- Why 90 Days Is the Right Window for CPCO Prep
- Know What You're Actually Being Tested On
- Phase One (Days 1-30): Foundation Domains
- Phase Two (Days 31-60): Regulatory Core
- Phase Three (Days 61-90): Integration and Exam Readiness
- Matching Study Methods to CPCO Domain Types
- Where Candidates Lose the Most Ground
- Building Your Practice Question Cadence
- Frequently Asked Questions
- The CPCO covers nine distinct domains - your 90-day plan must allocate time proportionally across all of them, not just Fraud and Abuse.
- Domains 5 and 6 (Key Risk Areas and Fraud and Abuse Laws) demand the most applied, scenario-based study due to their legal complexity.
- Phase One should lock in OIG Compliance Program Guidance for Physicians before you ever touch hospital-level supplemental guidance.
- Daily practice questions starting in Week 3 - not Week 10 - is the strategy that separates prepared candidates from those who cram.
Why 90 Days Is the Right Window for CPCO Prep
The Certified Professional Compliance Officer (CPCO) credential is issued by the American Academy of Professional Coders (AAPC) and is one of the most respected compliance certifications in healthcare. Unlike certifications that test a single specialty, the CPCO spans nine content domains - ranging from the historical foundations of healthcare compliance programs all the way through federal fraud statutes, OIG guidance documents, and live audit methodologies. That breadth requires a structured runway.
Ninety days gives you enough calendar space to move through all nine domains deliberately, layer in practice questions from the start, revisit weak areas in your final month, and arrive at exam day with confidence rather than last-minute panic. Less than 60 days is technically possible for someone already working in compliance full-time, but for most candidates it leaves the later domains - particularly Domain 7 (Other Laws and Regulations) and Domain 8 (Investigations Process/Audits) - dangerously under-prepared.
If you haven't yet confirmed you're eligible to sit for the exam, pause here and check the CPCO Exam Eligibility Requirements 2026: Who Can Apply before investing in a full study schedule.
Know What You're Actually Being Tested On
Before you block off a single calendar day, you need an honest inventory of what the CPCO exam covers. Many candidates underestimate how heavily the exam leans on specific OIG guidance documents - not just general compliance awareness. Here are all nine domains with the study emphasis each one demands:
Domain 1: Healthcare Compliance Program History
This domain establishes why compliance programs exist in their current form. Candidates must understand the legislative and regulatory milestones that shaped modern healthcare compliance, including the role of the OIG and the evolution of Corporate Integrity Agreements.
- Origins of the Seven Elements of an Effective Compliance Program
- Timeline of major OIG enforcement actions and their policy effects
- Connection between False Claims Act history and today's compliance obligations
Domain 2: OIG Compliance Program Guidance - Physicians and Small Group Practices
This is the first of several OIG-specific domains and one of the most heavily tested. Candidates must know the OIG's published guidance for physician practices in granular detail - not just that such guidance exists, but what it specifically recommends, why, and how it applies in practice scenarios.
- OIG's seven elements applied to physician office settings
- Risk areas specific to small practices: coding accuracy, documentation, billing for services not rendered
- Employee training obligations and internal audit recommendations
Domain 3: Compliance Program Guidance - Third-Party Billing Companies and Clinical Laboratories
Third-party billers and labs face unique compliance pressures around upcoding, unbundling, and referral arrangements. This domain tests whether candidates can apply OIG guidance in non-physician organizational contexts.
- Billing company obligations under OIG guidance
- Laboratory-specific risk areas including test ordering patterns and medical necessity
- Contractual compliance requirements between labs and referring providers
Domain 4: OIG Supplemental Compliance Program Guidance for Hospitals
The hospital supplemental guidance is significantly more complex than the physician guidance due to the scale and variety of hospital operations. Expect scenario-based questions about governance structures, physician relationships, and hospital-specific billing risk.
- Hospital-specific risk areas: DRG coding, outlier payments, teaching physician rules
- Governance and board compliance oversight responsibilities
- Emergency department compliance and EMTALA intersections
Domain 5: Key and Other Risk Areas
This domain requires broad applied knowledge across the entire compliance landscape. Questions frequently present workplace scenarios and ask candidates to identify the specific risk type, the governing rule, and the appropriate compliance response.
- Physician self-referral patterns and Stark Law triggers
- Reimbursement risk areas across multiple payer types
- Medicare and Medicaid exclusion risks and reporting obligations
Domain 6: Fraud and Abuse Laws
Candidates must know the substantive elements of federal fraud and abuse statutes - not just their names. This means understanding the specific intent standards, safe harbors, exceptions, and enforcement mechanisms for each law.
- False Claims Act: qui tam provisions, reverse false claims, civil monetary penalties
- Anti-Kickback Statute: statutory exceptions vs. regulatory safe harbors
- Stark Law: ownership exceptions, compensation arrangement exceptions
- Exclusion authorities and mandatory vs. permissive exclusions
Domains 7, 8, and 9
Domain 7 covers HIPAA, HITECH, the Affordable Care Act's compliance implications, and other intersecting regulations. Domain 8 addresses internal investigations, audit methodologies, corrective action plans, and voluntary disclosure protocols. Domain 9 covers key compliance references - the primary OIG documents, CMS guidance, and authoritative resources that a compliance officer must know and use.
