CPCO Exam Content Outline

Home > Certifications > CPCO > Exam Content Outline

Certified Pharmacy Compliance Officer (CPCO)

Official Examination Content Outline

This document provides the official content outline for the Certified Pharmacy Compliance Officer (CPCO) examination. The exam certifies that a candidate possesses the expertise to develop, implement, and manage an effective pharmacy compliance program based on the OIG's seven core elements, ensuring adherence to all federal and state laws and regulations and preventing fraud, waste, and abuse.

Examination Specifications

Name of Credential Certified Pharmacy Compliance Officer (CPCO)
Certification-Issuing Body The Council on Pharmacy Standards (CPS)
Designation Awarded CPCO
Target Population Pharmacists in compliance, legal, and operational leadership roles.
Examination Length 120 multiple-choice items
Administration Time 3.0 hours

Examination Content Outline

The CPCO examination is weighted according to the four domains listed below, which are adapted from the OIG's Seven Elements of an Effective Compliance Program and tailored to the complexities of the pharmacy environment.

Domain 1: Standards, Policies, and Governance 25%
Domain 2: Training, Education, and Communication 20%
Domain 3: Auditing, Monitoring, and Risk Assessment 30%
Domain 4: Investigations, Enforcement, and Corrective Action 25%

Domain 1: Standards, Policies, and Governance (25%)

Task 1: Develop and maintain a Code of Conduct and compliance policies.
  • Establish a formal Code of Conduct that articulates the organization's commitment to ethical behavior and compliance.
  • Develop, implement, and maintain a comprehensive set of written pharmacy compliance policies and procedures.
  • Ensure policies address all key pharmacy risk areas, including billing, controlled substances, and patient privacy.
  • Establish a systematic process for the regular review and update of all compliance policies.
  • Translate complex laws and regulations into clear, understandable, and actionable policies.
  • Ensure all compliance policies are readily accessible to all employees and relevant parties.
  • Manage the version control and archiving of all compliance documentation.
  • Integrate the Code of Conduct and compliance policies into the organization's operational framework.
Task 2: Establish and lead a compliance governance structure.
  • Designate a qualified Compliance Officer with sufficient authority and resources.
  • Establish a high-level, multidisciplinary Compliance Committee.
  • Define the roles, responsibilities, and charter of the Compliance Committee.
  • Facilitate regular Compliance Committee meetings to oversee the compliance program.
  • Ensure the Compliance Officer has a direct line of communication to the CEO and Board of Directors.
  • Develop a formal compliance program work plan and annual report.
  • Secure appropriate budget and staffing for the compliance department.
  • Demonstrate the independence and autonomy of the compliance function within the organization.
Task 3: Oversee compliance with fraud, waste, and abuse (FWA) laws.
  • Interpret and apply the False Claims Act to pharmacy billing and dispensing practices.
  • Interpret and apply the Anti-Kickback Statute to relationships with prescribers, patients, and vendors.
  • Interpret and apply the Physician Self-Referral Law (Stark Law) to relevant financial relationships.
  • Develop policies and controls to prevent improper billing to Medicare and Medicaid.
  • Ensure compliance with regulations governing the provision of free items or services to beneficiaries.
  • Understand the OIG's role in enforcement and their published guidance documents.
  • Recognize high-risk areas for FWA in pharmacy operations (e.g., specialty pharmacy, 340B).
  • Implement controls to ensure the medical necessity of all billed claims.
Task 4: Manage compliance with DEA and state board regulations.
  • Develop and oversee a comprehensive controlled substance compliance program.
  • Ensure adherence to all DEA regulations regarding registration, recordkeeping, security, and inventory.
  • Implement robust policies and systems to prevent and detect drug diversion.
  • Stay current with and ensure compliance with all state board of pharmacy rules.
  • Oversee licensure requirements for the pharmacy, pharmacists, and technicians.
  • Ensure compliance with regulations for compounding, telepharmacy, and other specialized practices.
  • Prepare for and manage inspections from the DEA and state boards of pharmacy.
  • Implement a system for tracking and responding to changes in pharmacy laws and regulations.
Task 5: Oversee the HIPAA Privacy and Security programs.
  • Develop and maintain all required HIPAA policies and procedures.
  • Serve as or work closely with the designated HIPAA Privacy and Security Officers.
  • Ensure appropriate administrative, physical, and technical safeguards are in place to protect PHI.
  • Oversee the process for providing patients with a Notice of Privacy Practices.
  • Manage patient rights, including access to records and requests for amendment.
  • Conduct a periodic security risk analysis as required by the HIPAA Security Rule.
  • Oversee the management and use of Business Associate Agreements (BAAs).
  • Manage the process for investigating and reporting potential breaches of PHI.
Task 6: Establish ethical and professional standards.
  • Promote a culture where ethical conduct is a core organizational value.
  • Develop policies for managing conflicts of interest for employees and leadership.
  • Ensure all marketing and promotional activities are conducted ethically and compliantly.
  • Establish standards for professional conduct in all interactions with patients and providers.
  • Integrate compliance and ethical considerations into performance evaluations.
  • Provide guidance to employees on resolving ethical dilemmas.
  • Ensure that all business decisions are filtered through a compliance and ethics lens.
  • Lead by example to demonstrate the organization's commitment to "doing the right thing."

