- What You Are Actually Studying For
- Domain-by-Domain Resource Mapping
- Official and Core Materials Every Candidate Needs
- Courses and Live Training Options
- Practice Tests and Question Banks
- A Domain-Anchored Study Schedule
- What Employers Actually Expect From a CHPS Holder
- Where Popular Resources Fall Short
- Frequently Asked Questions
- Domain 1 (Ethical, Legal, and Regulatory Issues) carries the largest exam weight at 23-27%, so it demands the most study time.
- AHIMA's official Body of Knowledge publications are the closest thing to a sanctioned CHPS textbook and should anchor your prep.
- Practice questions must reflect CHPS's applied, scenario-based format, not simple recall, to build real exam readiness.
- Domains 5 and 6 (Compliance/Enforcement and Breach Management) are lower-weight but frequently tested together in scenario questions.
What You Are Actually Studying For
The Certified in Healthcare Privacy and Security (CHPS) credential is issued by AHIMA and targets professionals who manage the intersection of patient privacy and information security inside healthcare organizations. That dual focus (privacy and security) is what makes resource selection tricky. Many candidates arrive with a strong background in one area but not both, and they misjudge how much the exam expects fluency across all six domains.
Before you spend a dollar on materials, understand what the exam is actually testing. The CHPS is not a memorization exercise. Questions are presented as workplace scenarios (a covered entity receives a records request, a business associate reports a ransomware incident, a privacy officer needs to revise a Notice of Privacy Practices), and you are expected to select the most appropriate professional response. That means your resources need to teach you how to apply rules, not just recite them.
If you have not yet locked in your testing appointment, reviewing the CHPS Exam Registration Process: Step-by-Step 2026 first will ensure your study timeline aligns with your eligibility window and application deadlines.
Domain-by-Domain Resource Mapping
One of the most common mistakes candidates make is treating all six domains equally. The exam blueprint tells a different story. Here is what each domain covers and the types of resources that address it most directly.
Domain 1: Ethical, Legal, and Regulatory Issues / Environmental Assessment (23-27%)
The largest domain on the exam. Candidates must navigate HIPAA Privacy Rule and Security Rule provisions, state preemption analysis, 42 CFR Part 2 substance abuse records rules, ethical frameworks for privacy officers, and environmental scanning techniques used to identify emerging regulatory risk.
- Primary resource: AHIMA's Fundamentals of Law for Health Informatics and Information Management
- Supplement with HHS Office for Civil Rights (OCR) guidance documents, which are free and authoritative
- Review state-versus-federal preemption scenarios; these appear regularly in exam questions
- Study HIPAA's minimum necessary standard in operational contexts, not just as a rule definition
Domain 2: Privacy Program Management (18-22%)
This domain tests whether candidates can build and sustain a functioning privacy program: workforce training, Notice of Privacy Practices requirements, patient rights administration, business associate agreement management, and privacy officer responsibilities.
- AHIMA's Health Information Management: Concepts, Principles, and Practice covers program infrastructure
- IAPP resources (even though CHPS is AHIMA-issued) offer strong privacy program management frameworks
- Focus on the operationalization of patient rights: access, amendment, accounting of disclosures, and restrictions
Domain 3: Security Program Management (18-22%)
Equally weighted to Domain 2, this domain covers risk analysis, risk management plans, administrative safeguards, physical safeguards, technical safeguards, and security officer roles under the HIPAA Security Rule.
- NIST Special Publication 800-66 (Implementing the HIPAA Security Rule) is freely available and directly exam-relevant
- AHIMA's security-focused Body of Knowledge resources address healthcare-specific application
- Understand the difference between required and addressable implementation specifications; this is a frequent exam topic
Domain 4: Information Technology (12-16%)
Candidates without an IT background often underestimate this domain. It covers electronic health record security architecture, network controls, encryption standards, audit logging, and access control models as they apply inside covered entities.
- HIMSS resources on health IT security provide practical, healthcare-contextualized coverage
- CompTIA Security+ study materials can supplement if your IT background is limited; focus on concepts, not the CompTIA exam itself
Domain 5: Compliance, Investigation, and Enforcement (10-14%)
Covers OCR complaint and investigation processes, civil monetary penalty tiers, resolution agreements, audit protocols, and workforce sanction policies.
- OCR's published resolution agreements and corrective action plans are free, real-world case studies
- Review the HIPAA enforcement rule and tiered penalty structure in detail
Domain 6: Breach Management (5-9%)
The smallest domain by weight, but breach scenarios frequently appear inside questions that are technically scored under Domains 1 or 5. Study the Breach Notification Rule's four-factor risk assessment, required notification timelines, and media notice thresholds.
- HHS breach notification guidance documents are the authoritative source
- Practice identifying which events meet the definition of a breach versus a permissible disclosure
Official and Core Materials Every Candidate Needs
There is no single CHPS study guide that works the way a USMLE Step 1 review book works. AHIMA does not publish a branded "CHPS Exam Prep" textbook. Instead, the credential draws from AHIMA's broader Body of Knowledge, a collection of references that practicing HIM professionals are expected to maintain familiarity with throughout their careers.
