CPCO logo
Focused certification exam prep
Start practice
Home / Study Resources / Domain Deep Dives / CPCO Domain 9: References and Resources Complete

CPCO Domain 9: References and Resources Complete Study Guide

Updated 11 min read CPCO Exam Prep
Table of Contents
TL;DR
  • Domain 9 tests your ability to locate, apply, and distinguish among official compliance references - not just recall facts.
  • OIG advisory opinions, work plan updates, and compliance program guidances are primary source documents CPCO candidates must navigate fluently.
  • Federal Register entries and CMS transmittals appear as scenario-based question sources across multiple CPCO domains, not only Domain 9.
  • Professional organizations like HCCA and AHA publish resources the CPCO exam treats as authoritative secondary references.

What Domain 9 Actually Tests

Most candidates reach Domain 9 - References and Resources - and assume it will be a light finish to their studies. That assumption has derailed more than a few exam attempts. Domain 9 is not a bibliography. It is a test of applied research literacy: can you identify the correct authoritative source for a given compliance question, understand what that source requires, and distinguish it from similarly named but legally distinct documents?

The CPCO exam is administered by the American Academy of Professional Coders (AAPC), and the credential is built specifically for healthcare compliance officers, compliance managers, and billing professionals who need a rigorous, legally grounded credential. Domain 9 reflects the real-world expectation that a compliance officer doesn't just know the rules - they know where the rules live, who publishes them, and how to use them when a policy question lands on their desk.

Questions in this domain test whether candidates can match a compliance scenario to the appropriate reference, understand the hierarchy of federal guidance documents, and apply resources the way a working compliance professional would. Expect scenario-based questions where the wrong answer looks correct because it names a real document - just not the right one for the situation described.

Domain 9 in Context: References and Resources is the final domain in the CPCO blueprint, but it draws on material from all eight preceding domains. A candidate who hasn't mastered Domains 1 through 8 will find Domain 9 questions especially difficult, because identifying the right resource requires understanding what that resource actually governs.

Core Reference Categories You Must Know

Domain 9 organizes compliance references into several broad categories. A candidate who approaches this domain by memorizing a list of document titles will struggle. Instead, think in terms of categories and their functions.

Federal Statutes and Regulations

These are the highest-authority sources in the compliance landscape. The False Claims Act, Anti-Kickback Statute, Stark Law, HIPAA, and EMTALA all originate here. For CPCO purposes, candidates must know not just what these laws say (covered heavily in CPCO Domain 8: Investigations Process and Audits Study Guide for the enforcement side) but which federal body publishes implementing regulations and where those regulations appear in the Code of Federal Regulations (CFR).

OIG Guidance Documents

The Office of Inspector General publishes a family of compliance-related documents that are heavily represented across the entire CPCO exam blueprint. Candidates must distinguish among:

  • Compliance Program Guidances (CPGs) - sector-specific frameworks published in the Federal Register
  • Advisory Opinions - binding only to the requesting party, not general law
  • Special Fraud Alerts - targeted warnings about emerging arrangements
  • OIG Work Plans - annual and ongoing documents identifying current audit priorities
  • Corporate Integrity Agreements (CIAs) - enforceable agreements following OIG settlements

CMS Publications and Transmittals

The Centers for Medicare & Medicaid Services is a separate federal body from the OIG. Candidates frequently confuse CMS guidance with OIG guidance. CMS publishes the Medicare Benefit Policy Manual, the Internet-Only Manuals (IOMs), and program transmittals that update billing and coverage rules. These are administrative tools, not enforcement documents - an important distinction the CPCO exam exploits in distractors.

Professional Association Resources

The Health Care Compliance Association (HCCA), the American Health Lawyers Association (AHLA), the American Hospital Association (AHA), and AAPC itself all publish resources that a compliance officer would routinely use. The CPCO exam recognizes these as authoritative secondary references that help translate federal requirements into operational practice.

Domain 9: References and Resources - Core Competency Areas

Candidates must demonstrate fluency with each of the following resource types:

  • OIG Compliance Program Guidances and which healthcare sectors they address
  • Distinction between advisory opinions, special fraud alerts, and work plan items
  • CMS Internet-Only Manuals and their organizational structure
  • Federal Register as the primary publication venue for final rules and program guidances
  • HCCA, AHA, and AHLA as recognized secondary compliance resources
  • Corporate Integrity Agreements and their role as post-settlement compliance frameworks
  • DOJ and FBI resources relevant to healthcare fraud investigations

OIG Resources: The Backbone of CPCO Reference Knowledge

The OIG is the single most important publisher in the CPCO exam universe. Domains 2, 3, and 4 are built almost entirely on OIG compliance program guidances for specific sectors - physicians and small group practices, third-party billing companies and clinical laboratories, and hospitals respectively. Domain 9 asks you to step back and understand that system as a whole.

Advisory Opinions

Advisory opinions are formal written responses from the OIG to a specific party asking whether a proposed arrangement would violate the Anti-Kickback Statute. They are legally binding only to the requesting party. For CPCO purposes, candidates must understand that advisory opinions cannot be cited as precedent by other organizations - but compliance officers do use them to assess risk in analogous situations. The exam will test this nuance.

