CHC Exam Subject Areas: What the Healthcare Compliance Certification Tests

The Certified in Healthcare Compliance (CHC) examination tests knowledge across four primary domains that define the field of healthcare compliance: Compliance Program Development and Management, the Healthcare Regulatory Environment, Privacy and Security of Health Information, and Clinical Practice and Healthcare Operations. Understanding the subject knowledge required across each domain — and the specific topics, regulations, and frameworks tested within them — is the foundation of effective CHC exam preparation.
The CHC certification is awarded by the Compliance Certification Board (CCB), a body affiliated with the Health Care Compliance Association (HCCA). The credential signals that the holder possesses a comprehensive understanding of healthcare compliance principles, regulations, and best practices at a professional level. Healthcare compliance professionals who hold the CHC credential work in hospitals, health systems, physician practices, health insurers, medical device companies, pharmaceutical firms, and other healthcare-related organisations where regulatory compliance is a critical operational function. The credential is widely recognised in healthcare administration as the benchmark credential for compliance professionals.
The CHC exam consists of 100 scored questions delivered in a 2.5-hour window at a Pearson VUE testing centre or via online proctoring. All questions are multiple-choice with four response options. The exam uses scaled scoring — the passing score is 500 on a 200-800 scale. Raw scores are converted to scaled scores to account for slight difficulty variations between exam forms.
Candidates who do not pass on their first attempt may retake the exam, though there are limitations on the number of retakes within a 12-month period. The CCB publishes its examination blueprint, which specifies the percentage of exam questions allocated to each domain — candidates should consult the current blueprint from the CCB website to confirm the exact domain weightings for the current exam form.
Eligibility requirements for the CHC exam include a combination of education and experience in compliance. The most common eligibility pathway requires a combination of compliance work experience and compliance education contact hours.
The CCB has published specific eligibility tiers based on degree level and experience — candidates with a bachelor's degree or higher, combined with a minimum number of years working in a healthcare compliance-related role and a minimum number of CCB-approved compliance education hours, meet the standard eligibility requirements. Candidates who are less certain about their eligibility should review the current CCB eligibility criteria directly from the CCB website, as requirements can change between exam cycles.
The subject knowledge tested by the CHC exam draws from a broad base of healthcare law, regulation, and compliance practice that spans federal programs (Medicare, Medicaid), HIPAA privacy and security rules, clinical quality and patient safety, billing and coding compliance, research compliance, government enforcement mechanisms, and organisational compliance program design. No single textbook covers all CHC exam content comprehensively, which is why most candidates use a combination of the HCCA's CHC study guides, the HCCA Compliance Institute training materials, and supplemental resources from the Office of Inspector General (OIG) and Centers for Medicare and Medicaid Services (CMS).
The seven elements of an effective compliance program — as defined by OIG guidance — appear across multiple CHC exam questions in various formats. Memorise them: (1) compliance policies and procedures, (2) compliance oversight (officer and committee), (3) training and education, (4) effective lines of communication, (5) internal monitoring and auditing, (6) enforcement of standards, (7) prompt response to detected offences. These elements are the structural backbone of compliance program questions in Domain 1.
The Office of Inspector General (OIG) publishes extensive compliance guidance that directly informs CHC exam content. OIG compliance program guidance documents — published for hospitals, physician practices, nursing facilities, pharmaceutical companies, and other healthcare organisations — define what effective compliance programs look like in practice and are directly reflected in CHC exam questions about compliance program development and management.
The seven elements of an effective compliance program, as described in OIG guidance, are a foundational subject area that appears consistently in CHC examination questions: compliance policies and procedures, compliance oversight by a designated compliance officer and committee, training and education, effective lines of communication, internal monitoring and auditing, enforcement of standards, and prompt response to detected offences.
Federal healthcare fraud and abuse laws are another foundational knowledge area for the CHC exam. The False Claims Act (FCA), the Anti-Kickback Statute (AKS), the Stark Law (physician self-referral law), and the Exclusion Authorities enforced by OIG are all subject areas tested on the CHC examination. Understanding how each statute works, what conduct it prohibits, the penalties for violations, and the safe harbours and exceptions that apply is essential.
The False Claims Act in particular — which creates liability for knowingly submitting false claims to federal healthcare programs and provides for qui tam whistleblower suits and civil monetary penalties — is heavily tested because it is the primary enforcement tool in federal healthcare fraud and abuse cases.
HIPAA privacy and security compliance is the third major content cluster within the CHC exam.
The Health Insurance Portability and Accountability Act Privacy Rule governs the use and disclosure of protected health information (PHI); the Security Rule governs the administrative, physical, and technical safeguards that covered entities and business associates must implement to protect electronic protected health information (ePHI). CHC candidates should understand the definitions of covered entities and business associates, the requirements for Business Associate Agreements, the patient rights under HIPAA including the right of access and the right to request amendments, the breach notification requirements under the HITECH Act, and the civil and criminal penalty structure for HIPAA violations.
The enforcement landscape tested in Domain 2 of the CHC exam extends beyond the core fraud and abuse statutes to include the exclusion authorities of the OIG. The OIG has the authority to exclude individuals and entities from participation in Medicare, Medicaid, and all federal healthcare programs — either mandatorily (as required by law for certain conviction types) or permissively (at OIG's discretion for other conduct). A healthcare organisation that employs or contracts with an excluded individual is subject to civil monetary penalties for each item or service claimed.
Screening the OIG's List of Excluded Individuals/Entities (LEIE) and the GSA's System for Award Management (SAM) is a required compliance function that is directly tested in CHC exam questions about compliance program operations.
Corporate Integrity Agreements (CIAs) are another enforcement-related subject area that CHC candidates must understand. When OIG resolves a fraud and abuse investigation through a civil settlement rather than prosecution, it often requires the settling party to enter into a CIA — a multi-year agreement that mandates specific compliance program requirements, reporting obligations, and independent review organisation (IRO) monitoring.
Understanding what CIAs require and how they affect compliance program operations at affected organisations is relevant CHC exam content because many compliance professionals work at organisations that are operating under CIAs or that have studied CIA provisions as models for robust compliance programs.
Research compliance is a subject area within the Healthcare Regulatory Environment domain that is often underestimated by CHC candidates who do not work in research-heavy organisations. Research compliance includes regulations governing human subjects research (the Common Rule, IRB oversight requirements), financial conflicts of interest in research, grant compliance requirements from federal funders, and the compliance implications of data use agreements. CHC candidates working at academic medical centres or research institutions should have strong familiarity with these areas; candidates at non-research organisations should have working knowledge sufficient to answer exam questions even without deep practical experience.

