Healthcare Diagnostic and Treatment Coding



  • Level II codes maintained by CMS
  • alphanumeric medical diagnostic codes
  • primarily non-physician services: ambulance, prosthetics
  • items, supplies and non-physician services not covered by CPT-4 codes (Level I)
  • one letter in the range A to V followed by 4 digits

“The Healthcare Common Procedure Coding System (HCPCS, often pronounced by its acronym as “hick picks”) is a set of health care procedure codes based on the American Medical Association‘s Current Procedural Terminology (CPT).”


ICD-9 and ICD-10 – International Classification of Diseases

  • Sponsored by WHO
  • Codes up to 6 characters
  • 3 character minimum
  • if there are more specific sub-codes, the 3-digit code will be in boldface followed by subsequent numbers
  • Diagnosis-based


RVS – Relative Value System codes

  • Created by insurers
  • Evolved into CPT


CPT-4 – Current Procedural Terminology (CPT)

  • Owned by AMA
  • Equals HCPCS Level 1
  • 5-digit codes plus modifiers

“The Current Procedural Terminology (CPT) code set is a medical code set maintained by the American Medical Association through the CPT Editorial Panel … CPT coding is similar to ICD-9 and ICD-10 coding, except that it identifies the services rendered rather than the diagnosis on the claim. ICD code sets also contain procedure codes but these are only used in the inpatient setting.”
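The three code formats above (HCPCS Level II, ICD, CPT-4) are exactly the kind of thing a claims or EHR import routine should validate before data reaches billing. The following is an added example written for these notes, not code from the course text or from CMS/AMA: it encodes the format rules as stated above and flags malformed codes on a constructed claim. Two details are assumptions, since the notes do not spell them out: a CPT modifier is modelled as an optional two-character suffix after a hyphen, and the decimal point in an ICD code is not counted toward the 3-to-6 character length. The sample code values are constructed and only need to have the right shape.

```python
import re

# Format rules taken from the notes above. Assumptions: CPT modifier shape
# (optional "-XX" suffix) and the ICD decimal point not counting toward length.
PATTERNS = {
    "HCPCS-II": re.compile(r"^[A-V][0-9]{4}$"),                  # one letter A-V + 4 digits
    "CPT":      re.compile(r"^[0-9]{5}(?:-[0-9A-Z]{2})?$"),        # 5 digits + optional modifier
    "ICD":      re.compile(r"^[0-9A-Z]{3}(?:\.[0-9A-Z]{1,3})?$"),  # 3 chars + optional .xxx (max 6)
}


def is_valid_code(code: str, system: str) -> bool:
    """Return True if `code` matches the format the notes give for `system`."""
    pattern = PATTERNS.get(system)
    if pattern is None:
        return False
    return pattern.match(code.strip().upper()) is not None


# Constructed sample claim lines (not a real claim): (line id, code system, code).
SAMPLE_CLAIM = [
    ("1", "CPT", "99213"),
    ("2", "CPT", "99213-25"),
    ("3", "HCPCS-II", "A0425"),
    ("4", "HCPCS-II", "X1234"),   # X is outside the A-V range
    ("5", "ICD", "J18.9"),
    ("6", "ICD", "J1"),           # below the 3-character minimum
    ("7", "CPT", "9921"),         # 4 digits, not 5
]


def validate_claim(lines):
    """Return (line id, message) for every line whose code is malformed."""
    errors = []
    for line_id, system, code in lines:
        if not is_valid_code(code, system):
            errors.append((line_id, f"{code!r} is not a well-formed {system} code"))
    return errors


if __name__ == "__main__":
    for line_id, message in validate_claim(SAMPLE_CLAIM):
        print(f"line {line_id}: {message}")
```

Validating against the declared code system, rather than guessing the system from the string, is deliberate: without its decimal point an ICD-10 code such as a letter followed by four digits has the same shape as a HCPCS Level II code, so a classifier that works from the string alone cannot be trusted.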


A system of Medicare diagnosis groupings using medical codes to define Medicare compensation.


National Codes

  • Created for CMS
  • for billing procedures and supplies for Medicare patients
  • Widely used by insurers


EHR Systems and Security

Topics to know: compression ratio of TIFF versus JPG; the difference between wireless WPA and WPA2.

Risk Assessment

Required by HIPAA.

Assess the risks to confidentiality, integrity and availability of EPHI.


Document Retention

AHIMA – American Health Information Management Association lists recommendations (the “shoulds” below).

HIPAA dictates a few “musts” below.

Birth records should be kept forever.

X-rays should be kept 5 years.

Mammograms should be kept up to 30 years

Emails discussing privacy and security policy must be retained for six (6) years.

Dental records must be retained for four (4) years.

Records containing materials specifically required by HIPAA must be retained for at least six (6) years after they were last in effect.

HIPAA does NOT dictate a retention period for medical records.

AHIMA does, however, recommend ten (10) years after most recent encounter.

AHIMA also recommends that fetal heart monitor records be kept till patient age 28 (10 years after majority).
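The retention rules above mix HIPAA requirements (“musts”) with AHIMA recommendations (“shoulds”), each counted from a different starting point (date last in effect, most recent encounter, the patient's birth date). The following is an added example, not part of the course text, that turns the list above into a small retention calculator: it returns the earliest disposal date for a record, keeps track of whether the rule is a “must” or a “should”, and handles the 29 February edge case so that a period is never shortened. The record-type names and the rule table are constructed for this example.

```python
from datetime import date

FOREVER = None  # sentinel meaning "never dispose"

# Retention rules as listed in the notes. "must" = HIPAA requirement,
# "should" = AHIMA recommendation. The anchor date each rule counts from is
# supplied by the caller (date last in effect, most recent encounter, etc.).
RULES = {
    "birth_record":        ("should", "forever",   None),
    "xray":                ("should", "years",     5),
    "mammogram":           ("should", "years",     30),
    "policy_email":        ("must",   "years",     6),
    "dental_record":       ("must",   "years",     4),
    "hipaa_required_doc":  ("must",   "years",     6),   # after last in effect
    "medical_record":      ("should", "years",     10),  # after most recent encounter
    "fetal_heart_monitor": ("should", "until_age", 28),  # counted from birth date
}


def add_years(d: date, years: int) -> date:
    """Add calendar years. A 29 February anchor in a non-leap target year rolls
    forward to 1 March so the retention period is never shortened."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return date(d.year + years, 3, 1)


def retention_deadline(record_type: str, anchor: date, birth_date=None):
    """Earliest date the record may be disposed of, or FOREVER.

    `anchor` is the rule's starting point; `birth_date` is needed only for
    age-based rules such as fetal heart monitor records."""
    basis, kind, n = RULES[record_type]
    if kind == "forever":
        return FOREVER
    if kind == "years":
        return add_years(anchor, n)
    if kind == "until_age":
        if birth_date is None:
            raise ValueError(f"{record_type} needs the patient's birth date")
        return add_years(birth_date, n)
    raise ValueError(f"unknown rule kind {kind!r}")


def rule_basis(record_type: str) -> str:
    """'must' (HIPAA) or 'should' (AHIMA) for the given record type."""
    return RULES[record_type][0]


def disposable_on(record_type: str, anchor: date, today: date, birth_date=None) -> bool:
    """True if the record has reached its retention deadline by `today`."""
    deadline = retention_deadline(record_type, anchor, birth_date)
    return deadline is not FOREVER and today >= deadline


if __name__ == "__main__":
    # Constructed sample: a dental record last updated on the course's final day.
    last_visit = date(2014, 4, 18)
    print("dental record may be disposed on", retention_deadline("dental_record", last_visit),
          f"({rule_basis('dental_record')})")
```

Because HIPAA sets no retention period for the medical record itself, a real policy would layer state law on top of this table; the split between “must” and “should” is kept in the data precisely so that an auditor can see which deadlines are legal requirements and which are recommendations.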


Records Storage

HIPAA mandates that records be stored in secure, locked storage when not in use.

NOT in lockable mobile cabinets left in a front area.


Media Disposal




NOT Piercing


Common Software/materials System Issues

Patient demographics errors including formatting problems

Comm link errors


Common EHR Client System Types

Native application

Browser-based application

Remote terminal



Confidentiality – the legal and ethical responsibility of providers to maintain patient privacy (note how different this is from the IT definition)

Privacy – the individual’s right to control disclosure of their information

Data Security – technical and procedural methods for controlling confidential information

Conformity – NOT a security term, but a red herring



Use a topographic map for an external site survey.

SSIDs may be up to 32 characters.

SSIDs are case sensitive.


Healthcare Terminology and Acronyms


ADC – Automated dispensing cabinet, for Pharmacy

ADL – activities of daily living

ASC – Advanced Surgical Center

ASTM – American Society for Testing and Materials

ATCB – ONC Authorized Testing and Certification Body

BAA – Business Associate Agreement, required of third parties when providers share records with them (a BAA is NOT required from postal carriers)

CAH – Critical Access Hospitals (paid based on cost, not diagnosis)

CCD – Continuity of Care Document, an XML-based standard

CMS – Center for Medicare and Medicaid Services, a division of HHS

CPOE – Computerized Physician Order Entry: Lab, Rad and Pharmacy

CPT – Current Procedural Terminology

CSW – Clinical Social Worker

EDIS – Emergency department IS

eMAR – an electronic medication administration record, for Pharmacy, using barcode scanners at several points in the process

EPHI – Electronic Protected Health Information; Electronically transmitted or stored information

ERISA – Employee Retirement Income Security Act of 1974

Health Records:

EMR – Electronic Medical Records, usually in a stand-alone situation like a doctor’s office; an electronic version of the paper record.

EHR – Electronic Health Records are a collection of patient or population health information. One patient’s records from multiple sources and providers collectively are her EHR.

EPR – same as EHR

PHR – Personal Health Record, an electronic record maintained by the individual

HCPCS – Healthcare Common Procedure Coding System

HHS – Department of Health and Human Services, the federal colossus

HITSP – Healthcare Information Technology Standards Panel

Information Systems


Pharmacy IS

Radiology IS

Lab IS (LIS)

IRB – Institutional Review Board

MAR – Medication Administration Record, for Pharmacy (cf. eMAR)

MOU – Memorandum of Understanding, or MOA, Memorandum of Agreement

NPI – National Provider Identifier

OCR – Office for Civil Rights

ONC – Office of the National Coordinator for Health Information Technologies

PACS – Picture Archiving and Communication System

PERT (chart) – Program Evaluation and Review Technique

Physician portal – a view into HIS/EMR/EHR; unlike CPOE it’s for notes, not orders; allows electronic signatures

PPACA or ACA – Patient Protection and Affordable Care Act

PPS – Prospective Payment System (payment based on diagnosis, not cost), a Medicare Part A system

RECs – HIT Regional Extension Centers

Surgical Process

Surgical summary report – short, for immediate reference during postop

Cold feed – how the report above is sent; there is no ACK confirming receipt

Operative record – complete, detailed account, dictated

SNF – Skilled Nursing Facility

TPO – Treatments, payments and operations



-osis – condition or disease

-itis – inflammation, e.g. arthritis

-algia – pain

-crine – secreting, as in endocrine

-blast – an immature or forming condition

-ology – study of



Barium contrast – a video using injected barium to make objects show clearly

Echocardiogram – a video view of the heart

Electronic signature – a scanned copy of a signature on paper

Data Security – technical and procedural methods to control and manage confidential information.

Digital signature – a product of hashing and encryption with full legal legitimacy
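The distinction drawn above matters in practice: a scanned signature image can be pasted onto any document, whereas a digital signature is computed from a hash of the record's contents, so changing even one character of the record breaks verification. The following is an added example, not from the course text or from any signing library, showing that hash-then-sign structure with textbook RSA. The key is a constructed toy (two Mersenne primes, about 92 bits, no padding) chosen only so the example runs with the standard library; a real 21 CFR Part 11 system would use a proper key size, padding scheme and certificate-bound keys. The sample record is constructed and contains no real patient data.

```python
import hashlib
from math import gcd

# Constructed toy key material: two Mersenne primes. Far too small for real
# use and lacking the padding of a real signature scheme; the point is the
# hash-then-sign structure, not key strength.
TOY_P = 2**31 - 1
TOY_Q = 2**61 - 1


def make_toy_keypair(p=TOY_P, q=TOY_Q, e=65537):
    """Return ((n, e), (n, d)): the public and private halves of a textbook RSA key."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to phi(n)")
    d = pow(e, -1, phi)  # modular inverse, Python 3.8+
    return (n, e), (n, d)


def record_digest(record: bytes, n: int) -> int:
    """SHA-256 of the record, reduced into the key's group. With this toy key
    the 256-bit digest is larger than n, so it must be reduced; a real key
    would carry the full padded digest."""
    return int.from_bytes(hashlib.sha256(record).digest(), "big") % n


def sign_record(record: bytes, private_key) -> int:
    """Hash the record, then apply the private exponent: the 'hashing and
    encryption' the notes describe."""
    n, d = private_key
    return pow(record_digest(record, n), d, n)


def verify_record(record: bytes, signature: int, public_key) -> bool:
    """Recompute the digest and compare it with the public-exponent result."""
    n, e = public_key
    return pow(signature, e, n) == record_digest(record, n)


# Constructed sample record; not real patient data.
SAMPLE_RECORD = b"MRN=000123;visit=2014-04-14;note=Follow-up in 2 weeks"


def demo():
    """Sign the sample record, then verify the original and a tampered copy.
    Returns (original verifies, tampered verifies)."""
    public, private = make_toy_keypair()
    signature = sign_record(SAMPLE_RECORD, private)
    tampered = SAMPLE_RECORD.replace(b"2 weeks", b"2 months")
    return (verify_record(SAMPLE_RECORD, signature, public),
            verify_record(tampered, signature, public))


if __name__ == "__main__":
    original_ok, tampered_ok = demo()
    print("original record verifies:", original_ok)   # True
    print("tampered record verifies:", tampered_ok)   # False
```

Contrast this with the electronic signature defined above: nothing in a scanned image ties it to the bytes of the record it sits on, so it proves neither who signed nor that the content is unchanged, which is why Part 11 treats the two differently.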

Health Information

De-identified Health Information

Individually Identifiable Health Information

Archived Health Information

Demographic Health Information

Informed Consent – the conversation between patient and physician re. medical procedure being performed, reasons for it, benefits of it and risks.

Interface Engine – a “translator” that sits between multiple systems and reformats data for those systems

Nursing home vs. assisted living

Perioperative IS – the info system that manages patients in surgery

Privacy – “the individual’s right to control disclosure”

Specialty Hospital provides treatment for specific issues such as burns, cancer or women’s care

Thinning – reducing a patient’s chart when it gets too big to handle. Thinned records are sent to central medical records area.


Types of Plans

A Preferred Provider Organization (PPO) offers discounted services at in-network providers only.

A Health Maintenance Organization (HMO) provides services for a fixed, prepaid amount.


Types of IT in Medicine

Clinical IT – handling prescriptions, lab tests, images, medical procedures

Infrastructure IT – handling networks and major services

Financial IT – handling billing and finances

Administrative IT – handling staffing and operations IT


Types of Data




Signals – tracking from an instrument, e.g. EEG or EKG


Healthcare Organizations

Pay attention to HL7 codes



  • Federal, a dept of HHS
  • Serves over-65 and disabled


  • Federally monitored
  • Run by states so has many names
  • For low-income and eligible families


  • For active-duty members of US military


  • Federal Employee Health Benefits Program
  • For federal employees, retirees and their families


Organization/Facilities Types


Inpatient (admitted) vs. Outpatient

General Hospital – required to provide diagnosis and treatment for medical services including radiology, lab services and surgery.

Specialty Hospital – provides treatment for specific disorders such as cancer, burns or women’s health

Rehabilitation Hospital – provides diagnosis, treatment, restorative and adjustment services to the disabled

Psychiatric Hospital – provides diagnosis and treatment for individuals with mental illness or behavioral health disorders


Private Practices

Practitioners practice medicine without supervision (doctors, nurse practitioners)

Providers are in supervised settings (nurses, aides)


Acute Care Facility

Provides medical, surgical, pediatric and obstetric services that require fewer than 30 days hospital stay.


Assisted Living Facility

For elderly or those who need assistance with activities of daily living (ADL)



Health Maintenance Organization

Provides healthcare services for fixed, prepaid reimbursement.

Providers and subscribers voluntarily enroll.


Home Health Care

Often for IV care or PT



Care for terminally ill patients, either at home or in facilities.

24/7 care


Medical/hospital equipment

Medicare/Medicaid will reimburse most hospice costs for those eligible.


Nursing Homes/Convalescent Hospitals


Often run by Director of Nursing, an RN

Staffed by LPNs and non-licensed nursing assistants

For Medicare reimbursement, must meet criteria for a Skilled Nursing Facility (SNF)


Nonacute Care Facility

aka Long Term Care Facility

For individuals w/ long-term illnesses requiring hospital stays of over 30 days.

Alzheimer’s Disease etc.



Point of Service healthcare plan

Patient permitted to choose a provider each time healthcare services are needed.



Preferred Provider Organization

A network of providers that give a discount rate in return for higher volume.


Subacute Care Facility

Provides treatment for patients with an acute illness or injury on top of a chronic illness, like surgery patients who get pneumonia.


Surgical Centers and Ambulatory Surgical Centers (ASCs)

Outpatient and inpatient


Healthcare Regulatory Bodies

Department of Commerce

NIST – National Institute of Standards and Technology

  • Coordinates standards
  • Coordinates infrastructure testing
  • Improve EHR usability
  • Extend healthcare’s reach through technology
  • R&D

Defines requirements of SLAs, but does NOT involve financial penalties for failure

Malcolm Baldrige National Quality Award


NIST, ONC and HITSP (Healthcare Information Technology Standards Panel, a public/private partnership) create ISO standards for interoperability.

Department of Health and Human Services (HHS)

“Responsible for protecting the health of all Americans.”

12 Operating Divisions, including CMS

Center for Medicare and Medicaid Services (CMS)

CMS runs Medicare for people over 65

Part A – Inpatient care

Part B – Outpatient care

Prescription Drug Coverage

Heavily involved in HIPAA implementation

Their standards are often adopted across the medical industry.

17 Staff Divisions

ONC – Office of the National Coordinator for Health Information Technology

“The Office of the National Coordinator for Health Information Technology (ONC) is at the forefront of the administration’s health IT efforts and is a resource to the entire health system to support the adoption of health information technology and the promotion of nationwide health information exchange to improve health care. ONC is organizationally located within the Office of the Secretary for the U.S. Department of Health and Human Services (HHS).”

ONC certifies EHR systems

  • Standards and certification criteria for EHR
  • Certification programs
  • Metadata definitions

National Committee on Vital and Health Statistics

Governing body that sets standards for the transmission of PHI.


The agency that certified X-rays for use on humans.

Title 21 CFR

Part 21: Individual records maintained, used and disclosed by the FDA

Part 7: Recalls of drugs, food or cosmetics

Part 11: Electronic records and digital signatures defined

Digital signatures are used for:

  • Medicare certifications
  • Remote site patient records,
  • Referrals
  • Computerized Physician Order Entry

ASTM – American Society for Testing and Materials

E1384 – Components and contents of patient records; definitions of nomenclature

Basically this involves ensuring records contain required information.

NCQA – National Committee for Quality Assurance

A U.S. independent nonprofit accrediting body for managed health care organizations

Uses HEDIS, Healthplan Employer Data and Information Set, to measure and publish info about managed care plans for employers and consumers.

The Joint Commission for the Accreditation of Healthcare Organizations

Monitors the safety and effectiveness of treatments provided by healthcare providers.

Requires a review of all delinquent medical records at least once every 90 days.

Requires dictation and transcription of acute history and physicals within 24 hours.

Requires that history and physical of chronic care patients be dictated and transcribed within 30 days.

Requires that a patient’s medical record be completed within 30 days (for instance, after discharge).


Digital Imaging and Communications in Medicine (DICOM)

Dictates standards for handling, storing, printing and transmitting medical images.

HL7 (Health Level 7)

International community of healthcare SMEs and info scientists.

Promotes informatics standards to improve healthcare info delivery.

Creates standards for exchange, management and integration of EHI.

Dictates data field types and contents.

Provider Type specifies the major grouping of the service or occupation of the practitioner.
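Since the notes say to pay attention to HL7 and its field definitions, here is an added example, written for these notes and not HL7's own code or any library's API, of what “dictates data field types and contents” looks like on the wire. It parses a constructed HL7 v2 ADT message (pipe-delimited segments, caret-separated components), checks that fields a receiver cannot work without are present, and builds the ACK that a “cold feed” as described earlier never returns. The minimum required-field set and the ACK control-id format are assumptions for this example; the field separator is read from MSH-1 as the spec requires, while the caret component separator is taken as the MSH-2 default.

```python
# Minimal HL7 v2 parsing, validation and ACK construction (added example).
SEGMENT_SEP = "\r"
COMPONENT_SEP = "^"   # first MSH-2 encoding character; assumed default

# Constructed sample ADT^A01 (admit) message; no real patient data.
SAMPLE_ADT = (
    "MSH|^~\\&|EHR_APP|CLINIC|LAB_APP|LAB|20140414080000||ADT^A01|MSG0001|P|2.5\r"
    "EVN|A01|20140414080000\r"
    "PID|1||MRN000123^^^CLINIC^MR||DOE^JANE^Q||19800101|F\r"
)


def parse_hl7(message: str) -> dict:
    """Return {segment id: [field list, ...]} so repeating segments are kept.
    Field indexes follow the spec's numbering: MSH-1 is the separator itself."""
    segments = [s for s in message.split(SEGMENT_SEP) if s]
    if not segments or not segments[0].startswith("MSH"):
        raise ValueError("message must begin with an MSH segment")
    field_sep = segments[0][3]          # MSH-1: the character right after "MSH"
    parsed = {}
    for seg in segments:
        fields = seg.split(field_sep)
        if fields[0] == "MSH":
            fields = ["MSH", field_sep] + fields[1:]   # keep MSH-n aligned with the spec
        parsed.setdefault(fields[0], []).append(fields)
    return parsed


def field(parsed, seg_id, index, component=None, occurrence=0):
    """Read field `index` (spec numbering) of a segment; optionally one component (1-based)."""
    occurrences = parsed.get(seg_id, [])
    if occurrence >= len(occurrences):
        return ""
    fields = occurrences[occurrence]
    value = fields[index] if index < len(fields) else ""
    if component is None:
        return value
    parts = value.split(COMPONENT_SEP)
    return parts[component - 1] if component - 1 < len(parts) else ""


# Assumed minimum set a receiver should refuse to process without.
REQUIRED = [("MSH", 9, "message type"), ("MSH", 10, "control id"),
            ("PID", 3, "patient identifier"), ("PID", 5, "patient name")]


def missing_required(parsed):
    """List the required fields that are absent or empty."""
    return [f"{seg}-{idx} ({label})" for seg, idx, label in REQUIRED
            if not field(parsed, seg, idx)]


def build_ack(parsed, timestamp: str) -> str:
    """Build an ACK for the parsed message, swapping sender and receiver.
    MSA-1 is AA (accepted) or AE (error), with the problems listed in MSA-3."""
    problems = missing_required(parsed)
    msh = ["MSH", "^~\\&",
           field(parsed, "MSH", 5), field(parsed, "MSH", 6),    # receiver becomes sender
           field(parsed, "MSH", 3), field(parsed, "MSH", 4),
           timestamp, "", "ACK", "ACK" + timestamp,             # control id format assumed
           field(parsed, "MSH", 11), field(parsed, "MSH", 12)]
    msa = ["MSA", "AA" if not problems else "AE", field(parsed, "MSH", 10), "; ".join(problems)]
    return "|".join(msh) + SEGMENT_SEP + "|".join(msa) + SEGMENT_SEP


if __name__ == "__main__":
    msg = parse_hl7(SAMPLE_ADT)
    print("patient id:", field(msg, "PID", 3, component=1))
    print(build_ack(msg, "20140414080001").replace("\r", "\n"))
```

Validating required fields before acknowledging is the receiver-side half of a link check: a sender that gets an AE with the missing field named can correct and resend, whereas a cold feed with no ACK leaves a communications-link error to be discovered later from a missing report.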

Other bodies

OSHA dictates safety for all workers.



CompTIA Healthcare IT Technician Certification

63531 Healthcare IT Technician

Course/Class Number: 63531/59724
Class Title: 63531 Healthcare IT Technician, Section SPA
Monday, Wednesday, Friday 8:00 am – 12:00 pm; 3 sessions starting April 14, 2014, ending April 18, 2014

Text: CompTIA Healthcare IT Technician HIT-001 Authorized Cert Guide, Joy Dark and Jean Andrews, 2012


  • Understand regulatory requirements
  • Know healthcare terminology/acronyms
  • Be familiar with practice workflow
  • Adhere to code of conduct policies
  • Engage security best practices
  • Support Electronic Health Records (EHR) systems

According to CompTIA:

The CompTIA Healthcare IT Technician certification exam covers:

  • U.S. regulatory requirements
  • Organizational behavior
  • IT operations
  • Medical business operations
  • Security

Or stated differently:

  • Regulations, agencies and laws
  • HIPAA controls and compliance
  • Backup and record retention, disposal and archiving
  • Healthcare IT security
  • EMR access roles
  • Setup and management of EHR/EMR PCs, servers and networks
  • Legal practices, requirements and documentation

According to Dark and Andrews:

  • Healthcare Organizational Behavior
  • Healthcare Regulatory Requirements
  • Healthcare Business Operations
  • Healthcare IT Security, Privacy, and Confidentiality
  • Healthcare IT Operations

Texts and Materials


Wireless Telephone Security: The New Frontier of Pen Testing

I’ve been working on the project to update ISECOM’s OPST (OSSTMM Professional Security Tester) curriculum, and it’s becoming more and more clear that pen testing curricula – ALL of them – neglect the area of wireless telephone penetration testing. Most of the phone tools are about forensics, not pen testing phones.

So should we just treat them as hosts? Maybe, but they run a lot of services and functions that few or no computer hosts run. How do we test them?

The starting point is learning the phone technology itself. There’s a decent introduction, circa 2007, at


How-To Geek’s 8 Deadly Linux Commands

For all my visitors and students interested in Linux, here’s a cautionary article to steer you away from some innocuous-looking commands that will do catastrophic things to your system. This is far from an exhaustive list, but consider just one:

rm -rf /

… for a nasty surprise, if you’re not aware of what it will do. Put a “sudo” in front of that and it’s even better.

See the article at: