CSBI HFMA Certified Specialist Business Intelligence Exam 2026/2027 | Page 1 | Passing Score: 75%
HEALTHCARE FINANCIAL MANAGEMENT ASSOCIATION
CSBI HFMA Certification
Certified Specialist Business Intelligence
Official HFMA Exam 2026/2027
100 75% See Provider
QUESTIONS PASSING SCORE RECERTIFICATION
TABLE OF CONTENTS
Section 1 Healthcare Data Management & Governance Q1-Q20
Section 2 Business Intelligence Tools & Analytics Q21-Q40
Section 3 Data Visualization & Dashboard Design Q41-Q60
Section 4 Performance Measurement & Quality Metrics Q61-Q80
Section 5 Financial Analytics & Revenue Cycle Intelligence Q81-Q100
Instructions: Select the single best answer for each question. This exam is designed for CSBI HFMA Certified Specialist Business
CSBI HFMA Certified Specialist Business Intelligence Exam - 2026/2027 | Passing Score: 75% | Page 1 of 71
, SECTION 1 | Healthcare Data Management & Governance | Q1-Q20 | CSBI HFMA Certification 2026/2027
Q1 Question 1 of 100
A 38-year-old health information manager at a regional medical center discovers that patient
demographic records in the enterprise data warehouse contain duplicate entries for
approximately 12% of the patient population. The duplicates are causing inflated admission
counts and distorting length-of-stay calculations. The manager must recommend a primary
data governance strategy to resolve this issue sustainably. Which approach should the
manager prioritize?
A. A. Implementing a master patient index with deterministic and probabilistic matching algorithms
B. B. Conducting a one-time manual audit to identify and merge all duplicate records
C. C. Creating a secondary reporting database that filters out known duplicate entries
D. D. Requiring clinicians to verify patient identity at every encounter before data entry
Correct Answer: A
Rationale:
A master patient index with both deterministic and probabilistic matching provides a sustainable, automated
solution that continuously identifies and resolves duplicates at the point of entry and across systems. A
one-time manual audit addresses existing duplicates but does not prevent future occurrences, making it
insufficient as a primary governance strategy.
Q2 Question 2 of 100
A chief data officer at a large academic health system is establishing a formal data
governance council. The council will include representatives from clinical operations, finance,
IT, and compliance. The officer needs to define the primary responsibility of this governance
body regarding enterprise data assets. What is the council's core function?
A. A. Approving all database schema changes before implementation in production environments
B. B. Defining data ownership, quality standards, and access policies across the organization
C. C. Performing hands-on data extraction and transformation for all analytic projects
D. D. Managing server infrastructure and storage allocation for the data warehouse
Correct Answer: B
Rationale:
The core function of a data governance council is establishing and enforcing policies around data
ownership, quality standards, and access controls that ensure data is trustworthy and used appropriately.
Approving schema changes is a technical function typically handled by database administrators, while
infrastructure management falls to IT operations.
CSBI HFMA Certified Specialist Business Intelligence Exam - 2026/2027 | Passing Score: 75% | Page 2 of 71
, SECTION 1 | Healthcare Data Management & Governance | Q1-Q20 | CSBI HFMA Certification 2026/2027
Q3 Question 3 of 100
A compliance analyst at a community hospital is evaluating whether the organization's data
sharing agreement with a third-party analytics vendor meets HIPAA requirements. The vendor
will receive limited data sets containing dates of service and ZIP codes for population health
analytics. The analyst must determine the minimum safeguard required before data transfer.
What is required?
A. A. Written consent from every patient whose data will be included in the transfer
B. B. De-identification of all records to the HIPAA safe harbor standard before transfer
C. C. A business associate agreement and a data use agreement that restricts re-identification
D. D. Encryption of the data set using AES-256 before any files leave the hospital network
Correct Answer: C
Rationale:
Under HIPAA, sharing limited data sets with a third party requires both a business associate agreement and
a data use agreement that prohibits re-identification and limits use to the stated purpose. Full
de-identification is not required for limited data sets, and individual patient consent is not mandated for
treatment, payment, or healthcare operations disclosures.
Q4 Question 4 of 100
A 45-year-old data steward at a multi-hospital system notices that the emergency
department's triage data is recorded differently across three facilities: one uses a 3-level
scale, one uses a 5-level scale, and one uses free-text descriptions. The system's quality
dashboard is producing inconsistent metrics. The steward must recommend the most effective
approach to achieve data comparability. Which strategy is most appropriate?
