
Free CHPS Practice Questions

10 free, exam-style Certified in Healthcare Privacy and Security (CHPS) practice questions with answers and explanations. No signup required. Work through them below, then take the full free CHPS practice test to study every exam domain.

Question 1

A state law requires covered entities to provide patients a copy of their records within 15 days, while the HIPAA Privacy Rule permits up to 30 days. When both apply, which standard governs?

  A. The HIPAA 30-day standard, because federal law preempts contrary state law
  B. Whichever standard the covered entity adopts in its own policies
  C. The state 15-day standard, because it is more stringent
  D. The HIPAA standard, unless the state obtained an exception from HHS

Correct answer: C - The state 15-day standard, because it is more stringent

HIPAA preempts contrary state law only where the state law is less protective of the individual; a state provision that is more stringent, such as a shorter deadline for giving patients access to their records, continues to apply.

Question 2

A university operates a health clinic that treats only enrolled students. Under federal law, the students' treatment records maintained by the clinic are generally governed by:

  A. The HIPAA Privacy Rule, since the clinic is a health care provider
  B. FERPA, because HIPAA excludes FERPA-covered records from the definition of PHI
  C. Both HIPAA and FERPA, applying whichever is more protective of the student
  D. State medical-records law only, as federal privacy law does not reach schools

Correct answer: B - FERPA, because HIPAA excludes FERPA-covered records from the definition of PHI

The HIPAA definition of protected health information excludes education records and treatment records covered by FERPA, so a campus clinic that treats only enrolled students holds FERPA records rather than PHI. Records of non-students treated by the same clinic would not carry that exclusion.

Question 3

A patient submits a written request for a paper copy of their record. Under the HIPAA right of access, the covered entity MAY charge a fee that includes:

  A. Labor for copying, plus the cost of supplies and postage
  B. Staff time spent searching for and retrieving the record
  C. The cost of verifying the requester's identity and authority
  D. A flat per-page rate that need not reflect the actual cost of copying

Correct answer: A - Labor for copying, plus the cost of supplies and postage

The fee must be reasonable and cost-based and may cover only labor for copying, supplies, postage, and (if the patient agrees to one) preparation of a summary or explanation; search and retrieval time, identity verification, and fees unrelated to actual cost are not permitted.

Question 4

A covered entity hires a cloud vendor to store encrypted ePHI. The vendor holds only encrypted data and lacks the decryption key, so it cannot view the information. Under HIPAA, the vendor is:

  A. Not a business associate, because it cannot access the unencrypted ePHI
  B. Exempt under the conduit exception, since it only stores data it is sent
  C. A business associate only if it voluntarily agrees to that status in writing
  D. A business associate that must enter into a business associate agreement

Correct answer: D - A business associate that must enter into a business associate agreement

Maintaining ePHI on a covered entity's behalf makes the vendor a business associate even when it cannot decrypt the data; lack of a key does not change that status. The conduit exception covers only services that transmit data with transient access, such as an ISP or courier, not persistent storage.

Question 5

A data set is being de-identified under the Safe Harbor method and includes patients aged 92, 95, and 101. To comply, these ages must be:

  A. Reported as listed, since age alone is not one of the 18 identifiers
  B. Aggregated into a single category of '90 or older'
  C. Replaced with each patient's year of birth instead of age
  D. Offset by a consistent random number of days to mask them

Correct answer: B - Aggregated into a single category of '90 or older'

Safe Harbor requires removing all elements of dates except the year, and all ages over 89 together with any date elements (including a year of birth) that would indicate such an age; those individuals may instead be reported in a single '90 or older' category. Replacing age with year of birth (option C) would still reveal the age when combined with another year in the record.
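As an added example (not part of the practice test or any CHPS material), the following Python applies the Safe Harbor age and date rules from this question to a small set of records: it computes each person's age against an assumed extraction date, keeps only the year of each date, collapses every age over 89 into '90 or older', suppresses the birth year for that group because year of birth plus another year would reveal the age, and then runs an independent check over the output. It goes beyond the question by also applying the related rule for date elements. The records, the reference date, and every field name are constructed for the example; it does not implement the other Safe Harbor identifiers (ZIP codes, names, and so on).

```python
from datetime import date

# Constructed sample records for this example (not real patients). "mrn" is a
# medical record number, a direct identifier that Safe Harbor removes outright.
SAMPLE_RECORDS = [
    {"mrn": "A100", "birth_date": date(1932, 3, 15), "admission_date": date(2024, 5, 2), "diagnosis": "E11.9"},
    {"mrn": "A101", "birth_date": date(1929, 1, 1), "admission_date": date(2024, 5, 9), "diagnosis": "I10"},
    {"mrn": "A102", "birth_date": date(1923, 5, 1), "admission_date": date(2024, 6, 1), "diagnosis": "N18.3"},
    {"mrn": "A103", "birth_date": date(1979, 2, 10), "admission_date": date(2024, 6, 12), "diagnosis": "J45.20"},
]

# Assumed date the data set was extracted; ages are computed against it.
REFERENCE_DATE = date(2024, 6, 30)

AGE_CEILING = 89                 # Safe Harbor: every age over 89 is aggregated
AGGREGATE_LABEL = "90 or older"  # the single permitted category for that group


def age_on(birth: date, reference: date) -> int:
    """Completed years of age on the reference date (one less if the birthday is still ahead)."""
    years = reference.year - birth.year
    if (reference.month, reference.day) < (birth.month, birth.day):
        years -= 1
    return years


def safe_harbor_age(age: int) -> str:
    """Ages 0-89 are reported as numbers; anything over 89 collapses into one label."""
    return AGGREGATE_LABEL if age > AGE_CEILING else str(age)


def birth_year_indicates_over_ceiling(birth_year: int, reference: date) -> bool:
    # A year alone cannot distinguish 89 from 90, so any birth year from which the
    # person could already be 90 on the reference date is treated as indicative.
    return reference.year - birth_year > AGE_CEILING


def deidentify(record: dict, reference: date) -> dict:
    """Apply the Safe Harbor age/date rules to one record; the direct identifier is dropped."""
    birth = record["birth_date"]
    age = age_on(birth, reference)
    return {
        "age": safe_harbor_age(age),
        # Year of birth is kept only when it cannot point to an age over 89.
        "birth_year": None if birth_year_indicates_over_ceiling(birth.year, reference) else birth.year,
        # For other dates only the year survives.
        "admission_year": record["admission_date"].year,
        "diagnosis": record["diagnosis"],  # clinical codes are not among the 18 identifiers
    }


def deidentify_all(records, reference: date) -> list:
    return [deidentify(r, reference) for r in records]


def safe_harbor_violations(row: dict, reference: date) -> list:
    """Independent check of a de-identified row; returns the problems found (empty list = clean)."""
    problems = []
    if row["age"] != AGGREGATE_LABEL and int(row["age"]) > AGE_CEILING:
        problems.append("age over 89 not aggregated")
    if row.get("birth_year") is not None and birth_year_indicates_over_ceiling(row["birth_year"], reference):
        problems.append("birth year indicates age over 89")
    for key in ("mrn", "birth_date", "admission_date"):
        if key in row:
            problems.append(f"{key} still present")
    return problems


def run_example() -> list:
    """De-identify the sample records against the assumed reference date."""
    return deidentify_all(SAMPLE_RECORDS, REFERENCE_DATE)


if __name__ == "__main__":
    for row in run_example():
        print(row, safe_harbor_violations(row, REFERENCE_DATE))
```

The checker is deliberately separate from the transformation so that it can be run over any output file, not just this one; a real pipeline would also need to cover the remaining identifiers and the "no actual knowledge" condition that Safe Harbor imposes alongside the removal list.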

Question 6

An organization's risk analysis shows that an addressable implementation specification in the Security Rule is not reasonable and appropriate for its environment. The organization must:

  A. Skip the specification, since addressable items are optional and need not be implemented
  B. Implement it exactly as written anyway, because every specification is mandatory
  C. Document its rationale and implement an equivalent alternative measure where one is reasonable and appropriate
  D. Obtain written approval from OCR before deviating from the specification

Correct answer: C - Document its rationale and implement an equivalent alternative measure where one is reasonable and appropriate

Addressable does not mean optional: the entity must assess whether the specification is reasonable and appropriate, implement it if so, and otherwise document why not and implement an equivalent alternative measure if that alternative is itself reasonable and appropriate. No OCR approval is involved, but the documentation is what OCR will ask for in an investigation.

Question 7

A hospital implements two-factor authentication for access to its EHR. Which combination meets the definition of true two-factor authentication?

  A. A fingerprint scan plus a one-time code from a mobile token
  B. A password plus the answer to a personal security challenge question
  C. A username entered together with an account password
  D. Two distinct passwords entered on two separate screens

Correct answer: A - A fingerprint scan plus a one-time code from a mobile token

Two-factor authentication requires factors from two different categories: something the user knows, has, or is. A fingerprint (inherence) plus a token code (possession) qualifies; a password with a challenge question, or two passwords, are two knowledge factors, and a username is an identifier rather than a factor.

Question 8

To satisfy the Security Rule's risk analysis requirement, an organization's analysis must:

  A. Cover only the systems that store its highest-volume ePHI
  B. Consist of an annual third-party penetration test of the network perimeter
  C. Be a one-time checklist comparing existing written policies to the rule's text
  D. Assess risks to all ePHI it creates, receives, maintains, or transmits

Correct answer: D - Assess risks to all ePHI it creates, receives, maintains, or transmits

The risk analysis must be an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of all ePHI the entity holds, wherever it resides, and it must be reviewed and updated as the environment changes. A penetration test or a policy checklist can feed the analysis but does not replace it.

Question 9

A workforce member emails a spreadsheet of unsecured PHI to the wrong external recipient. Under the Breach Notification Rule, this impermissible disclosure is:

  A. Automatically a reportable breach that requires immediate individual notification
  B. Presumed a breach unless a risk assessment shows a low probability of compromise
  C. Not a breach if the recipient verbally agrees to delete the email
  D. Exempt because it was an accident rather than an intentional disclosure

Correct answer: B - Presumed a breach unless a risk assessment shows a low probability of compromise

An impermissible use or disclosure of unsecured PHI is presumed to be a breach unless the entity demonstrates, through a documented risk assessment of at least four factors (the nature and extent of the PHI, who received it, whether it was actually acquired or viewed, and the extent of mitigation), that there is a low probability the PHI has been compromised. Accidental disclosure is not an exemption, and an unverifiable verbal promise to delete is weak mitigation evidence.

Question 10

A covered entity discovers a breach of unsecured PHI affecting 120 individuals. When must it report this breach to the HHS Secretary?

  A. Without unreasonable delay, within 60 days of discovering the breach
  B. Within 24 hours, since all breaches require immediate federal notice
  C. In the annual log submitted to HHS within 60 days after the end of the calendar year in which the breach was discovered
  D. Only if one or more affected individuals later file a complaint with OCR

Correct answer: C - In the annual log submitted to HHS within 60 days after the end of the calendar year in which the breach was discovered

Breaches affecting fewer than 500 individuals are logged and reported to HHS within 60 days after the end of the calendar year of discovery. The 60-days-from-discovery deadline in option A applies to HHS notice for breaches of 500 or more individuals, and to notifying the affected individuals themselves in every case, so the individual notices for this breach are still due without unreasonable delay.

Ready for the real thing?

Practice hundreds more CHPS questions with instant scoring, weak-area drills, and full exam simulations.
