Certified in Healthcare Privacy and Security (CHPS®)
What is CHPS
- CHPS is a credential for professionals specializing in privacy and security of health information: designing, implementing, and administering robust privacy & security programs in healthcare settings.
- It demonstrates mastery of the legal, regulatory, technical, and administrative aspects of protecting Protected Health Information (PHI) and ensuring compliance with privacy/security standards (e.g. HIPAA, etc.) across healthcare organizations.
- CHPS-certified individuals often hold roles such as Privacy Officer, Security Officer, Compliance Director, Chief Privacy/Security Officer — in hospitals, clinics, insurance companies, HIM departments, consulting firms, and other healthcare organizations.
Who Should Pursue CHPS — Eligibility Requirements
To be eligible for the CHPS exam, candidates must meet one of the following criteria:
- High school diploma (or GED) plus at least 6 years of experience in healthcare privacy or security management.
- Associate degree (in a relevant field such as HIM, Health Informatics, IT, etc.) plus at least 4 years of experience in healthcare privacy or security management.
- A recognized credential such as CCA, CCS, CCS-P, or RHIT, plus at least 4 years of experience in healthcare privacy/security.
- Bachelor’s degree (in a relevant field) plus at least 2 years of privacy/security experience.
- RHIA credential plus at least 2 years of privacy/security experience.
- Master’s degree (e.g. JD, MD, PhD) in a relevant field plus at least 1 year of experience in healthcare privacy or security.
If you meet one of these criteria, you can apply for the CHPS exam.
CHPS Exam: Format & Logistics
From the credentialing body’s published information:
- The exam is computer-based, delivered through its testing partner (Pearson VUE), either at authorized test centers or via remote proctoring (OnVUE) where available.
- Total questions: 150 (125 scored + 25 pre-test items).
- Time allowed: 3.5 hours (210 minutes).
- The exam is closed-book — no outside resources or codebooks are allowed during the test.
- Passing score: 300 (on the exam’s scaled scoring system).
- Retake policy: If a candidate fails, they must wait 90 days before re-applying and retaking the exam. A new fee is required.
- Exam fee: US $329 for non-members, US $259 for members.
CHPS Exam Content — Domains & What You Must Know
The CHPS exam content is organized by four major domains. Each domain comprises key tasks and competencies that candidates must master.
Domain 1: Ethical, Legal, and Regulatory Issues / Environmental Assessment (≈ 10-18%)
Candidates must be able to:
- Serve as a resource to interpret and apply privacy and security laws, regulations, state/federal standards, and accreditation agency rules.
- Identify responsibilities of a Privacy Officer and/or Security Officer.
- Understand and apply “preemption” principles — handling cases where federal and state laws differ.
- Evaluate privacy/security policies when health-information exchanges or cross-entity data sharing is involved.
- Ensure compliance for documentation, production, retention, and disclosure of protected health information (PHI) as per laws and accreditation standards.
- Understand special situations such as public-health emergencies and their impact on PHI access & disclosure rules.
Domain 2: Privacy & Security Program Management and Administration (≈ 30-40%)
This domain covers organizational-level program design, policy development, and management of privacy/security governance. Key tasks:
- Develop, document, and communicate privacy/security policies and procedures (e.g., “minimum necessary” protocols).
- Manage contracts and relationships with Business Associates — ensure Business Associate Agreements (BAAs) and Service Level Agreements (SLAs) are in place and that Business Associates comply with privacy/security rules.
- Evaluate and maintain physical security plans to prevent unauthorized access, theft or tampering with information (physical safeguards).
- Plan, deliver, and document staff training and awareness programs on privacy & security practices for the workforce.
- Oversee use/disclosure of information for research, ensuring compliance with organizational policies and regulations.
- Conduct risk assessments, monitor for threats or vulnerabilities, advise on mitigation, and manage breach-prevention programs and incident response plans.
- Define and manage “designated record sets,” control access rights, de-identify data when required, and manage patient requests for information release.
- Establish processes for Notice of Privacy Practices (NPP), manage patient rights request flows, authorizations, disclosures, consent, right to access, and audits.
Domain 3: Information Technology / Physical and Technical Safeguards
This domain assesses knowledge of technical and physical safeguards needed to protect PHI and ensure secure data management. Key areas:
- Implementation and maintenance of technical safeguards: access controls, authentication, encryption, data transmission security, audit controls, and secure storage.
- Physical safeguards: secure locations for data storage, restricted access areas, protection from theft or unauthorized physical access, secure disposal of records, environmental controls.
- Oversight of Business Associates’ technical safeguards when PHI is shared with third-party vendors — ensuring compliance through agreements (BAAs) and audits.
- Documentation and enforcement of policies around secure handling, access logging, identity verification, data transmission and storage standards.
Domain 4: Investigation, Compliance & Enforcement
This domain covers how to handle breaches, compliance audits, enforcement actions, incident response, remediation, and legal/regulatory follow-up. Key tasks:
- Conduct compliance audits and risk assessments; investigate possible breaches or unauthorized disclosures.
- Manage breach notification procedures, documentation, reporting requirements, and mitigation strategies.
- Enforce privacy/security policies; manage user access rights, log monitoring, incident logs, and remedial actions.
- Ensure ongoing compliance with regulatory and accreditation standards; respond to external audits, patient requests, subpoenas, and court orders while safeguarding PHI and maintaining legal compliance.
- Maintain documentation and evidence for compliance & enforcement purposes; develop processes for regular review and updates of policies and procedures.
What CHPS Certification Enables — Roles & Use Cases
CHPS-certified professionals are qualified for senior and strategic roles related to privacy, security, and compliance in healthcare. Typical roles include:
- Privacy Officer, Security Officer, Compliance Officer / Director in hospitals, clinics, home-health agencies, long-term care, insurance companies.
- HIM / HIT leadership roles — responsible for data governance, security policy implementation, compliance oversight, risk management, audit readiness.
- Consultants advising healthcare organizations on HIPAA compliance, data security frameworks, risk assessment, breach management, business-associate compliance.
- Data privacy & security analysts, risk management teams, audit & compliance departments — helping implement privacy/security programs, training, monitoring, investigations.
- Organizations facing increasing regulatory scrutiny, new data privacy laws, and growing compliance and data security demands — CHPS holders provide credible expertise to satisfy regulatory, accreditation, and audit requirements.
Given the growing importance of data protection, privacy, cybersecurity, and regulatory compliance worldwide — particularly with electronic health records (EHR), interoperability, data sharing, telehealth — CHPS is a highly relevant and in-demand credential.