A. A. Allowing each facility to maintain its current system but creating three separate dashboards
for comparison
B. B. Aggregating all triage data into a binary urgent-or-non-urgent classification for reporting
purposes
C. C. Eliminating triage level from the quality dashboard and using only arrival-to-provider time
instead
D. D. Standardizing on the 5-level Emergency Severity Index across all facilities with mapping
rules for legacy data
Correct Answer: D
Rationale:
Standardizing on the nationally recognized 5-level Emergency Severity Index provides a validated,
comparable framework while mapping rules preserve the analytical value of legacy data. Reducing to a
CSBI HFMA Certified Specialist Business Intelligence Exam - 2026/2027 | Passing Score: 75% | Page 3 of 71
, SECTION 1 | Healthcare Data Management & Governance | Q1-Q20 | CSBI HFMA Certification 2026/2027
Q5 Question 5 of 100
A healthcare organization is migrating its clinical data repository from an on-premises server
to a cloud-based platform. The director of information security must ensure that data at rest
and data in transit are protected according to industry best practices. Which combination of
controls best satisfies this requirement?
A. A. AES-256 encryption for data at rest and TLS 1.3 for data in transit with managed key rotation
B. B. SSL 3.0 for data in transit and database-level password protection for data at rest
C. C. VPN tunneling for all connections and MD5 hashing of stored records
D. D. Role-based access control for data at rest and firewall rules for data in transit
Correct Answer: A
Rationale:
AES-256 encryption at rest and TLS 1.3 in transit with managed key rotation represents the current gold
standard for protecting healthcare data throughout its lifecycle. SSL 3.0 is deprecated and insecure, MD5
hashing is not encryption, and access controls or firewalls alone do not protect the data content from
unauthorized viewing or interception.
Q6 Question 6 of 100
A data quality analyst at an integrated delivery network is tasked with measuring the
completeness of clinical documentation in the EHR. The analyst reviews 10,000 inpatient
discharge records and finds that 1,400 are missing discharge disposition, 900 lack principal
diagnosis codes, and 300 have no attending physician documented. Which metric best
represents the overall documentation completeness rate?
A. A. 86.0%, calculated as the average of the three individual field completeness rates
B. B. 74.0%, calculated as records with all three fields populated divided by total records
C. C. 96.0%, calculated by counting each completed field across all records and dividing by total
field opportunities
D. D. 87.0%, calculated as the median of the three individual field completeness percentages
Correct Answer: B
Rationale:
Overall documentation completeness should be measured by the percentage of records that have all
required fields populated, which is (10,000 minus records missing any field) divided by total records. The
average or median of individual rates masks the compounding effect of missing fields within the same
records, and the per-field rate overstates quality by counting partial records as complete.
CSBI HFMA Certified Specialist Business Intelligence Exam - 2026/2027 | Passing Score: 75% | Page 4 of 71
HEALTHCARE FINANCIAL MANAGEMENT ASSOCIATION
CSBI HFMA Certification
Certified Specialist Business Intelligence
Official HFMA Exam 2026/2027
100 75% See Provider
QUESTIONS PASSING SCORE RECERTIFICATION
TABLE OF CONTENTS
Section 1 Healthcare Data Management & Governance Q1-Q20
Section 2 Business Intelligence Tools & Analytics Q21-Q40
Section 3 Data Visualization & Dashboard Design Q41-Q60
Section 4 Performance Measurement & Quality Metrics Q61-Q80
Section 5 Financial Analytics & Revenue Cycle Intelligence Q81-Q100
Instructions: Select the single best answer for each question. This exam is designed for CSBI HFMA Certified Specialist Business
CSBI HFMA Certified Specialist Business Intelligence Exam - 2026/2027 | Passing Score: 75% | Page 1 of 71
, SECTION 1 | Healthcare Data Management & Governance | Q1-Q20 | CSBI HFMA Certification 2026/2027
Q1 Question 1 of 100
A 38-year-old health information manager at a regional medical center discovers that patient
demographic records in the enterprise data warehouse contain duplicate entries for
approximately 12% of the patient population. The duplicates are causing inflated admission
counts and distorting length-of-stay calculations. The manager must recommend a primary
data governance strategy to resolve this issue sustainably. Which approach should the
manager prioritize?
A. A. Implementing a master patient index with deterministic and probabilistic matching algorithms
B. B. Conducting a one-time manual audit to identify and merge all duplicate records
C. C. Creating a secondary reporting database that filters out known duplicate entries
D. D. Requiring clinicians to verify patient identity at every encounter before data entry
Correct Answer: A
Rationale:
A master patient index with both deterministic and probabilistic matching provides a sustainable, automated
solution that continuously identifies and resolves duplicates at the point of entry and across systems. A
one-time manual audit addresses existing duplicates but does not prevent future occurrences, making it
insufficient as a primary governance strategy.
Q2 Question 2 of 100
A chief data officer at a large academic health system is establishing a formal data
governance council. The council will include representatives from clinical operations, finance,
IT, and compliance. The officer needs to define the primary responsibility of this governance
body regarding enterprise data assets. What is the council's core function?
