This free RHIA study guide walks through every knowledge domain the AHIMA Registered Health Information Administrator exam tests, organized to the current AHIMA content outline.[2]
It’s interactive, not a wall of text: every module has built-in checkpoint quizzes, flashcards, and practice questions, so you learn by doing — not just reading.
The RHIA is the bachelor’s-level administrator credential. Where the RHIT is the technician — focused on the hands-on, operational HIM work — the RHIA tests whether you can govern information, run the revenue cycle, ensure enterprise compliance, and lead an HIM department.
That administrative and leadership depth is exactly what this guide emphasizes. We teach all five official domains, one module each, and lead with the heaviest.
Read a module, test yourself at each checkpoint, then drill gaps with our free practice test and flashcards. This is a high-yield overview mapped to the official content outline — not a substitute for your CAHIIM coursework.
RHIA Exam Snapshot
| Detail | RHIA Exam |
|---|---|
| Questions | 150 total (130 scored + 20 unscored pretest) |
| Format | Multiple choice, computer-based |
| Time | 3.5 hours (3 hours 30 minutes) |
| Passing score | Scaled score of 300 (scale 100–400); pass/fail |
| Administered by | AHIMA (CCHIIM) via Pearson VUE test centers |
| Eligibility | Bachelor's/master's/post-bacc certificate in HIM from a CAHIIM-accredited program |
| Cost | $229 AHIMA members / $299 non-members |
| Credential level | Administrator (vs. the RHIT technician credential) |
The RHIA covers five domains under the content outline effective March 1, 2021.[2] Study by weight — PHI Compliance and Data Analytics together are half the exam:
26%
2 · Compliance: Access, Use & Disclosure of PHI
HIPAA privacy/security, patient access, ROI, retention, breach response
24%
3 · Data Analytics & Informatics
Healthcare statistics, visualization, databases, the MPI, EHR/HIE
19%
1 · Information Governance
Data integrity, data dictionary/standards, IG policy, record content
16%
4 · Revenue Cycle Management
Claims, CDI, coding validation, value-based care, fraud prevention
15%
5 · Management & Leadership
Strategy, HR, process improvement, budgeting, accreditation
Notice the shape of the exam: it is not a coding test. Coding accuracy lives inside Revenue Management, but the bulk of the RHIA is compliance, analytics, governance, and leadership— the work of running a health-information function, not processing individual records. Keep that administrator’s lens as you study every module.
Module 1 · Information Governance
19% of the exam. Information governance (IG) is the administrator’s mandate: treat information as a strategic asset and put accountability, policy, and decision rights around it across its whole lifecycle. Every later domain depends on governed, trustworthy data — so this is where the RHIA mindset begins.
- 1
Capture / Create
Data is generated at the point of care and registration — clinical documentation, demographics, and coded data entered into the EHR.
- 2
Maintain / Use
Data supports treatment, payment, and operations; HIM ensures it stays accurate, complete, and standardized to the data dictionary.
- 3
Disclose / Share
Information is released via compliant ROI and exchanged through HIE — always applying the minimum-necessary standard.
- 4
Analyze / Report
Governed data is aggregated into statistics, dashboards, and trend reports that inform management and quality programs.
- 5
Archive / Retain
Records are stored for the legally required retention period under the organization's retention schedule.
- 6
Destroy
At end of retention, records are destroyed by a method that renders PHI unrecoverable, with a destruction log retained.