Special Fraud Alerts

Special Fraud Alerts are published when the OIG identifies a particular practice or arrangement that poses significant fraud and abuse risk. Historic alerts have addressed issues including physician recruitment arrangements, joint venture structures, and home health agency practices. Candidates should be familiar with the most significant alerts and understand that they signal elevated enforcement risk in specific areas.

The OIG Work Plan

The OIG Work Plan has evolved from an annual document into a continuously updated online resource. It identifies the specific audit and review activities the OIG is actively pursuing. For a practicing compliance officer - and for the CPCO exam - the Work Plan is one of the first places to look when assessing current risk exposure. Candidates should understand its structure and how to interpret an active work plan item.

OIG vs. CMS - Know the Difference: The OIG enforces fraud and abuse laws and publishes compliance guidance. CMS administers Medicare and Medicaid and publishes billing, coverage, and enrollment rules. Many CPCO exam distractors hinge on candidates misattributing a document to the wrong agency. When a question involves enforcement authority or compliance program structure, the answer almost always points to an OIG source.

Federal Register, CMS, and Regulatory Sources

The Federal Register is the official daily journal of the U.S. federal government and the publication venue for proposed rules, final rules, and formal guidance documents including OIG compliance program guidances. CPCO candidates must understand how the Federal Register relates to the Code of Federal Regulations: the Federal Register is where rules are published, and the CFR is where they are codified.

CMS publishes a large volume of operational materials that compliance officers must navigate. The most important for CPCO purposes include:

  • Medicare Benefit Policy Manual - defines covered services and documentation requirements
  • Medicare Claims Processing Manual - billing and coding procedures
  • Program Transmittals - updates to policies, effective on specified dates
  • Medicare Learning Network (MLN) materials - educational resources that summarize policy changes

Understanding that MLN materials are educational summaries - not the authoritative policy source themselves - is a common exam distinction. When policy accuracy matters, the underlying manual or transmittal governs, not the MLN article.

Candidates who want to test their ability to apply these distinctions in timed conditions should work through CPCO practice tests that simulate the scenario-based format the actual exam uses.

Professional Organizations and Their Roles

Several professional organizations are referenced throughout the CPCO exam as publishers of standards, best practices, and compliance tools.

HCCA - Health Care Compliance Association

HCCA is the primary professional association for healthcare compliance officers. Its publications, including the Compliance Today journal and formal practice guidance documents, are recognized as authoritative secondary resources. HCCA also offers the CHC (Certified in Healthcare Compliance) credential, which sometimes creates confusion with the CPCO - candidates should understand these are different credentials from different organizations, each with its own scope.

American Health Lawyers Association (AHLA)

AHLA publishes legal analyses and practice tools relevant to healthcare compliance, particularly in areas where law and operations intersect. Its resources are commonly referenced in advanced compliance work and may appear as named resources in CPCO exam scenarios.

American Hospital Association (AHA)

The AHA publishes guidance and advocacy materials specific to hospital compliance and regulatory affairs. Given that Domain 4 of the CPCO covers OIG supplemental compliance program guidance for hospitals, the AHA's related resources are relevant context for Domain 9.

AAPC and CPT Resources

Since the CPCO is an AAPC credential, candidates should recognize AAPC's own publications - including the Healthcare Business Monthly - as part of the broader resource ecosystem. The AMA's CPT code set and its associated guidelines also constitute authoritative references for coding-related compliance questions.

Key Takeaway

Professional association resources are secondary authorities - they interpret and operationalize federal requirements, but they do not override them. On the CPCO exam, when a federal statute or OIG guidance conflicts with an association recommendation, the federal source governs.

How Domain 9 Connects to Every Other Domain

Understanding Domain 9 as an isolated topic is a strategic mistake. The reference literacy it tests is embedded throughout the entire exam. Consider how each domain maps to specific authoritative resources:

CPCO Domain Primary Reference Sources Domain 9 Connection
Domain 1: Healthcare Compliance Program History Sentencing Guidelines, early OIG CPGs Historical Federal Register publications; foundational OIG documents
Domain 2: OIG CPG for Physicians and Small Groups OIG Compliance Program Guidance (physicians) Knowing where to locate the specific CPG and its Federal Register citation
Domain 3: CPG for Third-Party Billing and Labs OIG CPGs for billing companies and clinical labs Distinguishing between two separate guidance documents for two distinct sectors
Domain 4: OIG Supplemental CPG for Hospitals OIG Supplemental Compliance Program Guidance Understanding "supplemental" as a formal OIG document type
Domain 5: Key and Other Risk Areas OIG Work Plan, Special Fraud Alerts, RAC audit findings Identifying which OIG resource flags specific risk areas
Domain 6: Fraud and Abuse Laws 42 U.S.C. statutes, CFR regulations, DOJ resources Locating statutory text vs. implementing regulations vs. OIG guidance
Domain 7: Other Laws and Regulations HIPAA, EMTALA, Stark Law regulatory sources Distinguishing CMS-administered from OIG-enforced regulatory bodies
Domain 8: Investigations Process and Audits DOJ guidance, RAC/MAC resources, CIA templates Understanding CIAs as post-settlement OIG documents

This cross-domain integration is why the CPCO Domain 8: Investigations Process and Audits Study Guide recommends reviewing Domain 9 reference materials before attempting Domain 8 practice questions - the two domains are deeply intertwined through enforcement documents and post-investigation compliance requirements.

