Certified in Healthcare Privacy Compliance
The CHPC validates your expertise in healthcare privacy regulation — HIPAA, HITECH, state privacy laws, breach notification, and privacy program management. Built for privacy officers and compliance professionals who own patient data protection.
Under HIPAA, which of the following is considered a "minimum necessary" standard violation?
The minimum necessary standard requires covered entities to limit PHI access and disclosures to the least amount needed to accomplish the intended purpose. Sending a complete medical record when only billing dates are required exceeds that standard.
The 7 CHPC exam domains
All our CHPC questions are tagged to the official domain outline. The question bank weights harder on the high-percentage domains.
Privacy Standards, Policies, and Procedures
- HIPAA Privacy Rule and HITECH Act requirements
- GLB Act, FERPA, and GINA policy obligations
- Record retention policy maintenance
- Non-retaliation policy requirements
- Privacy notices and stakeholder communications
Privacy Compliance Program Oversight
- Privacy officer role, authority, and responsibilities
- Annual work plan and risk assessment processes
- Governance board reporting on program activity
- Evaluating program effectiveness on an ongoing basis
- Incorporating OCR, OIG, FTC, and HITECH enforcement into operations
Screening/Evaluation of Employees, Physicians, Vendors and Other Agents
- Business associate agreement requirements and scope
- Vendor privacy due diligence and third-party risk management
- Privacy obligations in job descriptions and performance evaluations
- Background checks in accordance with applicable rules
- Privacy-related issues in exit interviews
Communication, Education, and Training on Compliance Issues
- Role-based privacy training program development
- General privacy training for employees, physicians, and vendors
- Distilling complex privacy laws into understandable formats
- Tracking participation in ongoing privacy training
- Promoting an organizational culture that values information protection
Privacy Monitoring, Auditing, and Internal Reporting Systems
- Organizational risk assessments and annual auditing plans
- Privacy audit methodology and access log monitoring
- Anonymous reporting systems and hotline operations
- Monitoring and benchmarking audit results
- HHS OCR audit readiness and external audit response
Discipline for Non-Compliance
- Privacy violations addressed in disciplinary policies
- Proportionate and consistent disciplinary action
- Coordination with management on corrective action
- Monitoring disciplinary actions across all organizational levels
- Documentation of disciplinary actions
Investigations and Remedial Measures
- Breach notification rule requirements and risk-of-harm analysis
- Individual, HHS, and media notification timelines
- Fair and objective privacy investigation procedures
- Corrective action plan development and monitoring
- Coordination with regulatory agencies and legal counsel
Domain names and weights are sourced from the official CHPC Candidate Handbook published by the Compliance Certification Board (CCB). Domains 01, 04, and 05 each carry 17% — our question bank reflects that equal weighting across these three domains.
Know the rules, pass the exam
The CHPC is regulation-heavy. Here's what our study guides and question bank cover.
Health Insurance Portability and Accountability Act
Privacy Rule, Security Rule, and the full PHI framework. The heaviest topic on the CHPC.
Health Information Technology for Economic and Clinical Health Act
Breach notification obligations, BA direct liability, and enforcement enhancements.
Substance Use Disorder Confidentiality Regulations
SUD record protections that exceed standard HIPAA requirements.
Family Educational Rights and Privacy Act
Student education records and the HIPAA/FERPA intersection in school-based health settings.
Genetic Information Nondiscrimination Act
Protections for genetic information as PHI under the HIPAA Privacy Rule.
Gramm-Leach-Bliley Act
Financial privacy obligations and their intersection with healthcare privacy programs.
Everything you need to pass CHPC
CHPC-specific question bank
Questions weighted to match the real exam — heavily focused on Privacy Rule, monitoring and auditing, and investigation scenarios.
Timed mock exams
Simulate the 2-hour CHPC experience with full-length 120-question timed tests and post-exam domain breakdowns.
Privacy regulation study guides
Deep-dive guides on HIPAA, HITECH, 42 CFR Part 2, FERPA, GINA, and GLB Act — written to match what the exam actually tests.
Investigation scenario walkthroughs
Domain 7 is 15% of the exam. We cover breach response, risk-of-harm analysis, notification timelines, and HHS reporting with real-world scenarios.
Domain progress tracker
See your accuracy broken down by all 7 CHPC domains. The tracker surfaces your weakest areas automatically as you practice.
Exam-date study scheduler
Enter your exam date and we build a study plan that covers all 7 domains proportionally — with heavier time on Domains 01, 04, and 05.
Do you qualify for CHPC?
Same eligibility structure as the CHC — work experience plus CEUs. No HCCA membership required.
Work experience
1 year full-time in a compliance role, or 1,500 hours of direct compliance duties in the last 2 years. Your duties must align with the CHPC Detailed Content Outline.
Continuing education
20 CCB-approved CEUs within 12 months of your exam date, with at least 10 from live training events. CEUs used for a prior application can be reused if still valid.
Application & fee
$350 for HCCA/SCCE members, $450 for non-members. Re-exam fee is $75. If you fail twice within 180 days, you must wait 180 days before reapplying.
CHC or CHPC — which first?
If your role is privacy-focused (privacy officer, HIPAA coordinator), CHPC alone may be the right credential. If you're a generalist compliance professional, many start with CHC and add CHPC later.