AHIMA certification

CHPS certification: the healthcare privacy and security credential.

The Certified in Healthcare Privacy and Security (CHPS) is AHIMA's credential for the Privacy Officer, Security Officer, and healthcare compliance roles that every covered entity is required by HIPAA to staff. As of December 2025, 715 active CHPSs hold the credential. With ISC2 sunsetting the competing HCISPP credential on December 1, 2026, CHPS becomes the surviving healthcare-specific credential in this space — and the market timing has rarely been better, with OCR enforcement at record levels and ransomware against healthcare up 58% year over year.

By Taylor Rupe, editor

  • 68%: first-time pass (2025)
  • $259: exam fee (member)
  • 715: active CHPSs
  • 4: content domains

Key takeaways

The 8 facts that matter most about the CHPS.

  • CHPS is AHIMA's healthcare privacy and security credential, designed for the Privacy Officer, Security Officer, and Compliance Officer roles every HIPAA covered entity must staff under §164.530(a)(1).
  • $259 for AHIMA members, $329 for non-members. Retake fee is identical. Recertification every 2 years.
  • 68% first-time pass rate in 2025 across 107 testers. Historical: 46% (2021), 59% (2022), 72% (2023). Volatility comes from small test populations.
  • 6 eligibility pathways ranging from HS+6yr to master's/JD/MD/PhD+1yr in relevant fields. Bachelor's+2 years is the most common path.
  • 150 questions, 3.5 hours via Pearson VUE or OnVUE remote. Multiple-choice and scenario-driven items rewarding best-answer judgment.
  • HCISPP is being sunset by ISC2 on December 1, 2026. CHPS becomes effectively the only active healthcare-specific privacy and security credential. Treat this as market consolidation, not competition.
  • Salary band: $85K-$160K typical for CHPS-credentialed Privacy Officers, Compliance Officers, and Information Governance Managers. Chief Privacy Officer roles at large IDNs reach $190K-$260K+.
  • 30 CEUs every 2 years to maintain, with 40% AHIMA-source rule effective 2025. CEUs must align with HIIM domains relevant to privacy and security.

What it is

What the CHPS credential is and the market it serves.

The CHPS credential is issued by AHIMA and recognizes mastery of healthcare privacy and information security. HIPAA's Privacy Rule and Security Rule require every covered entity to designate a Privacy Officer and a Security Officer. Most large health systems also staff Healthcare Compliance Officers, Information Governance Managers, and HIPAA program leads. The CHPS is the AHIMA-side credential that signals you can do that work.

The market timing for this credential matters. HIPAA Journal's 2025 report documents 62 million Americans affected by healthcare data breaches in 2025, OCR collecting $8.33 million in penalties across 21 settlements that year, and hacking incidents driving 80%+ of large breaches (up from 49% in 2019). The Change Healthcare incident in 2024 elevated privacy and security to board-level concern at every major US health system, and that hiring response continues through 2026.

AHIMA reports 715 active CHPSs as of December 31, 2025, up from 666 at end of 2023. That's still one of AHIMA's smallest credentialed populations — a feature, not a bug, for the credential's market value. Combined with the HCISPP sunset, the supply of credentialed healthcare privacy and security professionals is constrained at exactly the moment hospital demand is accelerating.

Eligibility

Six eligibility pathways.

AHIMA accepts six education-plus-experience combinations for CHPS eligibility. All experience must be in healthcare privacy or security work (not generic IT security or general compliance). "Relevant field" for degrees means Health Information Management, Health Informatics, Information Technology, or similar.

| Education | Experience required |
| --- | --- |
| High school diploma / GED | 6 years |
| Associate's degree (relevant field) | 4 years |
| CCA, CCS, CCS-P, or RHIT credential | 4 years |
| Bachelor's degree (relevant field) | 2 years (most common path) |
| RHIA credential | 2 years |
| Master's, JD, MD, or PhD (relevant field) | 1 year |

Source: AHIMA CHPS eligibility page. Older third-party sites cite higher experience minimums; AHIMA's current published requirements are authoritative.