1.1 Data Integrity & Quality
means data is accurate, complete, consistent, and reliable across its lifecycle — unchanged from its source and fit for purpose. AHIMA’s data-quality model adds dimensions such as timeliness, relevance, and accessibility. The administrator evaluates the integrity of health data and completes data analysis to inform management,[2] because every report, statistic, and reimbursement decision downstream is only as good as the data feeding it.
| Characteristic | What it means |
|---|---|
| Accuracy | Data is correct and free of error |
| Completeness | All required values are present |
| Consistency | The same value means the same thing everywhere |
| Timeliness | Data is up to date and available when needed |
| Relevance | Data is meaningful for its intended use |
| Accessibility | Authorized users can obtain the data they need |
1.2 Data Standards & the Data Dictionary
A is the backbone of data standardization: a documented definition for every data element — its name, format, allowable values, and meaning. Managing data-dictionary standardization policies and managing data standards based on organizational policy are explicit IG tasks.[2] When the same element is defined and captured consistently across systems, data can be aggregated, compared, and exchanged accurately; when it is not, you get unreliable statistics and duplicate or conflicting data.
| Without standardization | With a governed data dictionary |
|---|---|
| Same field means different things by system | One definition applied everywhere |
| Reports don't reconcile | Statistics aggregate reliably |
| Data can't be exchanged cleanly | Interoperability and HIE are possible |
| Duplicate / conflicting values | A single source of truth |
1.3 Health Record Content & IG Policy
The administrator manages health-record content and documentation and develops the policies and procedures for data management and IG.[2]
Two concepts are frequently tested. The (LHR) is the organization’s formally defined official business record — what it will disclose in response to a legal request.
The (DRS) is the HIPAA concept of the records used to make decisions about an individual — the set a patient has a right to access and amend. They overlap but are defined for different purposes.
| Concept | Defined by / for | Purpose |
|---|---|---|
| Legal health record (LHR) | Organizational policy | What is disclosed as the official business record |
| Designated record set (DRS) | HIPAA Privacy Rule | What a patient can access and amend |
Checkpoint · Information Governance
Question 1 of 10
An RHIA defines information governance (IG) for a hospital's leadership. Which description best captures what IG provides to the organization?
Module 2 · Compliance: Access, Use & Disclosure of PHI
26% of the exam — the single largest domain. This is the heart of the RHIA. The administrator is the organization’s steward of patient privacy and security: managing patient access, processing information requests lawfully, monitoring PHI access, handling retention and destruction, following breach protocols, and ensuring privacy and security compliance.[2]
Master HIPAA here and you master the biggest block of the test.
2.1 HIPAA Privacy & Patient Access
protects through two core rules. The governs how PHI in any form may be used and disclosed and grants patients rights; the protects electronic PHI specifically.[3][4] A covered entity may use PHI for treatment, payment, and health-care operations (TPO) without authorization; most other uses require a valid authorization.
Throughout, the standard applies — use or disclose only what the purpose requires (treatment is an exception). Patients have rights to access, amend, and receive an .
| Right | What it lets the patient do |
|---|---|
| Access | Inspect and obtain a copy of their PHI (generally within 30 days) |
| Amend | Request correction of inaccurate or incomplete PHI |
| Accounting of disclosures | Receive a list of certain disclosures of their PHI |
| Restriction | Request limits on uses/disclosures (mandatory for out-of-pocket-paid services) |
| Notice (NPP) | Receive the Notice of Privacy Practices describing uses and rights |
2.2 Release of Information
(ROI) is where privacy law meets daily workflow. The administrator monitors ROI workflows and processes requests according to legal and regulatory standards.[2] Every disclosure runs the same checklist: confirm a valid authorization or permitted purpose, verify the requester’s identity and authority, apply the minimum-necessary standard, check special protections, then disclose, log, and track.
1 · Is the request valid & complete?
Confirm a valid HIPAA authorization (or a permitted purpose such as treatment, payment, or operations) with all required elements.
2 · Verify identity & authority
Confirm the requester is who they claim to be and has the legal right to the information (patient, personal representative, or court order).
3 · Apply the minimum-necessary standard
Disclose only the PHI needed for the stated purpose — not the whole record by default (treatment requests are an exception).
4 · Check special protections
Apply stricter rules for psychotherapy notes, substance-use records (42 CFR Part 2), HIV, and any more-stringent state law.
5 · Disclose, log & track
Release the information, document the disclosure for the accounting of disclosures, and track the request to completion.
Watch the special-protection traps. Psychotherapy notes get heightened protection and usually require specific authorization. Substance-use disorder records fall under 42 CFR Part 2, which is stricter than HIPAA.
And a subpoena is not a court order — a subpoena generally needs additional assurances (notice or a qualified protective order) before you disclose, while a court order compels disclosure.
| Legal request | Can you disclose PHI? |
|---|---|
| Court order | Yes — disclose as expressly authorized by the order |
| Subpoena (no court order) | Only with required assurances (notice to patient or a qualified protective order) |
| Patient authorization | Yes — within the scope and expiration of the authorization |
2.3 Retention & Destruction
The administrator applies retention and destruction policies for healthcare information.[2] A sets how long each record type is kept and how it is destroyed. The required period is the strictest of state law, federal rule, accreditation standard, and organizational policy.
When retention ends, records are destroyed by a method that renders PHI unreadable and unrecoverable (e.g., shredding, secure electronic destruction), and a destruction log is retained as proof.
| Concept | The rule |
|---|---|
| Retention period | The strictest of state, federal, accreditation, and policy requirements |
| Destruction method | Render PHI unreadable and unrecoverable (shred, secure e-destruction) |
| Destruction log | Retained as proof of compliant destruction |
| Business associates | Bound by a BAA to follow the same retention/destruction rules |
2.4 Security & Breach Response
The requires three categories of safeguards for electronic PHI: administrative (risk analysis, workforce training, access management), physical (facility and device controls), and technical (access control, audit controls, integrity, transmission security).[4] When PHI is impermissibly used or disclosed, the administrator follows the protocol: an impermissible disclosure of unsecured PHI is presumed to be a breach unless a shows a low probability of compromise.[5]
1 · Was there an impermissible use or disclosure of unsecured PHI?
Secured (e.g., encrypted) PHI that is breached generally does NOT trigger notification. Start here.
2 · Does an exception apply?
Certain unintentional or good-faith disclosures within the workforce, and disclosures to authorized persons, are excepted.
3 · Run the four-factor risk assessment
Assess the PHI involved, who received it, whether it was actually acquired/viewed, and the extent of mitigation — to judge the probability of compromise.
4 · Low probability of compromise?
If low, document the assessment and no notification is required. If not low, it is a reportable breach.
5 · Notify
Notify affected individuals without unreasonable delay (≤ 60 days), notify HHS, and use media/substitute notice for 500+ affected.
Notification timing matters: affected individuals must be notified without unreasonable delay and no later than 60 days from discovery; breaches affecting 500 or more individuals require prompt notice to HHS and the media. strengthened these rules and extended them to business associates. Encrypted PHI is “secured” — a breach of properly encrypted data generally does not trigger notification.
| Safeguard | Examples |
|---|---|
| Administrative | Risk analysis, workforce training, access management, sanction policy |
| Physical | Facility access controls, workstation use, device and media controls |
| Technical | Access control, audit controls, integrity, transmission security (encryption) |
Checkpoint · PHI Compliance
Question 1 of 10
Under the HIPAA Privacy Rule, which of the following best describes the rule's central purpose?
Module 3 · Data Analytics & Informatics
24% of the exam. This domain is about turning governed data into insight and running the systems that hold it. The administrator develops productivity and summary reports, creates visual representations of data for decision-making, uses database techniques, manages the master patient index, audits documentation, optimizes health IT, supports HIE, and validates healthcare statistics for stakeholders.[2]
3.1 Healthcare Statistics & Reporting
describe and monitor a facility’s performance. The administrator must compute and, critically, validate them before reporting. The most-tested measures are utilization and rate statistics.