| Domain | Approx. weight | Approx. questions | Key topics |
|---|---|---|---|
| Domain 1: Compliance Program Development & Management | ~25% | ~25 questions | 7 OIG program elements, compliance officer roles, risk assessment, auditing and monitoring |
| Domain 2: Healthcare Regulatory Environment | ~25% | ~25 questions | False Claims Act, Anti-Kickback Statute, Stark Law, CMS regulations, OIG enforcement |
| Domain 3: Privacy and Security of Health Information | ~25% | ~25 questions | HIPAA Privacy Rule, Security Rule, HITECH, breach notification, patient rights |
| Domain 4: Clinical Practice and Healthcare Operations | ~25% | ~25 questions | Billing/coding compliance, clinical quality, credentialing, coding fraud indicators |

Domain 1 of the CHC exam — Compliance Program Development and Management — tests your understanding of how effective healthcare compliance programs are designed, implemented, and maintained. The OIG's seven program elements serve as the structural framework for this domain.
Beyond the elements themselves, candidates must understand the role and responsibilities of the compliance officer, how compliance committees are structured and what their oversight function entails, how to conduct a compliance risk assessment, how compliance training programs are designed for different employee populations, and how internal monitoring and auditing processes are established and documented. The CHC exam will test whether you understand not just what these elements are, but how they function in practice in a real healthcare organisation.
Domain 2 — the Healthcare Regulatory Environment — is the largest substantive knowledge area on the CHC exam and covers the federal and state regulatory frameworks that govern healthcare delivery and payment. Federal healthcare program requirements — Medicare Parts A, B, C, and D, Medicaid, and associated billing and coverage rules — form a significant portion of this domain.
Candidates must understand Medicare conditions of participation for hospitals, the requirements of the Medicare Shared Savings Program for accountable care organisations, the structure of the Medicare Advantage program, and the fraud and abuse enforcement mechanisms available to the OIG, Department of Justice, and state Medicaid fraud control units. State healthcare regulatory requirements — licensure, certificate of need laws, professional practice acts — are also tested, though federal requirements dominate this domain.
The Anti-Kickback Statute (AKS) is one of the most frequently tested statutes in the CHC examination. The AKS prohibits knowingly and wilfully offering, paying, soliciting, or receiving anything of value — directly or indirectly — to induce or reward referrals of items or services covered by federal healthcare programs. Safe harbours define specific arrangements that will not be treated as violations of the AKS: the personal services safe harbour, the space rental safe harbour, the equipment rental safe harbour, the employment safe harbour, the discount safe harbour, and others.
Understanding which safe harbours apply to specific fact patterns, and what conditions must be met for a safe harbour to apply, is a tested skill. The Stark Law — which prohibits physician self-referral for designated health services to entities with which the physician or an immediate family member has a financial relationship — operates differently from the AKS (strict liability, no intent element required) and has its own complex set of exceptions.
Domain 3 — Privacy and Security of Health Information — requires detailed knowledge of HIPAA as amended by HITECH.
Key subject areas include the definition of protected health information (PHI) and what constitutes de-identification under the Safe Harbor and Expert Determination methods, the required versus permitted disclosures of PHI, the minimum necessary standard, the Notice of Privacy Practices requirements, patient rights (access, amendment, accounting of disclosures, restriction requests), Business Associate Agreements and when they are required, the HIPAA Security Rule's administrative, physical, and technical safeguard categories and their required versus addressable specifications, breach notification requirements including what constitutes a breach and the timeline for notification, and the penalty tiers for HIPAA violations ranging from unknowing violations to wilful neglect.