AHIMA Body of Knowledge Publications
AHIMA's Body of Knowledge is available through AHIMA membership and offers the closest alignment to what the exam tests. Key titles to prioritize include works covering health information law, privacy program management, and security fundamentals. If you are not an AHIMA member, membership often costs less than purchasing individual titles and also provides access to practice resources and the candidate handbook.
Free Government and Regulatory Documents
Several of the best CHPS study resources cost nothing. The HHS Office for Civil Rights publishes extensive guidance on HIPAA Privacy Rule provisions, Security Rule safeguards, breach notification, and enforcement. NIST publishes implementation guides specifically written for healthcare entities. These are not peripheral supplements; they are primary sources that exam questions are built from.
The CHPS Candidate Handbook
AHIMA's CHPS Candidate Handbook is not a study guide, but it contains the official domain outline and content specifications. Read it before you select any other resource. The domain percentages listed in this article come from that document, and aligning your materials to those weights is the most efficient way to allocate study hours.
Courses and Live Training Options
Structured courses are useful for candidates who want guided progression through the content, prefer instructor accountability, or have significant gaps in either the privacy or security side of the exam. Several options exist at different price points.
AHIMA-Sponsored Preparation Programs
AHIMA periodically offers CHPS preparation workshops and virtual seminars tied to their annual conference schedule and on-demand learning library. These are produced with direct awareness of the exam blueprint and tend to be particularly strong on Domains 1, 2, and 5 given AHIMA's HIM roots. Watch the AHIMA store for self-paced modules that can be completed asynchronously.
HIMSS and IAPP Adjacent Resources
While HIMSS and IAPP credential candidates for separate certifications, both organizations publish educational content that directly overlaps with CHPS Domains 3 and 4. HIMSS Healthcare Privacy and Security Academy courses and IAPP's CIPP/US Foundation materials, used selectively, can strengthen your security program management and privacy law fluency without requiring you to pursue those certifications.
Independent Healthcare Compliance Instructors
A growing number of AHIMA-credentialed instructors offer CHPS-focused prep courses through platforms like AHIMA's online learning hub or independent healthcare education platforms. When evaluating these, check that the instructor maps content to the six CHPS domains explicitly and that the course includes applied scenario practice, not only lecture review.
Practice Tests and Question Banks
Content knowledge alone does not pass the CHPS exam. The scenario-based format means you need to develop judgment under exam conditions, learning to identify the single best answer when two or three options appear defensible. That only happens through deliberate practice with quality questions.
The most effective practice questions share three characteristics: they are anchored to a specific CHPS domain, they present realistic workplace scenarios rather than isolated fact recall, and they include detailed answer explanations that teach you the reasoning behind both correct and incorrect choices.
Our CHPS practice test platform is built around these principles, with questions mapped to all six exam domains and explanations written at the application level the actual exam demands. Using a structured question bank early in your prep, not just in the final two weeks, allows you to identify domain-specific gaps while you still have time to address them through targeted reading.
Key Takeaway
Start using practice questions in your first week of studying, not your last. Early practice reveals which domains need more resource investment before you have locked in your full study schedule.
| Resource Type | Best For | Domain Coverage Strength | Cost Range |
|---|---|---|---|
| AHIMA Body of Knowledge | Content depth, official alignment | Domains 1, 2, 5 | Membership or per-title purchase |
| HHS/OCR Guidance Documents | Regulatory accuracy, enforcement context | Domains 1, 5, 6 | Free |
| NIST SP 800-66 | Security Rule implementation detail | Domain 3 | Free |
| AHIMA Prep Workshops | Structured guidance, instructor Q&A | Domains 1, 2, 3 | Moderate to high |
| CHPS Practice Test Platform | Applied reasoning, gap identification | All six domains | Low to moderate |
| OCR Resolution Agreements | Real enforcement cases, penalty scenarios | Domains 5, 6 | Free |
A Domain-Anchored Study Schedule
The most useful study schedules for CHPS are built around the domain weight distribution, not arbitrary weekly chapter assignments. Here is a ten-week framework that reflects where the exam actually places its emphasis.