Structuring Your Domain 9 Study Plan

Domain 9 is most effectively studied in two phases: a reference mapping phase and an application practice phase. The first phase is conceptual; the second is exam-simulated.

Phase 1

Reference Mapping (Days 1-3)

  • Create a one-page matrix of resource types: federal statutes, OIG documents, CMS manuals, and professional association publications
  • For each OIG document type (advisory opinion, special fraud alert, CPG, work plan item, CIA), write one sentence defining its authority level and audience
  • Revisit the Federal Register citations introduced in Domains 2, 3, and 4 - locate the actual document categories, not just the topic summaries
  • Review the CMS Internet-Only Manual structure to understand how manuals are numbered and updated
Phase 2

Application Practice (Days 4-7)

  • Complete Domain 9-focused practice questions on CPCO practice tests with strict time limits to simulate exam pacing
  • For every question answered incorrectly, identify not just the correct answer but the specific document type it represents
  • Practice distinguishing OIG from CMS sources in mixed scenario sets - these are the highest-frequency distractor combinations in this domain
  • Review any Domain 5 risk area questions you missed during earlier study and identify which reference document would be the correct source for that risk

Spaced repetition works well for the document taxonomy in Domain 9. Use flashcards to drill OIG document types during the days between full practice sessions. Anchor each card to a real-world compliance scenario - for example, "A hospital wants to know if its proposed physician compensation arrangement violates the AKS. What document type should they request from the OIG?" (Answer: an advisory opinion.) This scenario-anchored drilling is far more effective than memorizing definitions in isolation.

Who Hires CPCO-Credentialed Professionals: Healthcare compliance officers, hospital compliance departments, physician group practices, third-party billing companies, and healthcare law firms all seek CPCO-credentialed candidates. Employers in these settings expect compliance staff to navigate OIG and CMS resources independently - exactly what Domain 9 tests. Your mastery of references and resources signals operational readiness, not just exam readiness.

Frequently Asked Questions

How many questions does Domain 9 represent on the CPCO exam?

The CPCO exam blueprint distributes questions across all nine domains, but the exact breakdown per domain is not publicly specified at the per-domain level. Domain 9 questions appear throughout scenario-based sections and often overlap with earlier domains because reference knowledge is embedded in how questions about other topics are framed. Treat Domain 9 as a horizontal competency, not an isolated section.

What is the difference between an OIG advisory opinion and a special fraud alert?

An advisory opinion is issued in response to a specific party's written request about a specific proposed arrangement. It is binding only on the requesting party. A special fraud alert is proactively published by the OIG to warn the industry about a category of practices the OIG considers high-risk under the Anti-Kickback Statute or other fraud and abuse laws. Special fraud alerts are not binding legal determinations, but they signal where enforcement attention is concentrated.

Are CMS Internet-Only Manuals the authoritative source for billing compliance?

The IOMs are CMS's primary administrative reference for Medicare program requirements, but final authority rests with the underlying statute and regulation. When a program transmittal updates an IOM chapter, the transmittal governs until the IOM is updated. For CPCO exam purposes, understand that IOMs are policy references, not enforcement documents - enforcement authority belongs to the OIG and DOJ.

Does the CPCO exam expect candidates to memorize specific CFR citations?

The exam tests conceptual fluency with regulatory sources more than verbatim citation recall. You should know, for example, that HIPAA privacy regulations appear in 45 CFR Parts 160 and 164, and that Anti-Kickback Statute safe harbors are codified at 42 CFR Part 1001 - but the exam is more likely to test whether you can identify the correct regulatory body or document type than ask you to recall an exact section number.

How does the CPCO Domain 9: References and Resources Complete Study Guide differ from studying individual domain content?

Individual domain study builds subject matter knowledge - the rules, requirements, and frameworks within each area. Domain 9 study builds navigational literacy - knowing which document contains which type of authority and how a compliance officer would locate and apply that document in practice. The two types of knowledge reinforce each other: the deeper your domain content knowledge, the more meaningful your Domain 9 reference mapping becomes.

Ready to Start Practicing?

Domain 9 questions reward candidates who have practiced navigating compliance scenarios under realistic exam conditions. Our CPCO practice tests are built around the same scenario-based format as the actual exam, with questions spanning all nine domains - including References and Resources. Start a free practice session today and find out exactly where your knowledge gaps are before exam day.

Start Free Practice Test
Continue reading:

Ready to pass your CPCO exam?

Put this into practice with free CPCO questions across every exam domain.