A common CHC exam error is confusing the Anti-Kickback Statute and the Stark Law. They are separate statutes with different structures: the AKS requires intent (must knowingly and wilfully violate) and has safe harbours; the Stark Law is strict liability (no intent required) and has exceptions. The AKS applies to all federal healthcare program items and services; the Stark Law applies only to designated health services (DHS). Both are heavily tested — know the difference clearly.
Domain 4 — Clinical Practice and Healthcare Operations — covers billing and coding compliance, which is a significant source of healthcare fraud and abuse enforcement actions. Candidates must understand the structure of medical coding systems including ICD-10-CM diagnostic codes, CPT procedure codes, and HCPCS Level II codes, and how coding inaccuracies create compliance risk.
Common coding fraud indicators — upcoding (billing for a higher-acuity service than performed), unbundling (billing separately for services that should be billed together), billing for services not rendered, and duplicate billing — are tested in scenario-based questions. Clinical quality and patient safety programs, credential verification processes for medical staff, and the compliance implications of clinical documentation requirements are also covered in this domain.
Study resources for CHC exam preparation include the HCCA's CHC Study Guide (available through the HCCA website), the HCCA Compliance Institute conference materials, OIG compliance guidance documents (available free from oig.hhs.gov), CMS Medicare regulations and manuals (available free from cms.gov), and the HIPAA regulations themselves (available at hhs.gov). The HCCA also offers the Compliance Institute, an annual conference that provides continuing education and is widely used by CHC candidates for preparation.
Third-party practice question banks are also available. Because the CHC exam draws from a wide regulatory knowledge base, candidates who work in healthcare compliance and have practical familiarity with the regulations they are studying have an advantage — the exam tests applied knowledge, not just the ability to recite regulatory text.
Most CHC candidates with healthcare compliance work experience report needing 60-120 hours of dedicated study time to adequately prepare for the examination. Candidates who are newer to the healthcare compliance field or who lack direct experience with specific regulatory areas tested in the exam may need more.
A practical study plan typically includes reviewing the CCB examination blueprint to confirm current domain weightings, reading the HCCA study guide, supplementing with OIG and CMS regulatory reading in weak knowledge areas, completing practice questions throughout the study period to reinforce learning, and taking at least one full-length timed practice exam before scheduling the actual examination. Candidates who pace their preparation over 8-12 weeks report better retention and exam performance than those who attempt intensive short-duration cramming.
Documentation requirements are a cross-cutting compliance subject area that appears across multiple CHC exam domains. In billing and coding compliance, adequate documentation of medical necessity, level of service, and the identity of the rendering provider is required to support claims submitted to federal healthcare programs. Inadequate documentation is one of the most common findings in OIG Work Plan audits and program integrity contractor reviews.
CHC candidates must understand what constitutes adequate medical record documentation for common claim types, how documentation deficiencies create compliance risk, and what corrective action processes organisations should have in place to address documentation problems identified through monitoring and auditing.
The CHC exam also tests knowledge of the compliance program management cycle — the ongoing process of identifying compliance risks, prioritising them through a risk assessment process, designing and implementing controls to mitigate high-priority risks, monitoring the effectiveness of those controls through auditing and surveillance, and updating the compliance program based on the results of monitoring activities, regulatory changes, and organisational changes.
This management cycle concept — sometimes referred to as a plan-do-check-act (PDCA) model applied to compliance — is foundational to Domain 1 content and underlies many scenario-based questions in which candidates must identify the appropriate next step in a compliance program management situation.