| Statistic | How it's computed |
|---|---|
| Average length of stay (ALOS) | Total discharge days ÷ number of discharges |
| Average daily census | Total inpatient service days ÷ days in the period |
| Occupancy rate | Inpatient service days ÷ available bed days × 100 |
| Bed turnover rate | Discharges ÷ available beds for the period |
| Mortality rate | Inpatient deaths ÷ discharges (incl. deaths) × 100 |
| Incidence rate | New cases of a condition ÷ population at risk |
| Prevalence rate | Existing cases (new + old) ÷ population at a point in time |
3.2 Data Visualization & Databases
Administrators create visual representations of data for decision-making and use database management techniques.[2] Choosing the right chart is a tested skill: a line graph shows a trend over time, a bar chart compares categories, a histogram shows a frequency distribution, a pie chart shows parts of a whole, and a scatter plot shows the relationship between two variables. On the database side, relational databases organize data into tables linked by keys and are queried with SQL.
| Goal | Use this chart |
|---|---|
| Show change over time / a trend | Line graph |
| Compare discrete categories | Bar chart |
| Show a frequency distribution | Histogram |
| Show parts of a whole | Pie chart |
| Show relationship between two variables | Scatter plot |
| Monitor KPIs at a glance | Dashboard |
3.3 The MPI & Data Integrity
The is the permanent link between a patient and their unique enterprise identifier, and managing its integrity is an explicit task.[2] Three error types dominate the exam — and they are not equally dangerous.
Duplicate
Two or more records/identifiers for the SAME patient. Fix: merge into one record.
Overlay
One patient's data filed under ANOTHER patient's identifier — a patient-safety risk. Fix: unmerge urgently.
Overlap
The same patient has different identifiers across facilities in a system. Fix: reconcile in the EMPI.
A (two identifiers for one patient) is merged. An (one patient’s data under another patient’s identifier) is the most dangerous, because it mixes two patients’ clinical data — a patient-safety emergency that must be unmerged immediately. An overlap (the same patient with different identifiers across facilities) is reconciled in an enterprise MPI (EMPI).
3.4 EHR Systems & Health Information Exchange
The administrator prepares to support end users in EHR applications, optimizes health IT to improve workflow, and supports solutions.[2] HIE depends on — the ability of systems to exchange and use data — built on standards such as HL7 and the modern FHIR standard. The EHR also delivers clinical decision support (alerts, reminders, order sets) at the point of care.
| Term | What it is |
|---|---|
| EHR | The longitudinal digital record shared across providers and settings |
| HIE | Electronic sharing of health information among organizations |
| Interoperability | Systems exchanging and using data (often via HL7 / FHIR) |
| HL7 / FHIR | Standards for exchanging clinical and administrative data |
| Clinical decision support (CDS) | EHR alerts, reminders, and order sets at the point of care |
Checkpoint · Data Analytics & Informatics
Question 1 of 10
An RHIA defines the electronic health record (EHR) for a new informatics committee. Which description best captures what an EHR is?
Module 4 · Revenue Cycle Management
16% of the exam. Coding drives money, and the administrator oversees the cycle that turns documented care into collected revenue — validating coding accuracy, conducting CDI, verifying claims, educating providers on value-based care, and preventing fraud.[2] This is where the RHIA’s coding knowledge is applied at the enterprise, revenue-integrity level — not chart by chart.
4.1 The Revenue Cycle & Claims
The spans the front end (scheduling, registration, eligibility, authorization), the middle (charge capture, coding, CDI), and the back end (claims, payment posting, denials). HIM and coding sit in the middle — which is why documentation and coding quality determine whether the back end can collect.
- 1
Front end
Scheduling & registration
Capture accurate demographic and insurance data, verify eligibility, and obtain prior authorization — preventing downstream denials.
- 2
Front end
Patient access / financial clearance
Confirm coverage and benefits and set patient financial responsibility before or at the encounter.
- 3
Middle
Charge capture
Record every billable service and supply provided so it appears on the claim.
- 4
Middle
Coding & CDI
Assign accurate ICD-10-CM/PCS and CPT/HCPCS codes from complete documentation; query providers when documentation is unclear.
- 5
Back end
Claims submission
Produce and submit a clean claim (UB-04 or CMS-1500) that passes payer and NCCI edits.
