CHPA logo
Focused certification exam prep
Start practice
Home / Study Resources / Core Study Guides / CHPA Recertification Requirements 2026: A

CHPA Recertification Requirements 2026: A Complete Guide

Updated 10 min read CHPA Exam Prep
Table of Contents
TL;DR
  • CHPA recertification is competency-driven - your CEUs must map to the eight defined healthcare security domains, not just any security topic.
  • Domain 2 (Healthcare Security Leadership, 20%) and Domain 3 (Healthcare Security Workforce Management, 16%) together represent over a third of exam weight -...
  • Letting your CHPA lapse means re-sitting the full examination rather than completing a streamlined renewal process.
  • Documentation errors - missing dates, missing provider names, unverifiable hours - are the most common reason recertification applications are delayed.

What Is CHPA Recertification and Why It Matters

The Certified Healthcare Protection Administrator (CHPA) credential signals that a healthcare security professional has demonstrated mastery across a rigorous, multi-domain body of knowledge - from physical security design to workplace violence prevention. But earning that credential is only the beginning. Recertification is the mechanism by which the certifying body confirms that holders are staying current in a field that evolves constantly alongside healthcare regulations, threat landscapes, and technology.

Unlike a one-time license, the CHPA is structured around a continuous professional development model. The credential does not simply expire on a calendar date; it lapses when a holder fails to demonstrate ongoing engagement with the domains that define healthcare security practice. That distinction matters enormously when planning your professional development calendar.

Why Recertification Rigor Protects Your Career: Healthcare organizations - hospital systems, integrated delivery networks, children's hospitals, and behavioral health campuses - increasingly specify the CHPA in job postings and promotion criteria for security director and manager roles. A lapsed credential is not a minor administrative issue; it can disqualify you from consideration for positions you are otherwise qualified for.

The credential is administered through the International Association for Healthcare Security and Safety (IAHSS), and recertification requirements are set by the IAHSS Certification Council. Candidates preparing for the initial exam or working through renewal should bookmark the CHPA Exam Prep practice test hub as a resource for staying sharp across all eight domains.

The Recertification Cycle Explained

CHPA recertification operates on a defined cycle tied to the date of your original certification. The cycle requires holders to accumulate a set number of continuing education units (CEUs) and submit documentation before their credential's expiration date. Missing that window - even by a short period - triggers lapse status rather than a grace extension.

Key Cycle Milestones

The recertification timeline has several critical checkpoints that credential holders should schedule proactively rather than reactively:

  • Certification anniversary date: Your personal deadline - not a shared calendar date. Every CHPA holder has a unique expiration window based on when they originally passed the exam.
  • Early submission window: Submitting before the expiration date allows time for the council to review documentation and request any corrections without creating a gap in your credential status.
  • Audit notification period: A percentage of recertification submissions are selected for audit. Knowing this in advance shapes how you store and organize your supporting documents throughout the cycle.

Key Takeaway

Treat your CHPA recertification deadline like a project deadline with a two-week buffer, not like a due date you meet on the final day. The certification council reviews submissions - they are not rubber-stamped.

CEU Categories and How to Earn Credit

Not all professional development activities count equally - or at all - toward CHPA recertification. The IAHSS Certification Council structures eligible credit into categories, and healthcare security professionals who plan their development intentionally will find plenty of pathways to meet requirements. Those who treat CEUs as an afterthought often scramble in the final months of their cycle.

Recognized Activity Types

The following activity types are generally recognized as eligible for CHPA CEU credit, though documentation requirements vary by category:

  • Formal educational programs: Courses, seminars, and workshops delivered by recognized healthcare security, emergency management, or healthcare administration bodies. IAHSS-sponsored events carry strong credentialing alignment.
  • Professional conferences: Attendance at healthcare security conferences where session content maps to one or more of the eight CHPA domains. Simply registering is not sufficient - session-level documentation is typically required.
  • Published authorship: Peer-reviewed articles, book chapters, or formal white papers in the healthcare security field. Authorship carries more weight than co-authorship in most frameworks.
  • Teaching and instruction: Delivering formal training to healthcare security staff - particularly in areas like Domain 7 (Healthcare Workplace Violence) or Domain 6 (Emergency Preparedness: Planning and Management) - may qualify for instructional credit.
  • College coursework: Relevant credit-bearing courses in criminal justice, security management, healthcare administration, or emergency management may count toward the total.
Tip on Conference Credit: When attending the IAHSS Annual Conference or regional training events, collect session handouts, certificate of attendance PDFs, and the event agenda. These are the specific documents an audit reviewer will look for, not just your registration confirmation.

Aligning Your CEUs to the Eight Exam Domains

This is where CHPA recertification becomes meaningfully different from generic security certification renewals. The eight domains are not arbitrary categories - they represent the actual scope of healthcare security practice as validated through IAHSS job task analyses. Your CEUs should reflect genuine engagement with these domains, and if selected for audit, reviewers will assess whether your documented activities are credibly connected to the domain knowledge base.

Domain 1: Security and Safety in the Healthcare Environment (15%)

This domain covers the regulatory, accreditation, and standards environment that shapes healthcare security operations. CEUs here might include Joint Commission Environment of Care training, OSHA healthcare standards updates, or CMS compliance programs.

  • Understand how TJC Environment of Care standards interface with security program design
  • Stay current on CMS Conditions of Participation as they relate to patient and visitor safety
  • Track state-level healthcare security legislation, which is evolving rapidly in many jurisdictions

Domain 2: Healthcare Security Leadership (20%)

The highest-weighted domain. CEUs should reflect strategic leadership development - not just operational skills. Executive education, healthcare administration leadership programs, and board-level security briefing formats are relevant here.

  • Security program governance structures and reporting relationships within healthcare organizations
  • Budget development, business case construction for security investments
  • Stakeholder engagement with clinical, administrative, and risk management leadership

Domain 7: Healthcare Workplace Violence (15%)

Given the ongoing national focus on healthcare workplace violence, this domain sees frequent policy and legislative updates. CHPAs should prioritize CEUs here and consider reviewing the CHPA Domain 8: Investigation Management Complete Study Guide as a complement, since investigations often stem from workplace violence incidents.

  • Violence prevention program design and implementation
  • Threat assessment team structures in healthcare settings
  • De-escalation training program oversight and evaluation

For Domain 8 specifically, which covers Investigation Management (5% of exam weight), the activities that generate CEUs are often embedded in broader security management programs rather than standalone courses. Reviewing the CHPA Domain 8: Investigation Management Complete Study Guide can help you identify specific competency areas where your professional development has gaps.

Domain Weight High-Value CEU Activity Types
Security and Safety in the Healthcare Environment 15% Joint Commission EC training, OSHA healthcare updates
Healthcare Security Leadership 20% Executive education, healthcare admin programs, governance training
Healthcare Security Workforce Management 16% HR compliance training, performance management courses, contract management
Physical Security 14% ASIS physical security certifications, site assessment training
Electronic Security System Integration 5% Access control/CCTV vendor certifications, technology integration seminars
Emergency Preparedness: Planning and Management 10% FEMA ICS courses, HVA development workshops, tabletop exercise facilitation
Healthcare Workplace Violence 15% Threat assessment training, de-escalation program leadership, legislative briefings
Investigation Management 5% Healthcare fraud investigation courses, interview technique training, evidentiary chain-of-custody seminars

Documentation, Submission, and Audit Readiness

Regardless of how well you've planned your CEU activities, your recertification application is only as strong as your documentation. This is not an area where credential holders should improvise or reconstruct records at the end of a cycle.

What to Collect at the Time of Each Activity

  1. Certificate of completion or attendance - must include your full name, the program or course title, the sponsoring organization, the date(s), and the number of contact hours or CEUs awarded.
  2. Program agenda or course description - helps demonstrate domain relevance if reviewed by an auditor.
  3. Proof of active participation - for multi-day conferences, consider keeping your name badge, session sign-in sheets, or post-event evaluation confirmation emails.
Build a Running Recertification File: Create a dedicated folder - physical or cloud-based - on the day you earn your CHPA. Add documentation to it within 48 hours of completing any qualifying activity. Reconstructing three years of professional development activities from memory and email archives is a stressful and error-prone process that routine filing eliminates entirely.

The Audit Process

If selected for audit, you will be asked to produce original documentation for your claimed CEUs. The audit is not designed to be punitive - it exists to ensure the credential maintains its integrity across all holders. Professionals who document in real time pass audits with minimal friction. Those who reconstruct documentation after the fact often discover gaps they cannot fill.

Renewal vs. Letting Your Credential Lapse

The stakes of failing to recertify are significant and worth spelling out clearly. A CHPA holder who misses the recertification window does not receive a warning letter and a grace period to complete a streamlined process. The credential lapses, and reinstatement requires sitting for and passing the full CHPA examination again - the same multi-domain, proctored exam that required significant preparation the first time.

Beyond the examination burden, a lapsed credential creates a visible gap in your professional profile. Healthcare security director positions, especially at larger health systems, are increasingly filled through formal search processes that involve credential verification. A lapsed CHPA during an active job search is a material disadvantage.

Proactive recertification is simply the less expensive and less stressful path - in time, money, and professional capital.

A Recertification Study Block for Credential Holders

Recertification is not just about accumulating contact hours - it is about genuine professional development. If you have identified domains where your daily role does not give you regular exposure, a structured review block can help you both fill CEU gaps and keep your knowledge sharp for any future CHPA examination retake requirement.

Month 1

Domains 2 and 3 - Leadership and Workforce (highest combined weight at 36%)

  • Enroll in a healthcare leadership development course or IAHSS webinar series focused on program management
  • Review CHPA practice questions targeting leadership strategy and workforce supervision on CHPA Exam Prep
  • Document your existing qualifying activities from the past 12 months in these domains
Month 2

Domains 1 and 7 - Regulatory Environment and Workplace Violence (30% combined)

  • Review recent Joint Commission Environment of Care standards updates and any state legislative changes affecting healthcare security
  • Complete or facilitate a workplace violence prevention training update - this creates both operational value and CEU documentation
  • Cross-reference your Domain 7 CEUs with Domain 8 investigation skills using the CHPA Recertification Requirements 2026: A Complete Guide as your planning framework
Month 3

Domains 4, 5, 6, and 8 - Physical, Electronic, Emergency, and Investigation (34% combined)

  • Attend a physical security or access control training event; many security technology vendors offer certified training that generates documented hours
  • Complete FEMA ICS 100 or 200 refresher (free, fully documented, directly applicable to Domain 6)
  • Submit your complete recertification package at least 30 days before your expiration date

Mistakes That Delay or Derail Renewal

After reviewing what successful recertification looks like, it is worth cataloging the specific errors that create problems - because most of them are entirely preventable.

  • Claiming CEUs for activities that are not documented: If you attended a training session but never received a certificate and cannot locate the agenda, that activity cannot be submitted. No documentation, no credit.
  • Submitting activities with unclear domain relevance: A general management course, a generic customer service seminar, or a leadership retreat without clear security or healthcare content will face scrutiny. Add a brief notation explaining domain relevance at submission time.
  • Waiting until the final month of the cycle: This compresses your timeline for gathering documentation, completing any remaining credit hours, and allowing the council time to process your application before your expiration date.
  • Confusing contact hours with CEUs: Some providers report hours in different formats. Know the conversion your recertification application requires and apply it consistently across all activities.
  • Failing to update contact information with the certification council: Renewal reminders and audit notifications are sent to the address on file. Professionals who change employers and do not update their records miss critical communications.

Frequently Asked Questions

Can I count activities I completed before earning my CHPA toward recertification?

Generally, no. The recertification cycle begins on the date your certification was awarded. Activities completed before that date counted toward your eligibility for the initial exam, not toward renewal. CEUs must be earned within the active certification period.

Does earning a second security certification count as a CEU activity for CHPA recertification?

It may, depending on the certification and the documentation available. The preparation coursework, study programs, and examination preparation activities associated with credentials like the CPP (Certified Protection Professional) or CHSP (Certified Healthcare Security Professional) may generate documented contact hours that qualify - but the credential itself is not automatically a CEU. Review what preparation activities generated verifiable documentation.

What happens if I submit my recertification application and the council has questions about a specific activity?

The council will contact you at the address on file with a request for additional documentation or clarification. This is not an automatic denial - it is part of the review process. Responding promptly with the requested materials typically resolves the question. This is another reason to submit early rather than at the deadline.

Are online courses and webinars acceptable for CHPA recertification credit?

Yes, provided they generate verifiable documentation - a completion certificate with your name, the course title, sponsoring organization, date, and contact hours. Many IAHSS-sponsored webinars and online education programs are specifically designed to meet these requirements. Ensure asynchronous courses include a completion mechanism that generates this documentation automatically.

How should I approach recertification if I have moved from a clinical healthcare security role into a consulting or vendor role?

Your eligibility to maintain the CHPA depends on continuing to meet the credentialing body's professional experience standards, not just accumulating CEUs. If your role has shifted significantly, review the current CHPA eligibility criteria with the IAHSS Certification Council directly. CEU activities should still reflect the eight domains of healthcare security practice - consulting work that directly supports healthcare clients may count toward demonstrating ongoing engagement with the field.

Ready to Start Practicing?

Whether you're preparing for the initial CHPA exam or identifying domain gaps before recertification, our practice tests cover all eight domains with exam-style questions mapped to current IAHSS content specifications. Start a free session today and see exactly where your knowledge stands.

Start Free Practice Test
Continue reading:

Ready to pass your CHPA exam?

Put this into practice with free CHPA questions across every exam domain.