Domain 1: Ethical, Legal, and Regulatory Issues (23-27%)
- Read foundational HIPAA Privacy Rule provisions and HHS OCR guidance in full
- Map state law preemption scenarios and practice identifying which law applies
- Study 42 CFR Part 2 distinctions from standard HIPAA rules
- Begin Domain 1 practice questions daily to test regulatory application
Domain 2: Privacy Program Management (18-22%)
- Work through business associate agreement requirements and patient rights mechanics
- Practice drafting scenarios: NPP elements, workforce training program components, access request workflows
- Review AHIMA Body of Knowledge sections on privacy officer roles
Domain 3: Security Program Management (18-22%)
- Read NIST SP 800-66 in full; annotate required vs. addressable implementation specifications
- Study risk analysis methodology and how to document a risk management plan
- Practice scenario questions distinguishing administrative, physical, and technical safeguard categories
Domain 4: Information Technology (12-16%)
- Review access control models, audit logging requirements, and encryption standards in healthcare EHR contexts
- Use HIMSS IT security resources for applied healthcare framing
Domains 5 & 6: Compliance/Enforcement and Breach Management (15-23% combined)
- Study OCR penalty tiers and at least five published resolution agreements
- Master the four-factor breach risk assessment and notification timelines
- Practice identifying breach vs. permissible disclosure scenarios
Full-Exam Integration and Gap Closure
- Complete timed full-length practice exams across all six domains
- Review every incorrect answer explanation before moving to the next question set
- Return to primary sources for any domain where practice accuracy remains weak
What Employers Actually Expect From a CHPS Holder
Understanding who hires for CHPS clarifies why certain materials matter more than others. The credential is recognized primarily by hospitals, health systems, physician group practices, managed care organizations, and healthcare consulting firms. Privacy officers, compliance directors, health information managers, and security analysts in these organizations pursue CHPS to validate operational expertise, not theoretical knowledge of regulations.
Employers in these settings expect CHPS holders to function independently: conducting or overseeing risk analyses, responding to OCR complaint investigations, managing breach notification timelines, advising on business associate agreement language, and training workforce members on privacy obligations. That means your study materials need to prepare you to reason through ambiguous situations, not simply recall rule text.
This is also why the practice test resources on this site are structured around scenario-based questions rather than flashcard-style recall. The exam mirrors what the job actually requires, and your preparation should too.
Where Popular Resources Fall Short
Several study approaches that work well for other healthcare certifications create blind spots for CHPS candidates.
Generic Privacy Law Textbooks
Academic health law textbooks often provide excellent conceptual grounding but rarely address the operational mechanics of HIPAA enforcement, the specifics of addressable vs. required security specifications, or the breach notification risk assessment process at the depth the exam requires. They can build your Domain 1 foundation, but they are not sufficient on their own.
Security Certifications Borrowed Wholesale
Some candidates with IT backgrounds attempt to substitute CompTIA Security+ or CISSP prep materials for Domain 3 and 4 study. These are useful supplements for building technical vocabulary, but they are not healthcare-contextualized. The CHPS exam specifically tests how security principles apply within HIPAA's regulatory framework; concepts like addressable implementation specifications and covered entity obligations have no direct equivalent in general IT security certifications.
Outdated Materials
HIPAA enforcement guidance, OCR audit protocols, and HHS breach notification FAQs are updated periodically. Materials more than a few years old may reflect superseded enforcement priorities or pre-amendment rule text. Always verify that any course or textbook references the current versions of the Privacy Rule, Security Rule, and Breach Notification Rule before committing significant study time to it.
For candidates still finalizing their testing timeline alongside their resource selection, the CHPS exam registration guide walks through the full application process so you can plan your material purchases around a concrete exam date.
The right combination of official AHIMA resources, free regulatory primary sources, and a scenario-based CHPS practice test bank provides the coverage and applied reasoning practice the credential genuinely demands. Assemble your resource stack intentionally, domain by domain and weight by weight, and your preparation will reflect the depth the exam rewards.
Frequently Asked Questions
AHIMA does not publish a single branded "CHPS Study Guide." Instead, the exam draws from AHIMA's Body of Knowledge, a collection of reference publications used by practicing HIM professionals. AHIMA membership provides the broadest access to these materials and is often the most cost-effective starting point for exam prep.
Allocate study time proportionally to domain weight. Domain 1 (Ethical, Legal, and Regulatory Issues) at 23-27% deserves the most investment. Domains 2 and 3 (Privacy and Security Program Management) each carry 18-22% and together account for roughly 40% of the exam. Domains 5 and 6, while lower weight, often appear together in scenario questions and should not be treated as afterthoughts.
Free government resources (HHS OCR guidance, NIST SP 800-66, published resolution agreements) are genuinely authoritative and cover large portions of the exam blueprint. However, they require you to self-direct your reading and do not provide the applied scenario practice the exam demands. Most candidates find the best outcome comes from combining free primary sources with structured AHIMA resources and a scenario-based practice question bank.
No. Domains 3 and 4 together represent up to 38% of the exam and specifically test security program management and information technology concepts within a healthcare context. Candidates with exclusively privacy backgrounds consistently report that the security domains require the most supplemental study time, particularly understanding required versus addressable HIPAA Security Rule implementation specifications and risk analysis methodology.
Most candidates benefit from eight to twelve weeks of structured preparation, depending on their existing background in both privacy and security. Candidates with gaps in one or both areas may need additional time. Starting practice questions in the first week, rather than waiting until content review is complete, helps identify those gaps early enough to address them before the exam date.