Domain 2: Training, Education, and Communication (20%)

Task 1: Develop and implement an annual compliance training plan.
  • Conduct a needs assessment to identify the training requirements for different roles and departments.
  • Develop a formal compliance training plan that covers all required topics for the year.
  • Create general compliance training for all employees, covering the Code of Conduct and key policies.
  • Ensure all new hires receive compliance training as part of their onboarding process.
  • Implement a system to track the completion of all required training for all employees.
  • Periodically evaluate the effectiveness of the training program and make improvements.
  • Maintain records of all training materials, attendance, and completion dates.
  • Ensure the Board of Directors and senior leadership also receive appropriate compliance training.
Task 2: Create targeted training for high-risk areas.
  • Develop specialized training modules for employees working in high-risk areas (e.g., billing, purchasing).
  • Provide in-depth training on complex regulations like the Anti-Kickback Statute or the 340B program.
  • Create job-specific training on HIPAA privacy and security for staff who handle PHI.
  • Deliver specialized training on controlled substance handling and diversion prevention.
  • Update training materials promptly in response to new laws, regulations, or audit findings.
  • Use real-world case studies and interactive scenarios to enhance learning and engagement.
  • Assess the competency of staff in high-risk roles after training.
  • Provide ongoing, periodic training to reinforce key compliance concepts.
Task 3: Manage compliance communication channels.
  • Establish and publicize multiple lines of communication for employees to ask compliance questions.
  • Implement and manage a confidential reporting system, such as a compliance hotline or web portal.
  • Ensure that reporting channels allow for anonymity and are accessible to all employees.
  • Develop a process for triaging, investigating, and responding to all questions and reports.
  • Communicate the organization's strict non-retaliation policy for good-faith reporting.
  • Use various communication methods (e.g., newsletters, emails, intranet) to disseminate compliance information.
  • Provide regular updates to the organization on compliance program activities and initiatives.
  • Foster an environment where employees feel comfortable raising concerns without fear of reprisal.
Task 4: Ensure screening of employees and vendors.
  • Develop and implement a policy for screening all new and existing employees and contractors.
  • Check individuals and entities against the OIG's List of Excluded Individuals and Entities (LEIE).
  • Check individuals and entities against the GSA's System for Award Management (SAM) and any relevant state exclusion lists.
  • Perform routine, periodic re-screening of all employees and vendors (e.g., monthly).
  • Document all screening activities and the resolution of any potential matches.
  • Understand the consequences of employing or contracting with an excluded individual or entity.
  • Develop a process for immediate removal from service and investigation if a confirmed match is found.
  • Integrate the exclusion screening process into the hiring and contracting workflows.
Task 5: Promote a culture of compliance.
  • Work with leadership to establish a strong "tone at the top" that emphasizes the importance of compliance.
  • Make the compliance program visible and accessible throughout the organization.
  • Recognize and reward ethical behavior and commitment to compliance.
  • Ensure that compliance is viewed as a shared responsibility of all employees, not just the compliance department.
  • Conduct periodic culture surveys to assess the effectiveness of compliance initiatives.
  • Empower employees to be compliance champions within their own departments.
  • Integrate compliance messaging into regular organizational communications.
  • Ensure that leaders at all levels model compliant and ethical behavior.
Task 6: Oversee vendor and business associate management.
  • Develop a process for conducting compliance due diligence on potential vendors and partners.
  • Ensure that Business Associate Agreements (BAAs) are in place with all vendors who handle PHI.
  • Provide vendors with a copy of the organization's Code of Conduct and compliance expectations.
  • Incorporate compliance requirements and audit rights into vendor contracts.
  • Monitor the performance and compliance of key vendors and business associates.
  • Include vendor management in the annual compliance risk assessment.
  • Establish a process for reporting and managing compliance issues involving vendors.
  • Terminate relationships with vendors who fail to meet compliance standards.

