Certified in Healthcare Privacy and Security (CHPS®)
Individuals who earn the CHPS designation will achieve recognition of their expertise in designing, implementing, and administering privacy and security protection programs in all types of healthcare organizations. Holders demonstrate advanced knowledge of the privacy and security dimensions of HIM to include best management practices.
Candidates must meet one of the following eligibility requirements to sit for the CHPS examination:
- High School or General Education Degree (GED) and a minimum of six (6) years of experience in healthcare privacy or security management; or
- Associate degree and a minimum of four (4) years of experience in healthcare privacy or security management; or
- CCA or CCS or CCS-P or RHIT and a minimum of four (4) years of experience in healthcare privacy or security management; or
- Baccalaureate degree and a minimum of two (2) years of experience in healthcare privacy or security management; or
- RHIA and a minimum of two (2) years of experience in healthcare privacy or security management; or
- Master's Degree or higher (e.g., JD, MD, or PhD) and a minimum of one (1) year of experience in healthcare privacy or security management
Certified Professionals and Pass Rates
As of 12/31/19, there were 639 certified CHPS professionals.
| Year | Exam | # First Time Testers | Pass Rate First Time Testers |
| --- | --- | --- | --- |
| 2020* | CHPS | 57 | 53% |
| 2019* | CHPS | 76 | 58% |
| 2018* | CHPS | 110 | 66% |
*U.S. and Canada results only
Exam Specifications
The CHPS is a timed exam. Candidates have 3.5 hours to complete the exam. The total number of questions on the exam ranges between 140 and 160 items. The exam is given in a computer-based format.
AHIMA exams contain a variety of questions or item types that require you to use your knowledge, skills, and/or experience to select the best answer. Each exam includes scored questions and pre-test questions randomly distributed throughout the exam. Pre-test questions are not counted in the final results.
The passing score for the CHPS is 300.
Competencies for CHPS fall into four domains. Each domain accounts for a specific percentage of the total questions on the certification exam. See the Exam Content Outline below for greater detail.
Domain 1 – Ethical, Legal, and Regulatory Issues/Environmental Assessment (23-27%)
Tasks:
- Serve as a resource (provide guidance) to your organization regarding privacy and security laws, regulations, and standards of accreditation agencies to help interpret and apply the standards
- Demonstrate privacy and security compliance with documentation, production and retention as required by State and Federal law as well as accrediting agencies.
- Identify responsibilities as a privacy officer and/or security officer
Domain 2 – Program Management and Administration (23-27%)
Tasks:
- Create, document, and communicate information including, but not limited to, minimum necessary protocols
- Manage contracts and business associate relationships and secure appropriate agreements related to privacy and security (e.g., BAA, SLA, etc.)
- Evaluate and monitor facility security plan to safeguard unauthorized physical access to information and prevent theft or tampering
- Develop, deliver, evaluate, and document training and awareness on information privacy and security to provide an informed workforce
- Work with appropriate organization officials to verify that information used or disclosed for research complies with organizational policies and procedures and applicable privacy regulations
- Assess, recommend, revise, and communicate changes to organizational policies, procedures, and practices related to privacy and security
- Assess and communicate risks and ramifications of privacy and security incidents, including those by business associates
- Establish a preventative program to detect, prevent, and mitigate privacy/security breaches
- Recommend appropriate de-identification methodologies
- Verify that requesters of protected information are authorized and permitted to receive the protected information (subpoena, court orders, search warrants)
- Define HIPAA-designated record sets for the organization in order to appropriately respond to a request for release of information
- Identify information and record sets requiring special privacy protections
- Recommend, review, and approve protocols to verify identity and access rights of recipients/users of health information
- Establish, maintain, and ensure the distribution process of the organization’s Notice of Privacy Practices
- Establish and maintain operational systems to receive, process, and document requests for patients’ rights as outlined in the Notice of Privacy Practices
Domain 3 – Information Technology/Physical and Technical Safeguards (23-27%)
Tasks:
- Participate in the development and verify maintenance of the inventory of software, hardware, and all information assets to protect information assets and to facilitate risk analysis
- Participate in business continuity planning for planned downtime and contingency planning for emergencies and disaster recovery
- Participate in evaluation, selection, and implementation of information privacy and security solutions
- Implement a systematic process to evaluate risk to and criticalities of information systems which contain Protected Health Information (PHI)
- Participate in media control practices that govern the receipt, removal, re-use, or disposal (internal and external destruction) of any media or devices containing sensitive data
- Assess and monitor physical security mechanisms to limit the access of unauthorized personnel to facilities, equipment, and information
- Establish reasonable safeguards to reduce incidental disclosures and prevent privacy breaches
- Participate in the development and management of the organization’s information security plan
- Participate in the organizational risk analysis plan to identify threats and vulnerabilities
- Monitor compliance with the security policies and ensure compliance with technical, physical, and administrative safeguards
- Establish internal policies, procedures, and rules to protect information and participate in the development of guidelines, procedures, and controls to ensure the integrity, availability, and confidentiality of communication across networks
- Ensure appropriate technologies are used to protect information received from or transmitted to external users
- Advocate the use of event triggering to identify abnormal conditions within a system (e.g., intrusion detection, denial of service, and invalid log-on attempts)
- Establish, manage, and facilitate the process for verifying and controlling access authorizations, authentication mechanisms, and privileges, including emergency access
- Evaluate the use of encryption for protected health information and other sensitive data
Domain 4 – Investigation, Compliance, and Enforcement (23-27%)
Tasks:
- Monitor and assess compliance with state and federal laws and regulations related to privacy and security to update organizational practices, policies, procedures, and training of workforce
- Coordinate the organization’s response to inquiries and investigations from external entities relating to privacy and security to provide response consistent with organizational policies and procedures
- Develop performance measures and reports to monitor and improve organizational performance and report to appropriate organizational body
- Enforce privacy and security policies, procedures, and guidelines to facilitate compliance with federal, state, and other regulatory or accrediting bodies
- Monitor access to protected health information
- Establish an incident/complaint investigation response, develop response plan, and identify team members to respond to a privacy or security incident
- Coordinate mitigation efforts
- Develop policy and procedure for breach notification (federal)
- Educate workforce on reporting requirements for breach notification (federal)
- Perform risk assessment for breach notification (federal)
- Notify appropriate individuals/agencies/media within time frame for breach notification (federal)
- Maintain the appropriate documentation for breach notification (federal)