- 6
Back end
Payment posting
Post remittances, apply contractual allowances, and reconcile expected versus actual reimbursement.
- 7
Back end
Denials & A/R follow-up
Work denials, appeal underpayments, and pursue collections to convert services into collected revenue.
Two metrics show up constantly. (DNFB) measures accounts discharged but not yet billed — a high DNFB usually signals a coding backlog. Accounts receivable (A/R) days measures how long it takes to collect after billing. Clean claims (no errors) and low denial rates keep both healthy.
| Metric | What it measures |
|---|---|
| DNFB (discharged not final billed) | Discharged accounts not yet billed — high = a bottleneck (often coding) |
| A/R days | Average days to collect after billing — lower is better cash flow |
| Clean claim rate | Share of claims with no errors, payable on first submission |
| Denial rate | Share of claims denied by payers — a compliance and efficiency signal |
| Case mix index (CMI) | Average DRG weight — clinical complexity that drives payment |
4.2 CDI & Coding Validation
(CDI) improves the accuracy, completeness, and specificity of documentation so it fully reflects severity and supports correct codes. CDI specialists issue compliant, non-leading provider queries to clarify ambiguous, incomplete, or conflicting documentation before coding. The administrator also validates coding accuracy by auditing assigned codes against documentation and official guidelines.[2][7]
| Compliant query | Leading (non-compliant) query |
|---|---|
| Non-leading; presents the clinical facts | Suggests a specific diagnosis to choose |
| Supported by clinical indicators | Lacks or ignores clinical support |
| Offers balanced, reasonable options | Offers only the higher-paying option |
| Aims for an accurate record | Aims to maximize reimbursement |
4.3 Reimbursement, Value-Based Care & Fraud
The administrator educates providers on value-based care programs and performs fraud prevention.[2] Fee-for-service pays per service (rewarding volume); ties payment to quality and outcomes, shifting risk to providers through value-based purchasing, bundled payments, and accountable care organizations.[6] On the integrity side, distinguish (knowing, intentional misrepresentation — e.g., billing for services not rendered, upcoding) from (improper practices causing unnecessary cost, without that intent).
| Concept | What the administrator must know |
|---|---|
| Fee-for-service | Pays per service — rewards volume |
| Value-based care | Pays for quality/outcomes — shifts risk to providers |
| DRG / APC | Inpatient (DRG) and outpatient (APC) prospective payment groups |
| Upcoding | Coding more severe/expensive than documented — fraud |
| Unbundling | Billing components separately for higher pay — improper |
| False Claims Act | Liability for knowingly submitting false claims to federal programs |
Checkpoint · Revenue Cycle Management
Question 1 of 10
When an RHIA reports a facility's case mix index, what unit best describes the resulting value?
Module 5 · Management & Leadership
15% of the exam. This is the domain that most distinguishes the RHIA from the RHIT. The administrator implements organizational strategy, manages people, redesigns processes, prepares budgets, manages contracts, facilitates training, and supports accreditation.[2] You are being tested as a department leader, not a record processor.
5.1 Strategy & Organizational Leadership
defines the organization’s long-term direction — its mission, vision, and goals — and allocates resources to achieve them, often using a and a balanced scorecard. The administrator implements strategies that support organizational initiatives,[2] translating high-level strategy into department objectives, staffing, and process changes. Distinguish leadership (setting vision and motivating change) from management (planning, organizing, and controlling day-to-day operations).
5.2 Human Resource Management
The administrator performs human resource activities — recruiting staff, creating job descriptions, and resolving personnel issues.[2] A job description defines a position’s duties and reporting relationships; a job specification defines the qualifications a person needs.
