CHPC EXAM QUESTIONS AND ANSWERS (VERIFIED AND WELL DETAILED ANSWERS) LATEST UPDATE 2025/2026
A new privacy officer is reviewing an organization's current policy on patient requests for amendments. Which of the following is the MOST critical to the evaluation process?
A. effective and revision dates of the policy
B. accurate description of the regulatory requirements
C. nature of complaints related to the policy
D. description of the form letters used to respond to requests
CORRECT ANSWER: B. accurate description of the regulatory requirements

As part of due diligence on Business Associates, a privacy officer would be MOST concerned with confirming that they conduct:
A. criminal background checks.
B. credit history checks.
C. provider credentialing checks.
D. health screening checks.
CORRECT ANSWER: A. criminal background checks.

Data breach response training is required by which of the following regulations?
A. HITECH
B. GLBA
C. FMLA
D. Privacy Act
CORRECT ANSWER: A. HITECH

A business associate has contacted an organization's privacy officer to alert him that some of the patient information that they hold in relation to the BAA may have been breached. An employee took a laptop that contained patient information from several vendors and misplaced it at an airport. They are not 100% sure that information from the organization was on the laptop. Which of the following is the MOST appropriate response by the privacy officer?
A. Rely on the business associate to conduct any needed notifications.
B. Notify each individual whose PHI has been possibly disclosed.
C. Determine if the breach involved more than 500 individuals.
D. Assure that all notifications occur no later than 90 days after discovery.
CORRECT ANSWER: C. Determine if the breach involved more than 500 individuals.

During an internal investigation, it is discovered that the Institutional Review Board (IRB) has not been reviewing the informed consents or authorizations completed by research subjects. Which of the following should a privacy officer do FIRST?
A. Report the issue to OHRP.
B. Report the issue to the OCR.
C. Contact legal counsel.
D. Contact the provost.
CORRECT ANSWER: C. Contact legal counsel.
Which of the following uses of patient health information do not require the patient's authorization?
a. Treatment, payment, health care operations (TPO)
b. Marketing
c. Genetic testing and research studies
d. Release of psychotherapy notes
CORRECT ANSWER: a. Treatment, payment, health care operations (TPO)
Which of the following are considered protected health information under HIPAA? Select all that apply.
a. Phone number
b. Medical record number
c. License plate number
d. Email address
CORRECT ANSWER: a. Phone number; b. Medical record number; c. License plate number; d. Email address (all four are identifiers under HIPAA)
HIPAA rules do not require providers to grant patient access to which of the following types of information?
a. Accounting of disclosures
b. Office visit documentation
c. Psychotherapy notes
d. Medication list
CORRECT ANSWER: c. Psychotherapy notes
The "Notice of Privacy Practices" explains the ways the practice will use patient information and describes patients' rights regarding their information.
a. True
b. False
CORRECT ANSWER: a. True
There are three things that a practice must do regarding communicating with the
patient about privacy practices and procedures, except for one of the following: