- Exam Content Overview
- Strategic Study Time Allocation
- Domain 3: Monitoring, Auditing & Internal Reporting (22%)
- Domain 4: Investigations & Remedial Measures (20%)
- Domain 1: Compliance Program Administration (19%)
- Domain 2: Laws, Regulations & Guidance (14%)
- Domain 5: Compliance Risk Assessment (11%)
- Domain 6: Training & Education (8%)
- Domain 7: Screening & Registration (6%)
- Strategic Study Approach
One of the most common questions from CHC exam candidates is deceptively simple: "What's actually on the exam?"
The Health Care Compliance Association (HCCA) provides a content outline, but understanding what to study is only half the battle. The more important question is: "Where should I focus my limited study time to maximize my score?"
This comprehensive guide breaks down all seven CHC exam content domains, reveals the weighted question distribution that determines which areas matter most, provides detailed topic lists for each domain, and offers strategic guidance on allocating your study time for maximum impact.
Exam Content Overview: The Seven Domains
The CHC certification exam tests knowledge across seven distinct domains of healthcare compliance. These aren't equal—some domains contain significantly more questions than others, making strategic study allocation critical.
Quick Reference: All Seven Domains
| Domain | Questions | Percentage | Study Priority |
|---|---|---|---|
| Domain 3: Monitoring, Auditing, and Internal Reporting | 22 | 22% | ⬆️ Highest |
| Domain 4: Investigations and Remedial Measures | 20 | 20% | ⬆️ Highest |
| Domain 1: Compliance Program Administration | 19 | 19% | ⬆️ Highest |
| Domain 2: Laws, Regulations, and Guidance | 14 | 14% | ■ Medium |
| Domain 5: Compliance Risk Assessment | 11 | 11% | ■ Medium |
| Domain 6: Training and Education | 8 | 8% | ⬇️ Lower |
| Domain 7: Screening and Registration | 6 | 6% | ⬇️ Lower |
| TOTAL (Scored Questions) | 100 | 100% | — |
Note: The actual exam contains 120 questions, but 20 are unscored pretest items. Only 100 questions count toward your score.
Visual Distribution of Exam Questions
The top three domains—Monitoring/Auditing (22%), Investigations/Remedial Measures (20%), and Compliance Program Administration (19%)—account for 61% of your entire exam score. Master these three domains and you're more than halfway to passing. This doesn't mean you can ignore the other domains, but it does mean your study time allocation should heavily favor these areas, especially if you're short on preparation time.
Strategic Study Time Allocation
If you have 80 hours total to study (a common benchmark), here's how to allocate your time based on question weights and typical candidate weakness patterns:
Why these allocations differ from exact percentages:
- Domains 3 and 4 get slightly more time because they're typically harder and candidates report more difficulty
- Domain 2 (Laws/Regulations) gets extra time because it's dense, complex material requiring memorization
- Domains 6 and 7 get minimum viable time because they're smaller and more straightforward
This allocation assumes average candidate preparation. Adjust based on your experience: If you conduct audits daily, you might spend less time on Domain 3 and more on Domain 5 (Risk Assessment) if you've never done a formal assessment. If you're a HIPAA specialist, spend less on Domain 2 and more on Domains 4 and 6. Honest self-assessment is critical.
Domain 3: Monitoring, Auditing, and Internal Reporting
Why This Domain Matters Most
Monitoring and auditing are the backbone of any effective compliance program. This domain has the most questions on the exam because it represents the ongoing, day-to-day work of verifying compliance with policies, identifying problems before they escalate, and reporting findings appropriately.
- Types of audits: Proactive vs. reactive, baseline audits, focused audits, claims audits, medical record reviews
- Audit planning: Risk-based audit selection, audit scope determination, resource allocation
- Audit methodologies: Random sampling, targeted sampling, statistical vs. judgmental sampling
- Sample size determination: Confidence levels, error rates, statistically valid samples
- Audit execution: Data collection, documentation standards, audit work papers
- Audit findings: Root cause analysis, identifying patterns vs. isolated incidents
- Audit reporting: Who receives reports, reporting timelines, escalation protocols
- Internal reporting systems: Hotlines, reporting mechanisms, anonymous reporting, non-retaliation policies
- Monitoring plans: Ongoing monitoring vs. periodic audits, key performance indicators
- Privilege considerations: Attorney-client privilege, work product protection, when to involve legal counsel
Common Question Types
Expect scenario-based questions like:
- "A compliance audit reveals a 15% error rate in a specific billing code. What should the compliance officer do FIRST?"
- "Which sampling methodology is most appropriate for a baseline audit of coding accuracy?"
