Lesson 1: How procedures get coded — CPT and HCPCS
Every billable thing a provider does — an office visit, a colonoscopy, an MRI, injecting a drug, fitting a wheelchair — is encoded as a numeric procedure code. There are two main systems:
CPT (Current Procedural Terminology)
CPT is owned by the American Medical Association and updated annually (effective January 1). It's the dominant procedure code set for physician services and outpatient procedures. Codes are five digits.
| Category | Range | Example | What it means |
|---|---|---|---|
| Evaluation & Management (E/M) | 99202–99499 | 99213 | Established patient office visit, low complexity |
| Anesthesia | 00100–01999 | 00840 | Anesthesia for lower abdomen procedure |
| Surgery | 10021–69990 | 47562 | Laparoscopic cholecystectomy |
| Radiology | 70010–79999 | 74177 | CT abdomen and pelvis with contrast |
| Pathology & Lab | 80047–89398 | 80053 | Comprehensive metabolic panel |
| Medicine | 90281–99607 | 90471 | Immunization administration |
The codes you'll touch most often in AI products are the E/M codes (every office visit) and whatever specialty range matches your use case (radiology if you're doing imaging prior auth, surgery if you're doing inpatient predictive denial, and so on).
HCPCS Level II
CPT covers professional services. HCPCS Level II (Healthcare Common Procedure Coding System, maintained by CMS) covers everything else: drugs given by injection or infusion, durable medical equipment (DME), prosthetics, ambulance services, supplies. Codes are one letter followed by four digits.
| Letter | Category | Example | Meaning |
|---|---|---|---|
| A | Transportation, supplies | A0428 | Ambulance, basic life support, non-emergency |
| E | Durable medical equipment | E0114 | Crutches, underarm, aluminum |
| J | Drugs (non-self-administered) | J9312 | Injection, rituximab, 10 mg |
| K | DME for Medicare specifically | K0001 | Standard wheelchair |
| L | Orthotics, prosthetics | L8000 | Mastectomy bra |
| Q | Temporary codes | Q4081 | Injection, epoetin alfa, ESRD on dialysis |
A patient comes in for chemotherapy. The claim will likely include: 99214 (E/M visit, established patient, moderate complexity), 96413 (CPT — chemotherapy administration, IV infusion, up to 1 hour), and J9312 (HCPCS — the rituximab itself, billed per 10 mg with a units field of, say, 50 for a 500 mg dose). Three different code systems, one encounter.
Modifiers — small codes, big payment impact
A two-character modifier appended to a CPT/HCPCS code changes its meaning. AI systems that ignore modifiers will misprice, mispredict, and misroute claims. The high-frequency ones:
| Modifier | Meaning | Why it matters |
|---|---|---|
| -25 | Significant, separately identifiable E/M on the same day as a procedure | Allows separate payment for the visit AND the procedure; heavily audited |
| -59 | Distinct procedural service | Bypasses NCCI bundling edits; one of the most-audited modifiers in healthcare |
| -26 | Professional component | Splits an imaging study (radiologist's read) from the technical component (equipment + tech) |
| -TC | Technical component | The flip side of -26 |
| -RT / -LT | Right side / Left side | Required for paired body parts; affects MUE limits |
| -50 | Bilateral procedure | Both sides performed in the same session; usually pays 150% |
| -XE, -XS, -XP, -XU | Replacements for -59 (more specific) | CMS prefers these over -59; many MA plans require them |
A claim has 99213 and 20610 (joint injection) on the same date. Without modifier -25 on the E/M, what likely happens?
The E/M (99213) gets denied as bundled into the procedure. Modifier -25 is required to indicate the office visit was a separately identifiable service from the injection itself. This is one of the most common single-line denial reasons in outpatient billing.
You're building a denial-prediction model and one feature is "modifier on the line." A claim has -59. Why should this raise your prior of audit/denial?
Modifier -59 is the single most-misused modifier in healthcare and is in the top 5 OIG audit targets every year. CMS introduced the X-modifiers (-XE/XS/XP/XU) specifically to replace -59 with more precise meaning. A line with -59 has materially higher odds of post-pay recovery review or pre-pay edit flag.
Lesson 2: How diagnoses get coded — ICD-10-CM
Diagnoses are coded with ICD-10-CM (Clinical Modification), maintained by CDC's NCHS and CMS, updated each October 1. Codes are alphanumeric, 3 to 7 characters, with very specific anatomy and laterality.
| Code | Meaning |
|---|---|
| E11.9 | Type 2 diabetes mellitus without complications |
| E11.22 | Type 2 diabetes mellitus with diabetic chronic kidney disease |
| I10 | Essential (primary) hypertension |
| I50.23 | Acute on chronic systolic (congestive) heart failure |
| S72.001A | Fracture of unspecified part of right femur, initial encounter for closed fracture |
| Z79.4 | Long term (current) use of insulin (status code, not a disease) |
Three structural facts that matter for AI design:
- Specificity is hierarchical. E11 is "type 2 diabetes." Adding digits adds detail (with kidney disease, with neuropathy, etc.). Coding to the highest level of specificity supported by the documentation is the coder's job — and a frequent target of clinical documentation improvement (CDI) and risk adjustment programs.
- Laterality is encoded in the digit. S72.001A is the right femur; S72.002A is the left. Models that aggregate at the three-character level lose this.
- The seventh character matters. For injuries, A = initial encounter, D = subsequent, S = sequela. Wrong seventh character is a frequent denial reason.
Inpatient hospital claims also use ICD-10-PCS (Procedure Coding System, 7-character alphanumeric) for inpatient procedures — entirely separate from CPT. If you're building anything that touches hospital inpatient data, you'll see PCS.
Lesson 3: The claims lifecycle and X12 transactions
When a provider bills a payer, the information moves through a defined set of X12 EDI transactions. HIPAA mandates these formats. If you're building anything that interfaces with a clearinghouse, a payer, or a provider's RCM system, you'll touch them.
| Transaction | What it is | Who sends it |
|---|---|---|
| 270 / 271 | Eligibility & benefit inquiry / response | Provider → Payer / Payer → Provider |
| 278 | Prior authorization request & response | Provider ↔ Payer |
| 837P / 837I / 837D | Claim — Professional, Institutional, Dental | Provider → Payer |
| 277CA | Claim acknowledgement (accepted or rejected at front door) | Payer → Provider |
| 835 | Electronic Remittance Advice (ERA) — how the claim adjudicated | Payer → Provider |
| 276 / 277 | Claim status inquiry / response | Provider → Payer / Payer → Provider |
The journey of a claim, simplified
- Eligibility check — Provider sends 270 before the visit; payer returns 271 with active coverage, deductible status, copay.
- Authorization (if required) — Provider submits 278 (or uses a portal / fax / phone). Payer approves, denies, or pends.
- Service delivered, claim submitted — Provider's billing system creates an 837 with all the codes from Lesson 1 and 2, sends it to a clearinghouse, which forwards to the payer.
- Front-door check — Payer returns 277CA saying "accepted" or "rejected" (e.g. invalid member ID, missing NPI). Rejections never enter adjudication.
- Adjudication — Payer runs edits (NCCI, MUE, plan-specific), applies policy, computes payment. Days to weeks depending on plan and complexity.
- Remittance — Payer sends 835 back with per-line payment, adjustments, and reason codes. Provider posts to AR.
- Denials & appeals — Anything denied may be appealed (see Step 4).
Almost every payer-side AI use case (denial prediction, payment integrity, appeals automation) is fundamentally about parsing 835s and 837s and finding patterns. If your pipeline can't reliably extract CLP segments (claim payment), SVC segments (per-line service), and CAS segments (adjustments with reason codes) from an 835, you don't have a product.
Reading an 835 segment — the parts that matter
Real 835 fragment, simplified:
CLP*PATACCT123*1*450.00*135.00*50.00*MC*PAYERREF456*11~
NM1*QC*1*DOE*JANE*M***MI*MEM98765~
SVC*HC:99214*250.00*75.00**1~
DTM*472*20250915~
CAS*CO*45*175.00~
SVC*HC:90471*30.00*0.00**1~
CAS*PR*204*30.00~
SVC*HC:90686*170.00*60.00**1~
CAS*CO*45*110.00~
What this is telling you:
- CLP: This claim (account PATACCT123) was billed for $450, the payer paid $135, patient owes $50. Status 1 = primary claim, processed as primary. MC = Medicare claim type.
- SVC + CAS for line 1: 99214 billed at $250, paid $75. The CAS*CO*45*175 means Contractual Obligation (CO), reason code 45 ("Charge exceeds fee schedule"), $175 written off.
- SVC + CAS for line 2: 90471 billed at $30, paid $0. CAS*PR*204*30 = Patient Responsibility (PR), reason 204 ("Service not covered under patient's current benefit plan"), $30 to patient.
- SVC + CAS for line 3: 90686 (influenza vaccine) billed at $170, paid $60. Another contractual write-off.
CARC and RARC: the codes that explain payment outcomes
In the CAS segment, the reason code is a Claim Adjustment Reason Code (CARC). They tell you why a claim or line was adjusted (denied, reduced, or written off). Provider-side denial AI lives and dies on understanding these.
| CARC | Description | Common cause |
|---|---|---|
| 16 | Claim/service lacks information or has submission/billing error | Missing modifier, NPI, or other required field |
| 18 | Exact duplicate claim/service | Same claim submitted twice |
| 22 | This care may be covered by another payer per coordination of benefits | COB issue — wrong primary |
| 27 | Expenses incurred after coverage terminated | Eligibility error — patient no longer covered on date of service |
| 45 | Charge exceeds fee schedule / contracted amount | Normal contractual write-off (not a true denial) |
| 50 | Non-covered services — not deemed medically necessary | Medical necessity denial — most appealable |
| 96 | Non-covered charges | Service not a benefit under this plan |
| 97 | Benefit included in payment for another service/procedure | NCCI bundling edit |
| 197 | Precertification/authorization/notification absent | No auth on file — most common avoidable denial |
| 204 | Service not covered under the patient's current benefit plan | Benefit exclusion |
A Remittance Advice Remark Code (RARC) provides additional context. CARCs say what happened; RARCs say why or what to do next. Example: CARC 50 + RARC N115 = denied as not medically necessary, per a Local Coverage Determination (LCD).
A claim comes back with CARC 197 on every line. What's the most likely root cause and what's the cheapest place to prevent it?
No prior authorization was on file when the claim adjudicated. Cheapest prevention is at the front desk / pre-service: an eligibility (270/271) check plus auth status check before the service. Many denials of this type are downstream of a known auth requirement that wasn't routed correctly. Provider-side denial AI should prioritize CARC 197 in any prevention model.
Why is CARC 45 usually NOT considered a "denial" by sophisticated RCM teams?
CARC 45 is a contractual write-off — the difference between the billed charge and the contracted rate the provider already agreed to. It's expected, not avoidable. Counting it as a denial inflates denial rates and points AI at the wrong problem.
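The CLP/SVC/CAS extraction called for in Lesson 3 and the CARC 45 write-off distinction above, as an added example that is not part of the original lesson. It runs on the lesson's own simplified fragment; the function names are hypothetical, and the `*`, `:` and `~` delimiters are assumed because the fragment has no ISA envelope to declare them.

```python
from decimal import Decimal

# Constructed sample: the simplified 835 fragment from this lesson.
SAMPLE_835 = """CLP*PATACCT123*1*450.00*135.00*50.00*MC*PAYERREF456*11~
NM1*QC*1*DOE*JANE*M***MI*MEM98765~
SVC*HC:99214*250.00*75.00**1~
DTM*472*20250915~
CAS*CO*45*175.00~
SVC*HC:90471*30.00*0.00**1~
CAS*PR*204*30.00~
SVC*HC:90686*170.00*60.00**1~
CAS*CO*45*110.00~"""

def parse_835(text, seg_term="~", elem_sep="*", comp_sep=":"):
    """Parse CLP/SVC/CAS segments into claims -> service lines -> adjustments.
    Delimiters are assumed; a full 835 declares them in its ISA envelope.
    NM1 carries the patient name and member ID (PHI) and is not retained.
    """
    claims, claim, line = [], None, None
    for raw in text.split(seg_term):
        el = raw.strip().split(elem_sep)
        if el[0] == "CLP":
            if len(el) < 6:
                raise ValueError("CLP segment is missing required elements")
            claim = {"account": el[1], "status": el[2], "billed": Decimal(el[3]),
                     "paid": Decimal(el[4]), "patient_resp": Decimal(el[5]),
                     "adjustments": [], "lines": []}
            claims.append(claim)
            line = None  # a CAS seen before the first SVC is claim-level
        elif el[0] == "SVC":
            parts = el[1].split(comp_sep) if len(el) > 3 else []
            if claim is None or len(parts) < 2:
                raise ValueError("SVC segment is malformed or precedes any CLP")
            # SVC01 is a composite: qualifier, procedure code, then modifiers.
            line = {"procedure": parts[1], "modifiers": parts[2:6],
                    "billed": Decimal(el[2]), "paid": Decimal(el[3]),
                    "adjustments": []}
            claim["lines"].append(line)
        elif el[0] == "CAS":
            if claim is None or len(el) < 4:
                raise ValueError("CAS segment is malformed or precedes any CLP")
            target = line if line is not None else claim
            # After the group code come (reason, amount, quantity) triplets.
            for i in range(2, len(el) - 1, 3):
                if el[i]:
                    target["adjustments"].append(
                        {"group": el[1], "carc": el[i], "amount": Decimal(el[i + 1])})
    return claims

def unbalanced_lines(claim):
    """Procedure codes of lines where billed minus adjustments != paid."""
    return [ln["procedure"] for ln in claim["lines"]
            if ln["billed"] - sum(a["amount"] for a in ln["adjustments"]) != ln["paid"]]

def split_adjustments(claim):
    """Separate contractual write-offs (CO-45) from adjustments to review."""
    contractual, review = Decimal("0"), []
    for ln in claim["lines"]:
        for a in ln["adjustments"]:
            if (a["group"], a["carc"]) == ("CO", "45"):
                contractual += a["amount"]
            else:
                review.append((ln["procedure"], a["group"], a["carc"], a["amount"]))
    return contractual, review
```

A non-empty result from `unbalanced_lines` means the line's amounts do not reconcile, which is a reason to hold the file for review before posting it or feeding it to a model.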
Lesson 4: The Explanation of Benefits — what the patient (and the model) sees
The EOB (Explanation of Benefits) is the patient-facing document that summarizes how a claim was paid. It's not a bill. It maps to the same data as the 835 but is formatted for humans. Anyone selling or building patient-facing AI needs to be able to read one.
An EOB typically shows, per service line:
- Amount billed — what the provider charged
- Plan discount / allowed amount — what the contract reduces it to
- Plan paid — what insurance actually paid
- Your responsibility — copay, coinsurance, deductible, non-covered
- Reason code(s) / notes — plain-language explanation of any denial or write-off
When a member calls about a "denial," they're usually reading an EOB. When AI parses or generates appeals letters, it's often working from EOB text plus underlying 835 data.
Lesson 5: The regulatory floor every builder must know
Healthcare AI lives under multiple overlapping regulations. You don't need to be a lawyer, but you need to know what governs what. The four you'll bump into most:
HIPAA (Health Insurance Portability and Accountability Act, 1996)
Three rules that matter:
- Privacy Rule (45 CFR Part 164, Subpart E) — defines Protected Health Information (PHI) and the conditions for using or disclosing it. The 18 HIPAA identifiers (name, MRN, dates more specific than year, etc.) are PHI.
- Security Rule (45 CFR Part 164, Subpart C) — administrative, physical, and technical safeguards. Encryption, access controls, audit logs.
- Transactions and Code Sets Rule — why X12 837/835 and code sets like CPT/ICD-10 are mandatory.
If you're a vendor to a covered entity, you sign a Business Associate Agreement (BAA). Your stack must support BAAs if you want to sell. AWS, GCP, Azure, OpenAI Enterprise, Anthropic Enterprise, and most modern infrastructure providers offer BAAs — but not on all tiers. Confirm before building.
42 CFR Part 422 — Medicare Advantage
This regulates Medicare Advantage plans (the privatized Medicare programs run by Aetna, UnitedHealth, Humana, etc.). Recent updates that matter for AI builders:
- Two-midnight rule for MA (effective 2024) — MA plans must follow the same inpatient admission criteria as Traditional Medicare. This dramatically constrains UM auto-denial logic.
- Internal coverage criteria limits — MA plans cannot use proprietary criteria more restrictive than Traditional Medicare's National Coverage Determinations or Local Coverage Determinations.
- Algorithmic decision-making transparency (CMS final rule 2024) — MA plans using AI/algorithms for coverage decisions must ensure they comply with all coverage rules and cannot use them to deny care that traditional Medicare would cover.
CMS-0057-F (CMS Interoperability and Prior Authorization Final Rule, 2024)
Sometimes called the "Patient Access Final Rule." The single most important regulation for builders working on prior authorization. Key dates and requirements:
- Effective for impacted payers (Medicare Advantage, Medicaid managed care, CHIP, qualified health plans on FFEs).
- By January 1, 2026 — affected payers must send prior authorization decisions within 72 hours for urgent and 7 calendar days for non-urgent requests.
- Payers must provide a specific reason for denial.
- Payers must publicly report PA metrics.
- By January 1, 2027 — affected payers must implement FHIR-based Prior Authorization API (Da Vinci PAS implementation guide), Patient Access API for PA info, Provider Access API, and Payer-to-Payer API.
For two decades, prior auth ran on faxes, phone calls, and proprietary portals. CMS-0057-F forces an open FHIR-based interface, with strict turnaround requirements and public reporting. This is the regulatory tailwind that's making prior auth AI a real market — but it also means your product needs to align with the Da Vinci PAS implementation guide, not invent its own interface. Covered in detail in Step 4's Prior Auth pod.
State-level laws to watch
Several states have passed AI-specific UM laws that bind any payer doing business in the state — and any vendor selling to those payers:
- California SB 1120 (2024) — health plans using AI for utilization management must ensure clinical decisions are made by a qualified human, AI cannot deny based solely on group data, and equity testing is required.
- Texas, New York, Illinois — variations on AI transparency and human-in-the-loop requirements.
The No Surprises Act (NSA, 2022)
Bans most surprise out-of-network billing and creates an independent dispute resolution (IDR) process for OON payment disputes between providers and payers. If you're building anything around OON claims or balance billing, you need to know the IDR mechanics — covered briefly in Step 4's Payment Integrity pod.
Your team wants to use a general-purpose LLM API to summarize de-identified clinical notes. What's the first question to ask?
"Is the data actually de-identified to HIPAA standards?" — meaning all 18 HIPAA identifiers removed, or processed under HIPAA Expert Determination. If yes, the data is no longer PHI and BAA requirements don't apply. If not (or if you're not sure), you need a BAA-covered tier of the LLM provider, and you need to verify the provider's BAA actually covers the API you're calling.
Under CMS-0057-F, what changes for a Medicare Advantage plan that currently takes 14 days to respond to a non-urgent PA request?
They have to compress that to 7 calendar days. They must also start reporting their PA metrics publicly and provide specific denial reasons. By 2027 they must additionally expose a FHIR-based PA API. AI vendors selling into MA plans should be positioning their products against these timelines.
Step 1 Glossary
- CPT (Current Procedural Terminology): AMA-maintained code set for physician services and outpatient procedures. 5 digits.
- ICD-10-CM: Diagnosis code set used in the US. Alphanumeric, 3–7 characters.
- ICD-10-PCS: Inpatient procedure coding system. 7-character alphanumeric. Used only for hospital inpatient claims.
- HCPCS Level II: CMS-maintained code set for drugs, DME, supplies, ambulance. One letter + four digits.
- Modifier: Two-character suffix on a CPT/HCPCS code that changes its meaning (e.g., -25, -59, -RT).
- X12 837 / 835 / 277CA / 270 / 271 / 278: HIPAA-mandated EDI transaction formats: 837 = claim, 835 = remittance, 277CA = claim acknowledgement, 270/271 = eligibility, 278 = prior auth.
- CARC (Claim Adjustment Reason Code): Standard code in the 835 explaining why a claim/line was adjusted. Maintained by the Code Committee of WPC.
- RARC (Remittance Advice Remark Code): Supplementary code in the 835 providing additional context for the CARC.
- EOB (Explanation of Benefits): Patient-facing summary of claim adjudication. Not a bill.
- PHI (Protected Health Information): Individually identifiable health information regulated by HIPAA.
- BAA (Business Associate Agreement): HIPAA contract between a covered entity and a vendor handling PHI.
- CMS-0057-F: CMS Interoperability and Prior Authorization Final Rule (2024), mandating FHIR APIs and shorter PA turnaround times.
Frequently asked questions
Do AI engineers really need to learn CPT codes? Can't they just look them up?
Looking up codes works for one or two examples. Building a product means designing data models, feature spaces, and eval sets where coding logic is everywhere. Engineers who don't internalize the structure ship models that mishandle modifiers, conflate professional and technical components, or treat ICD-10 as if it were flat. The most reliable way to get this fluency is the AAPC CPC certification (covered in Step 2).
How long does it really take to get through Step 1?
About 40 hours of focused study, plus another 20–40 hours of working with real claim files if you have access to them. Most teams stretch this across 4–6 weeks part-time. Don't rush — Step 2 and Step 3 assume you've internalized this material.
Where can I get sample 837 and 835 files to practice on?
Several sources: the X12 specification documents themselves contain examples; CMS publishes sample 5010 files for testing; clearinghouses like Availity, Change Healthcare, and Waystar publish sample files; and the Da Vinci HL7 implementation guides reference test bundles. If your organization is a covered entity or business associate, ask compliance about safely accessing de-identified historical data.
Is HIPAA the only privacy law I need to worry about?
No. Substance abuse records have stricter rules under 42 CFR Part 2. Genetic information has additional protections under GINA. Some states (California with CMIA, Texas with HB 300) have laws stricter than HIPAA. And if you handle EU-resident data, GDPR applies. HIPAA is the floor, not the ceiling.
What's the difference between a denial and a write-off?
A write-off (typically CARC 45) is a contractual adjustment — the difference between billed charges and the agreed contracted rate. It's expected. A denial means the payer is refusing to pay something they otherwise might have paid (medical necessity, missing auth, eligibility). Denials are actionable; write-offs generally aren't. Sophisticated denial-prevention AI separates these cleanly.