Exam structure

150 questions, 3.5 hours, scenario-driven.

The CHPS exam has 150 items: 125 scored questions and 25 unscored pretest items for AHIMA's future calibration. 3.5 hours to complete. Delivered at Pearson VUE testing centers or via OnVUE remote proctoring.

Questions combine traditional multiple-choice with scenario-based items where candidates must select the best answer (often multiple options are technically defensible). The scenarios reward applied judgment about how to investigate a breach, design a privacy program, or scope a security risk assessment — not memorization of HIPAA regulation text.

Scoring uses a 100-400 scaled system with a passing score of 300. AHIMA does not publish the raw-to-scaled conversion. Schedule within 120 days of eligibility approval.

| Detail | CHPS specification |
| --- | --- |
| Time | 3.5 hours |
| Total questions | 150 (125 scored + 25 pretest) |
| Format | Multiple choice + scenario items |
| Delivery | Pearson VUE or OnVUE remote |
| Passing score | 300 (scaled, 100-400) |

Fees

What the CHPS exam costs.

| Item | Member | Non-member |
| --- | --- | --- |
| Exam fee | $259 | $329 |
| Retake fee | $259 | $329 |
| Recertification (per 2-year cycle) | $100 | $249 |

AHIMA membership runs ~$199/year separately. For a 4-year horizon (one exam + two recertifications), member-route total cost is $459 vs $827 non-member.

Pass rate

Volatile small-population pass rates.

AHIMA's published CHPS first-time pass rates have moved meaningfully year over year because the test population is small:

| Year | First-time pass rate |
| --- | --- |
| 2025 | 68% (107 testers) |
| 2023 | 72% |
| 2022 | 59% |
| 2021 | 46% |

One notable AHIMA-reported figure: prep-course participants pass at 81% vs 48% for non-prep candidates. That's a self-selection effect (motivated candidates take the course), but it does suggest the official AHIMA prep cohort is a worthwhile investment. The candidates who fail typically struggle with the IT Safeguards domain (technical security controls) if they came from a pure privacy/compliance background, or with the Investigation, Compliance, and Enforcement domain if they came from a pure IT background.

Exam content

The 4 CHPS content domains.

The CHPS content outline organizes the exam into four domains:

  1. Ethical, Legal, and Regulatory Issues / Environmental Assessment

    HIPAA Privacy, Security, and Breach Notification Rules; HITECH; 42 CFR Part 2 (substance use records); state-law preemption; 21st Century Cures Act information-blocking provisions; GDPR awareness; OCR audit protocol.

  2. Privacy and Security Program Management and Administration

    Policy development, workforce training, Business Associate Agreements (BAAs), vendor management, audits, data governance, the distinct roles of the Privacy Officer versus the Security Officer.

  3. Information Technology / Physical and Technical Safeguards

    Administrative, physical, and technical safeguards under the Security Rule. Access controls, encryption, audit logs, mobile and telehealth, cloud — all relevant to the January 2025 Security Rule NPRM that's reshaping this domain.

  4. Investigation, Compliance, and Enforcement

    Breach investigation methodology, the four-factor risk assessment, OCR notification thresholds (the 500-individual line for media plus immediate HHS notification), corrective action plans, civil and criminal penalty tiers, OCR settlement patterns.

2025-2026 hot topics on the exam

HIPAA Security Rule NPRM (January 6, 2025): OCR proposed sweeping modernization removing the addressable/required distinction, mandating continuous risk analysis, encryption-by-default, MFA, network segmentation, and 72-hour incident response. Final rule expected late 2026.

OCR Risk Analysis Initiative: 13 completed investigations as of 2025, all citing failure to conduct an "accurate and thorough" §164.308(a)(1)(ii)(A) risk analysis.

Ransomware enforcement: OCR settled 4 ransomware investigations in 2025 (19 total to date). Healthcare ransomware attacks up 58% YoY.

For exact percentage weights, download AHIMA's CHPS Exam Content Outline PDF.

Study prep

How long to study for the CHPS.