Performance is managed through appraisals and, when needed, progressive discipline (verbal warning → written warning → suspension → termination). Staffing is planned in (FTE) units against productivity standards.
| Concept | What it is |
|---|---|
| Job description | A position's duties, responsibilities, and reporting relationships |
| Job specification | The qualifications and skills a person needs for the job |
| Performance appraisal | A periodic, structured evaluation against expectations |
| Progressive discipline | Graduated steps: verbal → written → suspension → termination |
| FTE | Staffing as the hours of one full-time employee (two half-time = 1.0 FTE) |
| Productivity standard | Expected output (e.g., charts coded per hour) used to manage performance |
5.3 Process Improvement & Projects
The administrator performs work design and process-improvement activities.[2] The core tools: Lean eliminates waste, Six Sigma reduces variation through DMAIC (Define, Measure, Analyze, Improve, Control), and the (Plan-Do-Study-Act) tests a change on a small scale before spreading it. Projects are planned and tracked with tools like a Gantt chart, guarding scope against scope creep.
| Method / tool | What it does |
|---|---|
| PDSA cycle | Plan-Do-Study-Act — test a change small, then refine and spread |
| Lean | Eliminates non-value-adding waste from a process |
| Six Sigma (DMAIC) | Reduces variation and defects: Define, Measure, Analyze, Improve, Control |
| Root cause analysis (RCA) | Identifies the underlying cause of a problem or event |
| Gantt chart | Schedules project tasks against time to track progress |
5.4 Budgeting, Accreditation & Compliance
The administrator assists with preparing budgets and with entity accreditation, licensing, or certification.[2] An plans day-to-day revenue and expenses (salaries are usually the biggest line); a plans major long-term purchases. Variance analysis compares budgeted to actual to control finances.
On the external side, distinguish (voluntary, e.g., The Joint Commission) from licensure (mandatory government permission) and certification (meeting defined standards, e.g., CMS Conditions of Participation). All of it runs inside a — policies, training, auditing, and reporting.
| Term | Mandatory? | Granted by |
|---|---|---|
| Accreditation | Voluntary | An external accrediting body (e.g., The Joint Commission) |
| Licensure | Mandatory | Government — permission to operate or practice |
| Certification | Often required to bill | A body confirming standards are met (e.g., CMS CoP) |
Checkpoint · Management & Leadership
Question 1 of 10
A health information manager wants to reduce variation and defects in the chart-deletion workflow by following a structured, data-driven methodology built on the Define, Measure, Analyze, Improve, and Control phases. Which performance-improvement approach is being described?
How to Use This RHIA Study Guide
This guide is built to be worked, not just read. The most efficient path to a pass:
- Study by weight. PHI Compliance (26%) and Data Analytics (24%) are half the exam — start there, then Information Governance (19%), Revenue Management (16%), and Management & Leadership (15%).
- Think like an administrator. The RHIA tests judgment at the department and enterprise level — governance, compliance decisions, revenue integrity, and leadership — not record-by-record processing.
- Use the RHIT guide for the technical side. If you’re shaky on the operational HIM and coding mechanics, our RHIT study guide covers that technician-level material in depth.
- Check off as you go. Use the Study Guide Contents to mark each section done; it raises your exam-readiness score.
- Take every checkpoint. The end-of-module quizzes show you exactly which domains need another pass.
- Drill the weak domain. Send your weak area into the flashcards and a practice test until the score climbs.
RHIA Concept Questions
Common RHIA concepts candidates search while studying — each answered briefly and backed by an official source. Test yourself, then drill them as flashcards.
RHIA Glossary
The high-yield RHIA terms in one place — hover any dotted term in the guide, or flip the whole deck here as a self-grading flashcard set.
- Abuse
- Practices inconsistent with sound fiscal or medical practice causing unnecessary cost — improper but not necessarily intentional.
- Accounting of disclosures
- A patient's HIPAA right to a list of certain disclosures of their PHI made by the covered entity.
- Accreditation
- Voluntary review by an external body (e.g., The Joint Commission) confirming an organization meets quality standards.
- Average length of stay
- ALOS — total discharge days for a group of inpatients divided by the number of discharges in the period.