- "An employee reports a compliance concern through the hotline. What is the BEST approach to handling this report?"
- "How should audit findings be documented to preserve attorney-client privilege?"
Focus on understanding WHY different audit approaches are used in different situations. Questions often present scenarios where multiple approaches could work—you need to identify the BEST approach based on the specific circumstances (e.g., baseline audit for new programs, focused audit for known problem areas).
Key Resources
- Compliance 101, Chapter on Monitoring and Auditing
- OIG Compliance Program Guidance: Element 4 (Effective Monitoring and Auditing)
- HCCA publications on audit sampling methodologies
Domain 4: Investigations and Remedial Measures
Why This Domain Is Critical
When compliance problems are identified—whether through audits, reports, or external sources—how the organization responds determines both legal liability and program effectiveness. This domain tests your understanding of investigation procedures, corrective actions, disclosure obligations, and remediation strategies.
- Investigation triggers: When to initiate investigations, preliminary assessments vs. full investigations
- Investigation process: Evidence gathering, witness interviews, documentation requirements
- Investigation team composition: When to involve legal, HR, external consultants
- Root cause analysis: Identifying underlying causes vs. symptoms, systemic vs. individual issues
- Corrective action plans (CAPs): Development, implementation, monitoring effectiveness
- Disclosure obligations: When to self-disclose, to whom, within what timeframes
- Voluntary self-disclosure protocols: OIG Self-Disclosure Protocol, DOJ Voluntary Self-Disclosure
- Repayment procedures: Overpayment identification, quantification, repayment timelines
- Disciplinary actions: Progressive discipline, termination decisions, documentation
- System improvements: Policy changes, training enhancements, process modifications
- Ongoing monitoring: Post-remediation audits, effectiveness measurement
Common Question Types
This domain features highly nuanced questions requiring judgment:
- "An employee reports potential upcoding. What should the compliance officer do FIRST?"
- "Investigation reveals systematic overbilling totaling $75,000. What is the BEST course of action?"
- "Which factor is MOST important when deciding whether to make a voluntary self-disclosure?"
- "A corrective action plan is implemented but similar violations continue. What should happen NEXT?"
Many candidates struggle with this domain because questions involve judgment calls about when to escalate, when to disclose, and what remedial measures are appropriate. Study the OIG Self-Disclosure Protocol requirements carefully—understanding the threshold for disclosure ($100,000+ potential damages) and the disclosure process is frequently tested.
Key Resources
- OIG Self-Disclosure Protocol (available on OIG.hhs.gov)
- DOJ Voluntary Self-Disclosure guidelines
- Compliance 101, Chapter on Investigations
- Federal Sentencing Guidelines Chapter 8 (credit for self-reporting)
Domain 1: Compliance Program Administration
Why This Domain Is Foundational
This domain tests your understanding of how compliance programs are structured, governed, resourced, and measured. It's built around the Seven Elements of an Effective Compliance Program from OIG guidance—the fundamental framework for all healthcare compliance programs.
- The Seven Elements of an Effective Compliance Program (CRITICAL):
  - Written policies and procedures
  - Compliance officer and compliance committee
  - Effective training and education
  - Effective lines of communication
  - Internal monitoring and auditing
  - Enforcement of standards through well-publicized disciplinary guidelines
  - Responding promptly to detected problems and undertaking corrective action
- Code of conduct: Development, distribution, acknowledgment, updates
- Policies and procedures: Creation, approval, distribution, training, updates
- Compliance officer role: Reporting structure, authority, independence, qualifications
- Compliance committee: Composition, responsibilities, meeting frequency, documentation
- Board oversight: Board responsibilities, reporting to board, governance
- Resource allocation: Budgeting for compliance, staffing decisions
- Program effectiveness: Measuring success, key performance indicators
- Response to government inquiries: Responding to audits, investigations, subpoenas
Common Question Types
- "What is the MOST important characteristic of an effective compliance officer?"
- "The compliance committee should meet at MINIMUM how frequently?"
- "Which reporting structure BEST ensures compliance officer independence?"
- "What should be included in an effective code of conduct?"
MEMORIZE the Seven Elements of an Effective Compliance Program verbatim. These appear in multiple questions throughout the exam, not just in Domain 1. Understanding each element's purpose and implementation is critical. The November 2023 update to the OIG General Compliance Program Guidance is the authoritative source—make sure you're studying the LATEST version.
Key Resources
- OIG General Compliance Program Guidance (November 2023) — ESSENTIAL
- Compliance 101, Chapters on Program Structure and Governance
- Federal Sentencing Guidelines Chapter 8 (organizational compliance programs)
Domain 2: Laws, Regulations, and Guidance
Why This Domain Requires Deep Study
This is the most legally technical domain, requiring detailed knowledge of multiple federal healthcare laws. While it represents "only" 14% of the exam, the complexity and detail required make it time-intensive to master.
