By Adrienne Dresevic, Esq., and Leslie A. Rojas, Esq., of The Health Law Partners, P.C.  The OIG released its 2016 Work Plan, available here, which contains provisions affecting the imaging community. Each year, the Work Plan delineates the new and ongoing projects that the OIG plans to address during the fiscal year. This year, the OIG highlighted the following issues affecting the imaging community: Intensity-Modulated Radiation Therapy (IMRT): The OIG will continue to review Medicare outpatient payments for IMRT to determine whether hospitals are correctly billing for these services. As an example of one billing error, the OIG references Chapter 4 of the Medicare Claims Processing Manual, which provides that CPT codes 77014, 77280-77295, 77305-77321, 77331, 77336, and 77370 should not be billed in addition to CPT code 77301 when performed as part of IMRT planning. (See, Section 200.3.2 of Ch. 4, available here.) Hospitals that perform routine billing audits should add these IMRT CPT codes to the list of services to flag and review for accuracy. Imaging Services – Payments for Practice Expenses: The OIG will continue to review Medicare Part B payments for imaging services to determine whether they accurately reflect the expenses incurred. The OIG will do so by looking at the practice expense components (eg, office rent, wages, and equipment expenses), as well as the equipment utilization rates. The OIG will also look at whether the utilization rates are reflective of industry practices. Fraud and Abuse: The OIG continues to highlight diagnostic radiology as a case type that it reviews for healthcare fraud and abuse issues. Fraud and abuse may include: billing for services not rendered; billing for medically unnecessary services; patient harm incidents; and solicitation or receipt of kickbacks in exchange for patient referrals. A compliance program is an essential weapon in any imaging provider’s arsenal to prevent and protect against healthcare fraud and abuse. For more information on compliance programs, see our November 2014 Link article. Controls Over Networked Medical Devices at Hospitals: New to the OIG’s Work Plan this year is its plan to review whether the FDA’s oversight of hospital networked medical devices is sufficient to protect the electronic protected health information on those devices. The OIG specifically mentions “radiology systems” as one of the computerized medical devices that pose a growing security and privacy threat. The OIG explains that computerized medical devices “use hardware, software, and networks to monitor a patient’s medical status and transmit and receive related data using wired or wireless communications.” For these reasons, hospital imaging departments should assess the security of these devices and the software and networks used to transmit information. For example, a HIPAA security risk assessment can be performed to determine if there are any security weaknesses that should be addressed. For more information on HIPAA privacy and security issues, see our October 2015 Link article.   The imaging provisions discussed in this year’s Work Plan demonstrate that HIPAA privacy and security issues, billing errors, and fraud and abuse issues (including unlawful referral relationships and medical necessity deficiencies) continue to be major risk areas for imaging providers. The development of a comprehensive HIPAA privacy and security manual and a robust compliance program addressing these issues is an integral step in protecting against risk.