Candidates already working in healthcare privacy or security roles typically prepare 3 to 4 months at ~8-10 hours/week. Career-changers entering from adjacent fields (IT, compliance, legal) should plan 4 to 6 months with bridge study in their weaker domain.

AHIMA Official CHPS Exam Prep Cohort: Live virtual sessions, on-demand content, instructor check-ins. Spring 2026 cohort started May 4, 2026; Fall cohort runs November 2-14, 2026. Roughly $500-700 member pricing. The 81% pass rate among cohort participants vs 48% for non-cohort makes this the strongest single prep investment.

AHIMA CHPS Exam Preparation book (Danika E. Brinda) — ISBN 978-1584264903, ~$110 retail. The textbook the cohort references.

Third-party question banks: Udemy's CHPS test prep, MedicoExam, and books like CHPS Exam Prep: All-in-One Review + 250 Practice Questions (ISBN 978-1967502103). Useful for question stamina; not as current on OCR enforcement trends as AHIMA's own materials.

What to drill: The four-factor breach risk assessment, the §164.308(a)(1)(ii)(A) risk analysis requirement, OCR enforcement letters and settlement patterns, the BAA contractual structure, and the new 2025 Security Rule NPRM provisions. These are the highest-yield prep targets based on observed exam content.

Credential comparison

CHPS vs HCISPP: the comparison is over.

HCISPP is being sunset. ISC2 announced the credential will be designated inactive on December 1, 2026, three years after the final exam administration on December 1, 2023. Current HCISPP holders are being contacted with migration pathways to ISC2's Certified in Cybersecurity (entry-level credential) or to ISC2 Healthcare Certificates. New candidates cannot earn HCISPP after December 2026.

This changes the landscape entirely. As of late 2026, CHPS becomes the only active, dedicated healthcare privacy and security credential in the US market. People who already hold HCISPP should add CHPS (or CISSP from ISC2, or CIPP/US from IAPP) to stay current.

| Credential | Status 2026+ | Focus |
| --- | --- | --- |
| CHPS (AHIMA) | Active, only surviving healthcare-specific cred | HIPAA, healthcare privacy programs |
| HCISPP (ISC2) | Inactive Dec 1, 2026 | Healthcare security with broader scope |
| CISSP (ISC2) | Active (industry-agnostic) | General information security management |
| CIPP/US (IAPP) | Active (privacy law) | US privacy law (HIPAA, CCPA, sector laws) |

Source: ISC2 HCISPP sunset notice.

Salary

What CHPS holders earn by role.

The CHPS doesn't have its own BLS occupation code — the credential rides on top of three job titles. 2026 averages:

| Role | Average salary | Range |
| --- | --- | --- |
| HIPAA Privacy Officer | $136,965 | $85K-$175K |
| Healthcare Compliance Officer | $118,145 | $88K-$161K |
| Chief Privacy Officer / VP Privacy | $190K-$260K+ | major IDNs |

By experience tier for HIPAA Compliance Officer roles (2026 data):

  • 0-2 years: $65K-$85K
  • 3-5 years: $85K-$105K
  • 6-9 years: $105K-$130K
  • 10-14 years: $130K-$160K
  • 15+ years: $160K-$220K+

Geographic premium: California, New York, Massachusetts, New Jersey, Washington, Maryland/DC, and Connecticut base ranges run $120K-$155K, with major metros higher. Total compensation often includes a 5-12% annual bonus at senior levels.

Honest caveat: It's hard to isolate the dollar lift of CHPS specifically. Most listings ask for "CHPS or CHPC or CIPP/US" — the credential gets you past the resume filter, but salary is driven by years of experience and scope of responsibility, not the specific credential held.

Sources: Glassdoor HIPAA Privacy Officer, Accountable HQ compliance officer 2026.

Maintenance

Maintaining the CHPS: 30 CEUs every 2 years.

2-year cycle. 30 CEUs per cycle for a single AHIMA credential.

HIIM domain alignment: At least 80% of CEUs must align with AHIMA's HIIM domains relevant to privacy, security, regulatory work, and information governance. Up to 20% can be on related but outside-domain topics.