- Breach
- An impermissible use or disclosure of unsecured PHI that compromises its security or privacy, unless a risk assessment shows low probability of compromise.
- Business associate
- A person or entity performing functions involving PHI on behalf of a covered entity, bound by a business associate agreement (BAA).
- Capital budget
- A budget for major, long-term asset purchases such as a new EHR module or scanners.
- Case mix index
- CMI — the average DRG relative weight for a facility's patients; a measure of clinical complexity that drives reimbursement.
- Clinical documentation improvement
- CDI — a program improving documentation accuracy and completeness so it supports correct codes and reflects severity.
- Compliance program
- An organized system of policies, training, auditing, and reporting to prevent and detect violations of law and policy.
- Covered entity
- Under HIPAA, a health plan, health-care clearinghouse, or provider that transmits health information electronically.
- Data dictionary
- A documented set of standard definitions for every data element — name, format, allowable values, and meaning — enforcing consistency across systems.
- Data governance
- A subset of information governance focused specifically on the management, quality, and integrity of an organization's data.
- Data integrity
- The accuracy, completeness, consistency, and reliability of data throughout its lifecycle — unchanged from source and fit for purpose.
- Designated record set
- Under HIPAA, the records a covered entity uses to make decisions about an individual — what a patient may access and amend.
- Diagnosis-Related Group
- DRG — an inpatient classification paying a fixed amount per admission based on diagnoses and procedures.
- Discharged not final billed
- DNFB — accounts discharged but not yet billed; high values signal revenue-cycle bottlenecks, often in coding.
- Duplicate
- Two or more records or identifiers created for the same patient — must be merged to preserve a single record.
- Four-factor risk assessment
- The breach analysis of the PHI involved, who received it, whether it was actually acquired/viewed, and the extent of mitigation.
- Fraud
- Knowingly submitting false claims or misrepresenting services to obtain payment — illegal under the False Claims Act.
- Full-time equivalent
- FTE — a unit expressing staffing as the hours of one full-time employee (e.g., two half-time staff = 1.0 FTE).
- Health information exchange
- HIE — the electronic sharing of health information among organizations to improve coordination of care.
- Healthcare statistics
- Quantitative measures (census, length of stay, rates) computed from health data to describe and monitor organizational performance.
- HIPAA
- The Health Insurance Portability and Accountability Act — federal law setting national standards to protect health information.
- HITECH
- The Health Information Technology for Economic and Clinical Health Act, which strengthened HIPAA enforcement and added breach notification.
- Incidence rate
- The number of new cases of a condition in a population over a period.
- Information governance
- An organization-wide framework of accountability, policies, and decision rights for managing information as a strategic asset across its lifecycle.
- Interoperability
- The ability of different information systems and devices to exchange and use data, often via HL7 or FHIR standards.
- Legal health record
- The formally defined subset of records an organization discloses as its official business record in response to a legal request.
- Master Patient Index
- The MPI — the permanent database linking every medical record number a patient has to one unique enterprise identifier.
- Minimum necessary
- The HIPAA principle of using, disclosing, or requesting only the least PHI needed to accomplish the intended purpose.
- Operating budget
- A budget for day-to-day revenue and expenses (salaries, supplies) over a fiscal year.
- Overlay
- One patient's information recorded under another patient's identifier — a serious patient-safety error to resolve immediately.
- PDSA cycle
- Plan-Do-Study-Act — an iterative method for testing and implementing a process change on a small scale first.
- Prevalence rate
- The number of existing cases (new and old) of a condition in a population at a point in time.
- Privacy Rule
- The HIPAA rule setting national standards for how PHI may be used and disclosed and granting patients rights over their information.
- Protected health information
- PHI — individually identifiable health information held or transmitted by a covered entity or business associate, in any form.
- Release of information
- ROI — the HIM process of validating, fulfilling, and tracking requests for copies of a patient's health information.
- Retention schedule
- A policy specifying how long each record type is kept and how it is destroyed when retention ends.