The Compliance Certification Board (CCB) periodically updates the CHC examination blueprint, which specifies the percentage of questions allocated to each domain. Always download the current exam blueprint from the CCB website before beginning your study — the weightings in this guide are based on historical domain distributions and may have been updated. Study allocation should reflect the current official blueprint, not third-party summaries that may be outdated.
- ✓ Domain 1: Know the 7 OIG compliance program elements — these appear in multiple question formats
- ✓ Domain 1: Understand compliance risk assessment methodology and how auditing differs from monitoring
- ✓ Domain 2: Know the False Claims Act — qui tam provisions, civil monetary penalties, exclusion authorities
- ✓ Domain 2: Know the Anti-Kickback Statute and all major safe harbours
- ✓ Domain 2: Understand the Stark Law and its key exceptions — different structure than AKS
- ✓ Domain 3: Know HIPAA Privacy Rule patient rights and required vs permitted disclosures
- ✓ Domain 3: Understand HIPAA Security Rule safeguard categories and required vs addressable specifications
- ✓ Domain 3: Know breach notification timeline and what constitutes a reportable breach under HITECH
- ✓ Domain 4: Know common coding fraud indicators — upcoding, unbundling, duplicate billing
- ✓ Domain 4: Complete practice questions across all domains — the exam tests applied knowledge, not memorisation

CHC Pros and Cons

- + CHC certification is recognized by employers as verified competency
- + Provides a structured knowledge framework beyond just the credential
- + Certified professionals report 10–20% salary increases on average
- + Maintenance requirements create ongoing professional development
- + Differentiates candidates in competitive hiring and promotion decisions
- − Certification fees, materials, and renewal costs add up over a career
- − Requirements change — delaying may mean facing updated content
- − Salary ROI varies significantly by geography and industry
- − Preparation requires significant time alongside existing responsibilities
- − Validates knowledge at a point in time, not ongoing real-world performance

About the Author
Attorney & Bar Exam Preparation Specialist
Yale Law School
James R. Hargrove is a practicing attorney and legal educator with a Juris Doctor from Yale Law School and an LLM in Constitutional Law. With over a decade of experience coaching bar exam candidates across multiple jurisdictions, he specializes in MBE strategy, state-specific essay preparation, and multistate performance test techniques.