- False Claims Act (FCA):
  - Prohibited conduct (knowingly submitting false claims)
  - Qui tam provisions (whistleblower lawsuits)
  - Penalties: Treble damages plus $13,946 - $27,894 per false claim (2024 amounts)
  - Scienter requirement ("knowing" and "reckless disregard")
- Anti-Kickback Statute (AKS):
  - Prohibited remuneration for referrals
  - Criminal statute (intent required)
  - Penalties: Up to $100,000 fine and 10 years imprisonment per violation
  - Safe harbors (statutory exceptions)
  - One purpose test vs. primary purpose test
- Stark Law (Physician Self-Referral Law):
  - Prohibited physician self-referrals for designated health services (DHS)
  - Strict liability (no intent required)
  - Civil penalties only
  - Exceptions (compensation arrangements, ownership interests)
  - Key difference from AKS: Stark is strict liability
- HIPAA Privacy and Security Rules:
  - Protected Health Information (PHI) requirements
  - Minimum necessary standard
  - Business associate agreements
  - Breach notification requirements
  - Patient rights (access, amendment, accounting)
  - Enforcement and penalties
- Civil Monetary Penalties Law (CMPL): Administrative penalties, scope
- Exclusion Statute: Mandatory vs. permissive exclusions, OIG exclusion authority
- Federal Sentencing Guidelines: Organizational liability, compliance program credit
- EMTALA: Emergency treatment and transfer requirements
Common Question Types
- "What is the key difference between Stark Law and the Anti-Kickback Statute?"
- "Under the False Claims Act, what is the penalty range per false claim?"
- "Which of the following is a safe harbor under the Anti-Kickback Statute?"
- "When must a HIPAA breach be reported to affected individuals?"
Create a comparison chart for Stark Law vs. Anti-Kickback Statute. This is one of the most frequently tested distinctions. Key differences: Stark is strict liability (no intent required), civil penalties only, limited to physician self-referrals for DHS. AKS requires intent, includes criminal penalties, applies broadly to all healthcare referrals. Many questions test whether you understand which law applies to a given scenario.
Key Resources
- OIG website sections on FCA, AKS, Stark Law
- CMS.gov for Stark Law exceptions
- HHS.gov for HIPAA requirements
- DOJ False Claims Act primer
- Compliance 101, Legal Framework chapters
Domain 5: Compliance Risk Assessment
Why This Domain Matters
Effective compliance programs are risk-based. Organizations can't monitor everything equally—they must identify and prioritize risks to allocate limited resources effectively. This domain tests your understanding of risk assessment methodologies and how to use assessment results.
- Risk assessment frameworks: Qualitative vs. quantitative approaches, hybrid models
- Risk identification: Environmental scanning, internal data analysis, industry trends
- Inherent risk vs. residual risk: Risk before controls vs. risk after controls
- Risk likelihood and impact: Probability assessment, severity evaluation
- Risk prioritization: Risk matrices, heat maps, scoring methodologies
- Emerging risks: New regulations, changing enforcement priorities, organizational changes
- Risk appetite and tolerance: Organizational risk acceptance levels
- Using risk assessment results: Work plan development, audit prioritization, resource allocation
- Frequency of assessments: Annual vs. continuous risk assessment
- Risk assessment documentation: Recording methodology, findings, decisions
Common Question Types
- "What is the FIRST step in conducting a compliance risk assessment?"
- "How should a compliance officer prioritize risks with high likelihood but low impact?"
- "How frequently should a comprehensive risk assessment be conducted?"
- "What is the difference between inherent risk and residual risk?"
Understand the complete risk assessment cycle: (1) Identify risks, (2) Assess likelihood and impact, (3) Prioritize risks, (4) Develop mitigation strategies, (5) Implement controls, (6) Monitor effectiveness, (7) Reassess periodically. Questions often test whether you understand how risk assessment informs other compliance activities (audit plans, training priorities, policy development).
Key Resources
- OIG Compliance Program Guidance (risk assessment sections)
- HCCA publications on risk assessment methodologies
- Compliance 101, Risk Assessment chapter
Domain 6: Training and Education
Why This Domain Still Matters
Training is one of the Seven Elements and represents a key defense against liability. If employees were properly trained on a policy they violated, organizational culpability is reduced. While this domain has fewer questions, they're relatively straightforward compared to other domains.