- HIPAA Privacy and Security Rule applicability in a compliance program context
- Difference between compliance audits and compliance investigations
- OIG Self-Disclosure Protocol mechanics and timing requirements
- How to use OIG Work Plans and advisory opinions as ongoing compliance tools
Phase One (Days 1-30): Foundation Domains
Your first month is entirely about building the conceptual scaffolding that everything else will hang on. Rushing through Domains 1 through 3 to get to the "more important" fraud laws is one of the most common mistakes CPCO candidates make. The history domain tells you why the laws exist. The physician and billing company guidance domains show you how those laws translate into operational practice. Without that foundation, the statute-heavy content in Phase Two will feel abstract and disconnected.
Domain 1 - Healthcare Compliance History
- Read and annotate primary OIG materials on the seven elements
- Map the legislative timeline from the False Claims Act to modern enforcement
- Begin a personal glossary of compliance terms you'll encounter repeatedly
Domain 2 - OIG Guidance for Physicians and Small Group Practices
- Read the full OIG Compliance Program Guidance for Individual and Small Group Physician Practices document
- Create a summary chart: each of the seven elements applied to a physician office context
- Identify three common physician billing risk areas and note how OIG guidance addresses each
Domain 3 - Third-Party Billing and Clinical Laboratories
- Study OIG guidance specific to third-party medical billing companies
- Compare billing company obligations to physician practice obligations - note the differences
- Begin daily practice questions (10 per day) across Domains 1-3
Domain 4 - OIG Supplemental Hospital Guidance + Phase One Review
- Read the OIG Supplemental Compliance Program Guidance for Hospitals
- Focus specifically on hospital-specific risk areas not present in physician guidance
- Complete a 40-question timed practice block covering all four Phase One domains
- Flag every question you guessed on or got wrong - these become your Week 13 review list
Phase Two (Days 31-60): Regulatory Core
Phase Two is the heaviest cognitive lift in your entire 90-day plan. Domains 5, 6, and 7 require you to move from understanding OIG guidance documents to understanding federal law - and the distinction matters enormously on exam day. The CPCO asks you to apply these laws to real-world scenarios, not just recite their names and elements.
Spend at least ten days on Domain 6 alone. The False Claims Act, Anti-Kickback Statute, and Stark Law are not interchangeable. Candidates who conflate their intent standards, their safe harbor structures, or their enforcement mechanisms under exam pressure will answer scenario questions incorrectly even when they think they know the material. Build out a detailed comparison table as you study:
| Law | Type | Intent Required | Key Safe Harbors / Exceptions | Primary Enforcement Body |
|---|---|---|---|---|
| False Claims Act | Civil / Criminal | Knowing (knowingly, reckless disregard, deliberate ignorance) | No formal safe harbors; voluntary disclosure reduces exposure | DOJ, OIG, qui tam relators |
| Anti-Kickback Statute | Criminal | One purpose test: willful intent to induce or reward referrals | Regulatory safe harbors (e.g., personal services, employment, space rental) | OIG, DOJ |
| Stark Law (Physician Self-Referral) | Civil (strict liability) | None required - strict liability statute | Statutory exceptions (in-office ancillary, group practice); compensation exceptions | CMS, OIG |
| Civil Monetary Penalties Law | Civil | Knowing presentation of false claims | No safe harbors; OIG has broad authority | OIG |
Phase Three (Days 61-90): Integration and Exam Readiness
Your final 30 days shift the goal from learning to integrating. You should not be encountering genuinely new concepts in Phase Three - you should be stress-testing your existing knowledge against exam-style questions and identifying the gaps that Phase Two left behind.
Domain 8 - Investigations, Audits, and Corrective Action
- Study the difference between a compliance audit and a compliance investigation - examinees frequently confuse these
- Review OIG Self-Disclosure Protocol, including when it applies and what it requires
- Understand corrective action plan components and documentation obligations
- Domain 9: Know your primary reference sources - OIG Work Plans, advisory opinions, CMS manuals
Full-Length Timed Practice Exam #1
- Complete a full-length timed practice exam at CPCO Exam Prep under realistic conditions
- Score by domain - map your weak areas before Week 12
- Do not review answers immediately; wait 24 hours to simulate real post-exam reflection
Targeted Weak-Domain Review
- Spend at least three days re-reading primary OIG source documents for your two lowest-scoring domains
- Redo only the questions you got wrong in your Week 11 practice exam
- Write out explanations for each incorrect answer in your own words
Full-Length Practice Exam #2 + Final Review
- Complete a second full-length timed practice exam
- Review your personal glossary and comparison tables from Phases One and Two
- No new material - consolidation only
- Rest adequately before exam day; compliance fatigue is real
Matching Study Methods to CPCO Domain Types
Not all nine CPCO domains benefit from the same study approach, and using a single method across all of them is inefficient. Here is a brief, domain-specific application of study techniques:
For document-heavy domains (Domains 2, 3, 4, 9): Active reading with annotation is most effective. The OIG guidance documents are the primary source material - read them, annotate them, and summarize each section in your own words. The Feynman technique (explaining a concept as if teaching it to someone unfamiliar with healthcare) works exceptionally well here because it exposes gaps in your understanding of how the seven elements apply differently across organizational types.