- Revenue cycle
- All clinical and administrative functions that capture, manage, and collect patient-service revenue, from scheduling to final payment.
- Security Rule
- The HIPAA rule requiring administrative, physical, and technical safeguards to protect electronic PHI (ePHI).
- Six Sigma
- A data-driven methodology (DMAIC) that reduces process variation and defects.
- Strategic planning
- Defining an organization's long-term direction and allocating resources to achieve its mission, vision, and goals.
- SWOT analysis
- A planning tool assessing internal Strengths and Weaknesses and external Opportunities and Threats.
- Value-based care
- Reimbursement tied to quality and outcomes rather than volume, shifting financial risk toward providers.
RHIA Study Guide FAQ
The RHIA exam has 150 questions total — 130 scored items and 20 unscored pretest items — all multiple choice. You have 3.5 hours (3 hours 30 minutes) to complete it. Answer everything, since the pretest items are indistinguishable from the scored ones.
Per the AHIMA content outline (effective March 1, 2021): Information Governance (19%), Compliance with Uses and Disclosures of PHI (26%), Data Analytics and Informatics (24%), Revenue Management (16%), and Management and Leadership (15%). PHI Compliance is the largest single domain.
The passing scaled score for the RHIA is 300 on a 100–400 scale. AHIMA does not publish a fixed number-correct cut score; raw scores are converted to a scaled score so every candidate must demonstrate the same ability level regardless of which exam form they took.
The RHIA is the bachelor's-level administrator credential and tests management, leadership, enterprise information governance, strategy, and revenue-cycle management. The RHIT is the technician credential focused on the operational, technical HIM work. This guide teaches the administrator depth; our RHIT study guide covers the technical side.
You must hold (or be completing) a baccalaureate, master's, or post-baccalaureate certificate in Health Information Management from a CAHIIM-accredited program, or have graduated from an HIM program approved by a foreign association with a reciprocity agreement with AHIMA.
The RHIA exam costs $229 for AHIMA members and $299 for non-members. It is administered by AHIMA's Commission on Certification (CCHIIM) at Pearson VUE test centers in a computer-based format. RHIA certification is renewed with continuing education units (CEUs).
Study by weight: lead with PHI Compliance (26%) and Data Analytics (24%), which together are half the exam, then Information Governance (19%), Revenue Management (16%), and Management and Leadership (15%). Read each module, take the checkpoint to find gaps, then drill with our free practice test and flashcards.
Yes — the full guide, the checkpoints, the glossary, the practice test, and the flashcards are 100% free with no account required.
References
- 1.American Health Information Management Association. “Registered Health Information Administrator (RHIA) Certification.” ahima.org. ↑
- 2.American Health Information Management Association. “RHIA Exam Content Outline (effective 03/01/2021).” ahima.org. ↑
- 3.U.S. Department of Health & Human Services. “HIPAA for Professionals: The Privacy Rule.” hhs.gov. ↑
- 4.U.S. Department of Health & Human Services. “HIPAA for Professionals: The Security Rule.” hhs.gov. ↑
- 5.U.S. Department of Health & Human Services. “HIPAA Breach Notification Rule.” hhs.gov. ↑
- 6.Centers for Medicare & Medicaid Services. “Medicare Value-Based Programs.” cms.gov. ↑
- 7.Centers for Medicare & Medicaid Services. “ICD-10 and Official Coding Guidelines.” cms.gov. ↑

Career Employer
Career Employer is the ultimate resource to help you get started working the job of your dreams. We cover topics from general career information, career searching, exam preparation with free study materials, career interviewing, and becoming successful in your career of choice.
All PostsCareer Employer’s Editorial Process
Here at Career Employer, we focus a lot on providing factually accurate information that is always up to date. We strive to provide correct information using strict editorial processes, article editing, and fact-checking for all of the information found on our website. We only utilize trustworthy and relevant resources. To find out more, make sure to read our full editorial process page here.