A. A. Approving all database schema changes before implementation in production environments
B. B. Defining data ownership, quality standards, and access policies across the organization
C. C. Performing hands-on data extraction and transformation for all analytic projects
D. D. Managing server infrastructure and storage allocation for the data warehouse
Correct Answer: B
Rationale:
The core function of a data governance council is establishing and enforcing policies around data
ownership, quality standards, and access controls that ensure data is trustworthy and used appropriately.
Approving schema changes is a technical function typically handled by database administrators, while
infrastructure management falls to IT operations.
CSBI HFMA Certified Specialist Business Intelligence Exam - 2026/2027 | Passing Score: 75% | Page 2 of 71
, SECTION 1 | Healthcare Data Management & Governance | Q1-Q20 | CSBI HFMA Certification 2026/2027
Q3 Question 3 of 100
A compliance analyst at a community hospital is evaluating whether the organization's data
sharing agreement with a third-party analytics vendor meets HIPAA requirements. The vendor
will receive limited data sets containing dates of service and ZIP codes for population health
analytics. The analyst must determine the minimum safeguard required before data transfer.
What is required?
A. A. Written consent from every patient whose data will be included in the transfer
B. B. De-identification of all records to the HIPAA safe harbor standard before transfer
C. C. A business associate agreement and a data use agreement that restricts re-identification
D. D. Encryption of the data set using AES-256 before any files leave the hospital network
Correct Answer: C
Rationale:
Under HIPAA, sharing limited data sets with a third party requires both a business associate agreement and
a data use agreement that prohibits re-identification and limits use to the stated purpose. Full
de-identification is not required for limited data sets, and individual patient consent is not mandated for
treatment, payment, or healthcare operations disclosures.
Q4 Question 4 of 100
A 45-year-old data steward at a multi-hospital system notices that the emergency
department's triage data is recorded differently across three facilities: one uses a 3-level
scale, one uses a 5-level scale, and one uses free-text descriptions. The system's quality
dashboard is producing inconsistent metrics. The steward must recommend the most effective
approach to achieve data comparability. Which strategy is most appropriate?
A. A. Allowing each facility to maintain its current system but creating three separate dashboards
for comparison
B. B. Aggregating all triage data into a binary urgent-or-non-urgent classification for reporting
purposes
C. C. Eliminating triage level from the quality dashboard and using only arrival-to-provider time
instead
D. D. Standardizing on the 5-level Emergency Severity Index across all facilities with mapping
rules for legacy data
Correct Answer: D
Rationale:
Standardizing on the nationally recognized 5-level Emergency Severity Index provides a validated,
comparable framework while mapping rules preserve the analytical value of legacy data. Reducing to a
CSBI HFMA Certified Specialist Business Intelligence Exam - 2026/2027 | Passing Score: 75% | Page 3 of 71
, SECTION 1 | Healthcare Data Management & Governance | Q1-Q20 | CSBI HFMA Certification 2026/2027
Q5 Question 5 of 100
A healthcare organization is migrating its clinical data repository from an on-premises server
to a cloud-based platform. The director of information security must ensure that data at rest
and data in transit are protected according to industry best practices. Which combination of
controls best satisfies this requirement?
A. A. AES-256 encryption for data at rest and TLS 1.3 for data in transit with managed key rotation
B. B. SSL 3.0 for data in transit and database-level password protection for data at rest
C. C. VPN tunneling for all connections and MD5 hashing of stored records
D. D. Role-based access control for data at rest and firewall rules for data in transit
Correct Answer: A
Rationale:
AES-256 encryption at rest and TLS 1.3 in transit with managed key rotation represents the current gold
standard for protecting healthcare data throughout its lifecycle. SSL 3.0 is deprecated and insecure, MD5
hashing is not encryption, and access controls or firewalls alone do not protect the data content from
unauthorized viewing or interception.
Q6 Question 6 of 100
A data quality analyst at an integrated delivery network is tasked with measuring the
completeness of clinical documentation in the EHR. The analyst reviews 10,000 inpatient
discharge records and finds that 1,400 are missing discharge disposition, 900 lack principal
diagnosis codes, and 300 have no attending physician documented. Which metric best
represents the overall documentation completeness rate?
A. A. 86.0%, calculated as the average of the three individual field completeness rates
B. B. 74.0%, calculated as records with all three fields populated divided by total records
C. C. 96.0%, calculated by counting each completed field across all records and dividing by total
field opportunities
D. D. 87.0%, calculated as the median of the three individual field completeness percentages
Correct Answer: B
Rationale:
Overall documentation completeness should be measured by the percentage of records that have all
required fields populated, which is (10,000 minus records missing any field) divided by total records. The
average or median of individual rates masks the compounding effect of missing fields within the same
records, and the per-field rate overstates quality by counting partial records as complete.
CSBI HFMA Certified Specialist Business Intelligence Exam - 2026/2027 | Passing Score: 75% | Page 4 of 71