For statute-heavy domains (Domains 6 and 7): Spaced repetition using flashcards - whether physical or digital - works best for memorizing the elements of each law, its safe harbors, and its enforcement mechanisms. Build your cards during Phase Two and review them daily in Phase Three.
For scenario-based domains (Domains 5 and 8): Practice questions are the primary study tool. There is no substitute for repeatedly working through fact patterns and identifying which law applies, which safe harbor might or might not protect the arrangement, and what the compliance officer's correct next step would be. Access our full question bank at CPCO Exam Prep and filter by these domains specifically.
Key Takeaway
The biggest scheduling mistake is spending equal time on every domain. Domains 5 and 6 are scenario-heavy and legally dense - they demand roughly twice the daily study time of Domain 1. Build your calendar accordingly, and don't let the relative brevity of the history domain fool you into thinking it's low stakes. It provides the "why" behind everything else on the exam.
Where Candidates Lose the Most Ground
After working through this schedule, several consistent trouble spots emerge for CPCO candidates preparing in 2026:
- Treating OIG guidance as optional background reading. The CPCO is explicitly built around OIG Compliance Program Guidance documents. If you skim them and rely only on secondary summaries, you will encounter questions where the nuance of the original document is exactly what's being tested.
- Conflating the Anti-Kickback Statute and Stark Law. These two laws are frequently discussed together in compliance settings, but they have fundamentally different intent standards, different safe harbor/exception structures, and different enforcement pathways. The exam will test this distinction directly.
- Skipping Domain 8 because it "sounds familiar." Most compliance professionals have participated in audits, but the CPCO tests the formal framework of an investigations process - including when to escalate to legal, when to self-disclose, and what documentation a corrective action plan must contain. Familiarity with audits in practice does not equal exam readiness on this domain.
- Saving practice questions for the final two weeks. Practice questions are diagnostic tools. Starting them in Week 3 means you have ten weeks to identify and correct knowledge gaps. Starting them in Week 11 means you have two weeks - which is not enough time to meaningfully change your outcome.
Building Your Practice Question Cadence
The CPCO exam format involves multiple-choice questions that frequently present clinical or operational scenarios requiring you to apply specific compliance knowledge - not just recall definitions. This means your practice question strategy must emphasize explanation review, not just answer checking.
A productive daily cadence looks like this: answer 10-15 questions per day starting in Week 3, review every explanation regardless of whether you answered correctly, and keep a running log of the domain and sub-topic associated with every question you got wrong. By Week 11, that log becomes your personalized study guide for Phase Three targeted review.
Use the CPCO Exam Prep practice test platform to access domain-filtered question sets. Practicing against Domain 5 and Domain 6 questions specifically - rather than always taking mixed-domain tests - helps you identify whether your weakness is with a specific law, a specific setting, or a specific type of scenario.
For a complete overview of who this certification is designed for and what credentials you need to sit for it, the CPCO Exam Eligibility Requirements 2026: Who Can Apply article covers that ground in full.
Frequently Asked Questions
Not equally. Domains 5 (Key Risk Areas) and 6 (Fraud and Abuse Laws) are the most content-dense and scenario-driven - plan to spend more daily hours on those than on Domain 1 or Domain 9. Use the 90-day phased schedule above to guide your allocation, and let your practice question scores tell you where to double down in Phase Three.
Some candidates with extensive compliance experience do prepare in 60 days. However, working in compliance does not guarantee deep familiarity with all nine exam domains - particularly the OIG guidance documents for settings outside your current role. If you're shortening the timeline, be especially deliberate about studying the domains that don't overlap with your daily job functions.
Both. You need to know the substance of what each OIG guidance document recommends, but you also need to know which document governs which entity type (physician practice vs. hospital vs. billing company). Domain 9 specifically covers References and Resources, which means knowing the primary compliance documents by name and purpose is itself exam content.
Your first full-length timed practice exam should happen around Day 70-75 - early enough in Phase Three that you have time to act on the results. A second full-length exam in the final week before your scheduled exam date serves as your final calibration. Avoid taking full-length timed exams before Day 60; your knowledge base won't be complete enough for the results to be useful diagnostically.
Domain 8 (Investigations Process/Audits) is frequently under-studied because compliance professionals assume their real-world audit experience covers it. The exam tests the formal compliance investigation framework - including self-disclosure protocols, corrective action plan requirements, and the distinction between an audit and an investigation - in ways that day-to-day work experience doesn't always address. Give it dedicated study time in Phase Three.
Ready to Start Practicing?
Your 90-day CPCO study plan is only as strong as the practice questions backing it up. Test your knowledge across all nine exam domains - including Fraud and Abuse Laws, OIG Compliance Guidance, and Investigations Process - with our full-length CPCO practice exams built specifically for 2026 candidates.
Start Free Practice Test