Practice Exam & Study Guide
Comprehensive 100-Question Mock Exam with Detailed Rationales
Prepared for:
Healthcare Privacy and Compliance Professionals preparing for the HCCA CHPC Certification Exam
Question 1
Under HIPAA, which of the following is not considered Protected Health Information (PHI)?
A. A patient’s medical record number
B. A hospital’s internal zip code list
C. A patient’s Social Security number
D. A physician’s notes about a patient’s diagnosis
Answer: B
Rationale: PHI is individually identifiable health information that relates to a person's past, present, or future health condition, the provision of health care, or payment for that care, and that is created, received, or maintained by a covered entity or business associate. A medical record number, a Social Security number, and a physician's diagnostic notes all identify or can be linked to a specific patient. A hospital's internal zip code list, with no link to any individual, is not PHI.
Question 2
The “minimum necessary” standard requires covered entities to:
A. Disclose only information that a patient authorizes
B. Limit PHI use and disclosure to the minimum needed for a purpose
C. Never share PHI without written authorization
D. Apply the same restrictions to de-identified data
Answer: B
Rationale: The HIPAA Privacy Rule requires covered entities to make reasonable efforts to limit PHI used, disclosed, or requested to the minimum necessary to accomplish the intended purpose. The standard does not apply to disclosures to or requests by a health care provider for treatment, to disclosures to the individual, or to disclosures made under a valid authorization. De-identified data are not PHI and are therefore outside the scope of this rule.
Question 3
Which of the following is a required element of a HIPAA-compliant Notice of Privacy Practices (NPP)?
A. The hospital’s mission statement
B. A list of all staff with access to PHI
C. Description of how PHI may be used or disclosed
D. The names of all business associates
Answer: C
Rationale: The NPP must inform individuals how their PHI can be used or disclosed, their rights, and the
entity’s responsibilities under HIPAA.
Question 4
A compliance officer is investigating a potential breach. What is the first step in determining if it meets
the definition of a “breach” under HIPAA?
A. Notify the affected individuals
B. Perform a risk assessment considering the nature and extent of PHI involved
C. Notify HHS within 60 days
D. Report to law enforcement
Answer: B
Rationale: Under the Breach Notification Rule, an impermissible acquisition, access, use, or disclosure of unsecured PHI is presumed to be a breach unless the covered entity demonstrates a low probability that the PHI has been compromised. That demonstration rests on a documented risk assessment of at least four factors: the nature and extent of the PHI involved, the unauthorized person who used or received it, whether the PHI was actually acquired or viewed, and the extent to which the risk has been mitigated. Notifications to individuals, HHS, or others follow only after that determination.
Question 5
Which federal office enforces the HIPAA Privacy and Security Rules?
A. OIG
B. OCR
C. CMS
D. DOJ
Answer: B
Rationale: The Office for Civil Rights (OCR) within the U.S. Department of Health and Human Services
(HHS) is responsible for enforcing HIPAA privacy and security regulations.
Question 6
A compliance hotline should be designed to:
A. Report only financial misconduct
B. Ensure employees can anonymously report concerns without fear of retaliation
C. Allow managers to review all reports before investigation
D. Replace formal compliance training
Answer: B
Rationale: A key element of an effective compliance program is a confidential or anonymous reporting channel, backed by a non-retaliation policy, so that employees can raise concerns about any type of misconduct without fear of reprisal. Routing reports through managers before investigation undermines that protection.
Question 7
A patient requests an amendment to their medical record. The hospital denies it. What must the
organization do next?
A. Delete the disputed record
B. Allow the patient to sue
C. Provide a written denial and explain how to submit a statement of disagreement
D. Ignore the request
Answer: C
Rationale: Under the HIPAA Privacy Rule, individuals have the right to request an amendment to their PHI. If the covered entity denies the request, it must provide a timely, written denial in plain language that states the basis for the denial, explains the individual's right to submit a written statement of disagreement, and describes how to file a complaint.
Question 8
Which of the following best describes a business associate (BA)?
A. An internal department handling claims
B. A vendor that processes PHI on behalf of a covered entity
C. Any employee with access to PHI
D. A patient’s family member helping with billing
Answer: B
Rationale: A BA is a person or entity, other than a member of the covered entity's workforce, that creates, receives, maintains, or transmits PHI while performing functions or services on behalf of the covered entity, such as billing, claims processing, or IT hosting vendors. Internal departments and employees are part of the workforce, not business associates.
Question 9
The most effective compliance training programs are:
A. Conducted once during onboarding
B. Generic and the same for all employees
C. Role-based and tailored to job responsibilities
D. Focused solely on HIPAA Privacy
Answer: C
Rationale: Training should be relevant to employee duties; role-based training ensures that individuals
understand their specific compliance obligations.
Question 10
Which of the following would not require patient authorization under HIPAA?
A. Disclosure to a marketing company
B. Disclosure to a law enforcement officer with a valid subpoena
C. Disclosure to an employer
D. Disclosure for research unrelated to treatment