Domain 3: Auditing, Monitoring, and Risk Assessment (30%)

Task 1: Conduct an annual compliance risk assessment.
  • Develop a systematic methodology for identifying compliance risks across the organization.
  • Gather input from various departments to identify potential areas of vulnerability.
  • Analyze internal data, such as audit results and hotline reports, to identify risk trends.
  • Monitor external sources, such as OIG work plans and fraud alerts, for emerging risks.
  • Prioritize identified risks based on their likelihood and potential impact.
  • Create a risk registry to document and track all identified risks.
  • Use the results of the risk assessment to develop the annual audit work plan.
  • Present the findings of the risk assessment to the Compliance Committee and senior leadership.
Task 2: Develop and execute an annual audit work plan.
  • Create an annual audit work plan that focuses on the high-risk areas identified in the risk assessment.
  • Define the scope, objectives, and methodology for each planned audit.
  • Differentiate between auditing (retrospective review) and monitoring (real-time review).
  • Utilize statistically valid sampling methods when conducting audits.
  • Prepare formal audit reports that summarize the findings, conclusions, and recommendations.
  • Communicate audit results to the relevant department leaders and senior management.
  • Track the implementation of corrective action plans in response to audit findings.
  • Engage external auditors when specialized expertise or independence is required.
Task 3: Monitor for fraud, waste, and abuse in billing and claims data.
  • Develop and implement a continuous monitoring program for pharmacy claims data.
  • Use data analytics to identify outliers, patterns, and anomalies that could indicate FWA.
  • Monitor for high-risk billing practices, such as billing for non-existent prescriptions or upcoding.
  • Analyze data on prescription overrides, reversals, and returns for suspicious activity.
  • Monitor prescribing patterns of high-volume prescribers for potential kickback arrangements.
  • Review claims for appropriate documentation of medical necessity.
  • Identify and investigate any billing that is inconsistent with patient profiles or diagnoses.
  • Develop data-driven dashboards to visualize and track FWA risk indicators.
Task 4: Audit controlled substance handling and records.
  • Conduct regular, unannounced audits of controlled substance inventory and records.
  • Perform audits to reconcile controlled substance purchases, dispensing, and on-hand counts.
  • Review controlled substance records for completeness and compliance with DEA regulations.
  • Analyze data from automated dispensing cabinets to identify patterns of access and waste that could indicate diversion.
  • Audit the process for handling controlled substance waste and returns.
  • Review security measures for all areas where controlled substances are stored.
  • Investigate any unresolved discrepancies identified during an audit.
  • Use audit findings to strengthen diversion prevention controls.
Task 5: Audit for HIPAA and privacy compliance.
  • Conduct audits to assess compliance with the organization's HIPAA policies and procedures.
  • Perform audits of user access to electronic health records to ensure it is appropriate.
  • Review patient charts to ensure that minimum necessary standards are being followed.
  • Monitor for and investigate any potential snooping or unauthorized access to PHI.
  • Conduct physical walkthroughs to assess for privacy risks, such as unsecured workstations or improper disposal of PHI.
  • Review the inventory of Business Associate Agreements to ensure it is complete and up-to-date.
  • Audit the breach notification process to ensure it is compliant with regulations.
  • Use the results of the security risk analysis to guide audit activities.
Task 6: Prepare for and manage external audits and inspections.
  • Serve as the central point of contact and coordinator for all external regulatory audits.
  • Prepare staff for what to expect during an audit or inspection.
  • Gather and organize all requested documentation in a timely manner.
  • Accompany auditors during on-site visits and facilitate interviews with staff.
  • Review and respond to the official audit findings and reports.
  • Develop and oversee the implementation of corrective action plans in response to external findings.
  • Maintain a positive and professional relationship with auditors and regulators.
  • Track all external audits and their outcomes to identify systemic compliance issues.

