but high-consequence in practice - scenario questions here are often about sequencing (what do you do first, second, third)
Full-Length Practice and Targeted Review
- Take at least two full-length timed practice exams through CHPS Exam Prep
- Analyze wrong answers by domain - return to source material for any domain where you are consistently missing questions
- Final week: light review of weakest domain only; avoid cramming new material in the last 48 hours
For a comprehensive look at the materials that work best alongside this timeline, see CHPS Study Materials 2026: Books, Courses and Resources, which covers the official AHIMA resources and supplemental options that align with the domain framework above.
After Registration: What Comes Next
Once your application is approved and your exam is scheduled, the period between scheduling and exam day is where most candidates make or lose their score. A few operational points matter here.
Confirm Your Testing Center Requirements
Pearson VUE testing centers have specific policies about acceptable identification, what you may bring into the testing room, and check-in procedures. Review these policies on the Pearson VUE website before your appointment - arriving with the wrong form of ID or expecting to bring personal notes into the room will cost you your appointment.
Remote Proctoring Considerations
If you choose remote proctoring rather than an in-person test center, the technical and environmental requirements are strict. You will need a quiet, private room, a computer meeting Pearson VUE's specifications, and a reliable internet connection. Conduct a system check well in advance of your appointment date.
Score Reporting
CHPS exam results are typically available at the testing center immediately after completion for the scaled score. Official results and any credential conferral notification come through AHIMA. Keep your AHIMA account login accessible after exam day.
If you are still in the process of selecting your study resources before submitting your registration, review the full breakdown of CHPS study materials for 2026 to ensure you have the right foundation in place before your testing window begins.
Frequently Asked Questions
Processing time varies and is subject to application volume. Allow several weeks from submission to receipt of your Authorization to Test. Submit your application well before any target testing date to avoid pressure from a narrow window.
Yes, non-members can sit for the CHPS exam. However, non-members pay a higher exam fee. Calculate whether joining AHIMA before registering reduces your total out-of-pocket cost before submitting your application.
If your ATT expires before you schedule or sit for the exam, you will need to reapply and pay the exam fee again. Treat the ATT expiration date as a hard deadline and schedule your Pearson VUE appointment immediately upon receiving your authorization.
Prioritize Domain 1 (Ethical, Legal, and Regulatory Issues) first - it carries the largest weight at 23-27%. Follow with Domain 2 (Privacy Program Management) and Domain 3 (Security Program Management), which each account for 18-22%. Together, these three domains represent the majority of the exam.
Scenario-based practice questions mapped to the official six domains are among the most effective preparation tools available. They train you to apply regulatory knowledge to situational contexts - exactly what the exam tests. CHPS Exam Prep's practice tests are structured around the same domain framework as the official exam, making them directly relevant to what you will encounter on test day.