
The AHIMA Certified in Healthcare Privacy and Security Certification Sample Question Set on this page is designed to familiarize you with the actual AHIMA CHPS exam format and question types. These sample questions help you understand how questions are structured and what to expect on test day. While they provide a useful starting point, they represent only a limited preview of the real exam experience.
These sample questions are intended for evaluation and familiarization only. To understand exam style, pacing, and reasoning patterns more clearly, we recommend trying our online sample practice environment. If you are preparing for the AHIMA Certified in Healthcare Privacy and Security (CHPS) exam and want to assess your readiness more rigorously, structured, timed, scenario-based practice is recommended. This approach aligns with the cognitive demands and professional expectations typically associated with healthcare privacy and security professionals, HIM and health informatics professionals, and healthcare compliance and risk professionals working in settings such as hospitals and health systems, clinics and provider organizations, insurance companies, and other healthcare organizations.
The demo introduces core concepts, while full-length premium simulations provide deeper, scenario-based coverage that more closely reflects the actual cognitive demands of the AHIMA Certified in Healthcare Privacy and Security exam, particularly in areas such as privacy and security program management, physical and technical safeguards, and investigation, compliance, and enforcement. You can use these sample questions as a starting point, then progress to the AHIMA CHPS Certification Practice Exam for stronger readiness. Our premium simulations are designed to mirror real exam conditions, helping you refine reasoning, pacing, and decision-making before your official exam attempt.
AHIMA CHPS Sample Questions:
01. A clinic places paper records marked for destruction in open recycling bins in a staff hallway. The bins are collected weekly by a general recycling vendor. Staff believe this is acceptable because the records are no longer needed for patient care. Which CHPS action is most appropriate?
a) Continue using open recycling bins because records marked for destruction are no longer PHI
b) Shred only records containing diagnoses and recycle all demographic pages without controls
c) Require secure disposal controls for paper records containing PHI, including protected storage and appropriate destruction handling
d) Ask patients to retrieve their old records from the bins if they want continued confidentiality
02. A generic annual privacy module is completed by all workforce members. However, release-of-information staff continue to make errors involving subpoenas, patient authorizations, and specially protected records. The privacy officer is asked whether the annual module is enough. Which action is most appropriate?
a) Keep only the generic module because role-specific training may create inconsistent standards
b) Add targeted role-based training and competency checks for release-of-information responsibilities
c) Remove release-of-information staff from privacy training because they learn by doing the work
d) Discipline all release-of-information staff without evaluating whether training addressed their duties
03. A hospital invites former patients to participate in a patient advisory council. The quality department plans to share current patient complaint examples, including names, units, dates of service, and staff involved, so council members can discuss improvement opportunities. Which CHPS guidance is most appropriate?
a) Review the information-sharing plan and use de-identified or appropriately limited information unless identifiable disclosure is authorized and necessary
b) Share the examples as written because advisory council members are former patients and understand confidentiality
c) Require council members to review complete complaint files so their recommendations are fully informed
d) Cancel the advisory council because patients may never participate in quality improvement discussions
04. A new patient portal feature will allow patients to upload documents and images before appointments. The project team says privacy review is unnecessary because the portal is already approved. No one has tested file-size limits, malware scanning, access permissions, or storage location for uploaded files. Which CHPS recommendation is most appropriate?
a) Disable all patient-upload capability because patient-submitted files are never appropriate in healthcare systems
b) Approve the feature because existing portal approval automatically covers every future function
c) Allow the feature if patients click a disclaimer saying uploads are their responsibility
d) Require security and privacy testing of the new feature before release, including upload controls, access permissions, and storage safeguards
05. A pilot program places voice-activated assistant devices in inpatient rooms to let patients request nonclinical services. Staff discover that the devices sometimes capture nearby conversations that include medication names and room numbers. The vendor has not provided clear information about audio retention, access, or deletion. Which CHPS recommendation is most appropriate?
a) Continue the pilot because the devices are intended for nonclinical service requests
b) Allow the vendor to store all audio indefinitely because it may improve device accuracy
c) Pause or limit the pilot until privacy, security, retention, access, and patient-notice controls are evaluated
d) Disable all inpatient technology because ambient devices can never be used safely
06. A ransomware tabletop exercise shows that the organization backs up critical systems nightly, but backup restoration has not been tested in more than three years. Leaders assume the backups are reliable because no backup failure alerts have appeared. Which CHPS recommendation is most appropriate?
a) Test restoration procedures and update recovery plans based on the results
b) Rely on the absence of failure alerts as proof that recovery will succeed
c) Focus only on cyber insurance coverage because backup testing is an IT preference
d) Stop performing backups because untested backups do not support security planning
07. A state privacy law changes the requirements for disclosing reproductive health information in certain circumstances. The privacy team learns of the change from an external newsletter, but no one has reviewed whether organizational policies, release workflows, or workforce training need updates. Which CHPS action is most appropriate?
a) Apply the change only to new patients because existing patient records were created before the law changed
b) Ignore the change until the federal HIPAA Privacy Rule is revised with identical wording
c) Ask release-of-information staff to interpret the law independently for each request
d) Monitor the change and update policies, procedures, and training as needed to maintain compliance
08. A laboratory information system containing PHI passed a security review five years ago. Since then, the laboratory added remote vendor support, new interfaces to external reference laboratories, and expanded access for outreach clinics. No updated risk assessment has been performed. Which CHPS recommendation is most appropriate?
a) Wait until the system is replaced because existing systems do not require reassessment
b) Perform an updated risk assessment that reflects current system connections, access patterns, and data flows
c) Continue relying on the original review because the system name and core function have not changed
d) Review only the laboratory’s paper procedures because electronic interfaces are managed by vendors
09. A business associate reports a possible disclosure error but repeatedly fails to provide the affected record count, data elements involved, recipient information, or mitigation evidence. The vendor says its internal review is confidential and asks the covered entity to close its incident ticket. Which CHPS action is most appropriate?
a) Escalate the vendor’s noncooperation through contract, privacy, security, and leadership channels to obtain information needed for assessment
b) Close the ticket because the vendor’s internal review is confidential
c) Accept a verbal statement that the event is low risk without supporting details
d) Notify no one and document nothing because the covered entity lacks complete facts
10. A department receives conflicting advice from two supervisors about whether patient photos may be used in internal education slides. One supervisor says consent is never needed for internal education, while another says photos are never allowed. Staff continue building slides while waiting for a final answer. Which CHPS response is most appropriate?
a) Delete all education slides because clinical images can never be used in workforce training
b) Pause the use of identifiable photos and escalate the question for policy, legal, and privacy review before materials are distributed
c) Use the photos because internal education is always exempt from privacy restrictions
d) Let the presenter decide because they know the clinical value of the images best
Answers:
Question 01: c
Question 02: b
Question 03: a
Question 04: d
Question 05: c
Question 06: a
Question 07: d
Question 08: b
Question 09: a
Question 10: b
For full-length, timed, scenario-based practice aligned with the official exam framework, and to build pacing, consistency, and confidence, explore our Premium AHIMA CHPS Certification Practice Exam.
Note: These sample questions are not official exam questions and are intended only for familiarization and study purposes. If you find any typos or data entry errors in these AHIMA Certified in Healthcare Privacy and Security (CHPS) sample questions, please let us know by emailing us at feedback@medicoexam.com.