Domain 4: Investigations, Enforcement, and Corrective Action (25%)

Task 1: Develop and manage an internal investigation process.
  • Establish a formal policy and procedure for conducting internal compliance investigations.
  • Develop a system for logging and tracking all reported compliance concerns.
  • Ensure that investigations are conducted in a timely, thorough, and objective manner.
  • Maintain strict confidentiality throughout the investigation process.
  • Work with legal counsel and human resources during investigations as appropriate.
  • Preserve all relevant evidence and documentation related to an investigation.
  • Understand the principles of attorney-client privilege and when it applies.
  • Develop a standardized format for investigation reports and documentation.
Task 2: Lead and conduct internal investigations.
  • Develop a clear investigation plan for each reported concern.
  • Conduct interviews with the complainant, witnesses, and the subject of the investigation.
  • Gather and analyze relevant documentary evidence, such as billing records, emails, and policies.
  • Synthesize all evidence to reach a well-supported conclusion.
  • Prepare a final investigation report that summarizes the process, findings, and conclusions.
  • Determine whether a compliance violation has occurred based on the investigation findings.
  • Present the investigation findings to the Compliance Committee or leadership.
  • Ensure that all investigations are conducted ethically and impartially.
Task 3: Enforce compliance standards through disciplinary action.
  • Develop and publicize disciplinary guidelines for compliance violations.
  • Ensure that disciplinary actions are applied consistently and fairly across the organization.
  • Work with Human Resources and management to determine the appropriate level of discipline for a violation.
  • Ensure that discipline is documented in the employee's personnel file.
  • Communicate that failure to report a known violation can also be grounds for discipline.
  • Hold managers accountable for the compliance of their direct reports.
  • Ensure that disciplinary action serves as a deterrent to future non-compliance.
  • Periodically review disciplinary actions to ensure consistency and fairness.
Task 4: Develop and track corrective action plans (CAPs).
  • Oversee the development of CAPs to address the root cause of identified compliance issues.
  • Ensure that CAPs include specific, measurable, achievable, relevant, and time-bound (SMART) actions.
  • Assign clear ownership and deadlines for each action item in a CAP.
  • Establish a system for tracking the progress and completion of all CAPs.
  • Validate that the corrective actions have been implemented and are effective in preventing recurrence.
  • Report on the status of all open CAPs to the Compliance Committee.
  • Provide support and guidance to departments as they work to implement their CAPs.
  • Formally document the closure of a CAP once all actions are complete and validated.
Task 5: Manage self-disclosure and reporting to government agencies.
  • Understand when a compliance violation may need to be reported to a government agency.
  • Evaluate the different self-disclosure protocols offered by agencies like the OIG and CMS.
  • Work with legal counsel to determine the risks and benefits of self-disclosure.
  • Manage the process of quantifying any overpayments that need to be repaid to federal health care programs.
  • Prepare and submit a comprehensive self-disclosure report to the appropriate agency.
  • Negotiate with the government to resolve the disclosed matter, potentially through a Corporate Integrity Agreement (CIA).
  • Oversee the fulfillment of all obligations under a settlement or CIA.
  • Understand the 60-day rule for reporting and returning overpayments.
Task 6: Ensure a non-retaliation policy is enforced.
  • Develop and prominently communicate a strict policy prohibiting retaliation against employees who report concerns in good faith.
  • Provide training to all managers on the importance of the non-retaliation policy.
  • Take immediate action to investigate any claims of retaliation.
  • Implement disciplinary action against any individual found to have engaged in retaliation.
  • Reassure employees who report concerns that they are protected from retaliation.
  • Monitor the employment status of employees who have reported concerns to look for signs of subtle retaliation.
  • Incorporate the non-retaliation policy into the Code of Conduct and general compliance training.
  • Create a workplace culture where reporting is encouraged and valued.

Next Steps