40% AHIMA-source rule (effective 2025): At least 40% of CEUs must come from AHIMA-produced content (including HCPro), AHIMA Component Association programs, or AHIMA-approved Trainer designations.

Self-Assessment: AHIMA requires a self-assessment activity each cycle.

Recertification fee: $100 member / $249 non-member per cycle. Multi-credential discounts available.

Career impact

Where CHPS holders work.

The CHPS unlocks Privacy Officer, Security Officer, Compliance Officer, and Information Governance Manager roles across the healthcare ecosystem.

Hospitals and health systems

Largest single employer category — every system needs a designated Privacy Officer under §164.530(a)(1) and a Security Officer under §164.308(a)(2). Major IDNs (HCA, Kaiser, Cleveland Clinic, Mayo) staff multiple privacy and security roles.

Health insurance payers

UnitedHealth, Aetna, regional Medicaid MCOs, Blue Cross plans. Heavy hirers because of PHI and claims data volume. Privacy roles here often pay above hospital equivalents.

HIM consulting and audit firms

Clearwater, Protiviti, Crowe, and similar healthcare-focused privacy/compliance practices. Senior consultants with CHPS plus 5+ years of experience earn $130K-$200K.

EHR vendors and health-tech

Epic, Oracle Health (Cerner), athenahealth for privacy product roles. SaaS healthcare vendors must staff privacy and security leadership; CHPS is a strong signal.

Federal contractors and government

DoD COOL recognizes CHPS for Army and DoD Civilian healthcare roles. VA and HHS contractors routinely list it as preferred. Federal contracting work pays well and is highly stable.

Law firms and HIPAA specialty consultancies

Privacy attorneys often pair JD with CHPS to signal applied operational depth, not just legal expertise. Smaller compliance consultancies also stack the credential.

2025-2026 demand drivers

Healthcare ransomware attacks up 58% YoY (GuidePoint Security 2025); ~57 large breaches per month reported to OCR; ~62M Americans affected by healthcare breaches in 2025; Change Healthcare 2024 incident continues to drive board-level investment in privacy and security through 2026. The credential isn't tied to a single SOC code, but the underlying job market is in expansion.

FAQ

Frequently asked questions about the CHPS.

Should I still bother pursuing HCISPP?

No new candidates can earn HCISPP — the final exam was December 1, 2023. If you already hold HCISPP, maintain it through the December 1, 2026 inactivation date and add CHPS, CISSP, or CIPP/US to stay current. If you're choosing a new healthcare privacy credential in 2026, CHPS is the surviving option.

Can a JD or MD sit for the CHPS with only 1 year of experience?

Yes. AHIMA's six-pathway eligibility includes a master's, JD, MD, or PhD in a relevant field with 1 year of healthcare privacy or security experience. This is often the route for healthcare attorneys and physician compliance officers who want the operational credential alongside their professional degree.

Is CHPS recognized by federal agencies?

Yes. The DoD's COOL program officially recognizes CHPS for Army and DoD Civilian healthcare positions. VA and HHS contractors routinely list it as preferred or required. Federal contracting roles tied to HIPAA compliance frequently call for CHPS, CHPC, or CIPP/US interchangeably.

How does CHPS compare to CISSP?

Different scope. CISSP is ISC2's industry-agnostic information security management credential — deeper on the technical security side, no healthcare specialization. CHPS is healthcare-specific with strong privacy depth alongside the security material. Senior healthcare CISOs and Security Officers often hold both. If you want one credential for a healthcare-focused privacy/security career, CHPS. If you want the strongest possible general-security credential plus healthcare experience, CISSP.

Will the 2025 HIPAA Security Rule NPRM change what's tested on the CHPS?

Almost certainly yes once the rule is finalized. AHIMA typically updates exam content outlines within 12-18 months of major regulatory changes. The final rule is expected late 2026; expect a content outline refresh in 2027. Until then, current candidates should still know the existing Security Rule structure cold — the new provisions are additive to, not a replacement for, the current framework.