- Training design: Adult learning principles, effective delivery methods
- General compliance training: Annual requirements, content (Code of Conduct, reporting mechanisms, etc.)
- Role-specific training: Targeted training for high-risk positions
- New hire onboarding: Timing, content, acknowledgment
- Board and leadership training: Governance responsibilities, fiduciary duties
- Training delivery methods: In-person, online, hybrid, lunch-and-learns
- Training effectiveness: Measuring comprehension, post-training assessments, behavioral change
- Documentation: Attendance records, completion tracking, acknowledgments
- Training updates: When to provide refresher or updated training
Common Question Types
- "What is the MOST effective way to measure training effectiveness?"
- "When should new employees receive compliance training?"
- "Which employees require role-specific compliance training?"
- "How frequently should general compliance training be provided?"
Focus on the purpose of training (not just checking a box) and how to measure true effectiveness. Questions often distinguish between completion rates (weak metric) and behavioral change or comprehension testing (stronger metrics). Understand that training should be tailored to audience—Board training differs from frontline staff training.
Key Resources
- OIG Compliance Program Guidance: Element 3 (Training and Education)
- Compliance 101, Training chapter
- Adult learning theory basics
Domain 7: Screening and Registration
Why This Domain Is Straightforward
This is the smallest domain but contains non-negotiable, objective requirements. Healthcare organizations face severe penalties for employing or contracting with excluded individuals. The requirements are clear-cut, making this one of the more straightforward domains to master.
- OIG List of Excluded Individuals/Entities (LEIE): Checking requirements, access
- SAM.gov (System for Award Management): Federal exclusion database
- State Medicaid exclusion lists: Checking state-specific lists
- Screening frequency: Pre-employment, monthly ongoing, re-screening protocols
- Who must be screened: Employees, contractors, vendors, board members
- What to do when a match is found: Verification, termination/non-hire procedures
- Documentation requirements: Record retention, screening logs
- Penalties for non-compliance: Severe consequences for employing excluded individuals
Common Question Types
- "How frequently should the OIG LEIE be checked for existing employees?"
- "Which database must be checked for federal contract exclusions?"
- "What should be done if an employee appears on the OIG exclusion list?"
- "Who must be screened against exclusion lists?"
This domain is mostly factual. Key facts to memorize: (1) Monthly screening is industry best practice, (2) Both OIG LEIE and SAM.gov must be checked, (3) State Medicaid lists also apply if you participate in Medicaid, (4) All workforce members must be screened (employees, contractors, vendors, volunteers), (5) Immediate action required upon discovering an excluded individual. Don't overthink these questions—they're typically the most straightforward on the exam.
Key Resources
- OIG.hhs.gov LEIE database
- SAM.gov exclusion information
- OIG Special Advisory Bulletin on Exclusions
- Compliance 101, Screening chapter
Strategic Study Approach: Putting It All Together
Now that you understand what's tested in each domain, here's how to approach your preparation strategically:
Week-by-Week Study Plan (8 Weeks)
| Week | Focus Domains | Activities |
|---|---|---|
| 1-2 | Foundation Building | Read Compliance 101, OIG General Guidance, understand Seven Elements |
| 3 | Domain 3 + Domain 1 | Study monitoring/auditing and program administration; 50+ practice questions |
| 4 | Domain 4 + Domain 2 | Study investigations and laws/regulations; 50+ practice questions |
| 5 | Domain 5 + Domains 6-7 | Study risk assessment, training, screening; 40+ practice questions |
| 6 | Full Practice Exam | Take 120-question practice exam under timed conditions; analyze results |
| 7 | Targeted Review | Focus on domains where you scored <70%; additional practice questions |
| 8 | Final Review | Second practice exam; review Seven Elements; focus on weak topics |
Final Study Priorities
- The Seven Elements of an Effective Compliance Program (verbatim)
- Stark Law vs. Anti-Kickback Statute key differences
- False Claims Act penalties and qui tam provisions
- OIG exclusion screening requirements (monthly, all workforce members)
- When to self-disclose (OIG Self-Disclosure Protocol thresholds)
- Types of audits and when each is appropriate
- HIPAA breach notification requirements
The CHC exam tests breadth of knowledge across all seven domains. You cannot afford to completely skip any domain—even the smallest (Domain 7 with 6 questions) represents 6% of your score. However, you can strategically allocate more time to high-weight, high-difficulty domains (3, 4, 1) and less time to low-weight, straightforward domains (6, 7).
Most importantly: understand concepts, don't just memorize facts. The exam tests your ability to apply compliance principles to realistic scenarios. You must be able to identify the BEST course of action among multiple plausible options—that requires deep understanding, not surface-level knowledge.