Recently, the Office of the Inspector General (“OIG”) for Health and Human Services identified twenty portable x-ray suppliers that exhibited questionable billing patterns when compared to its established criteria.  The OIG based its review on 2008 and 2009 Medicare claims data, nursing home stay data, and provider enrollment data to examine portable x-ray suppliers’ billing patterns. The review found questionable patterns which resulted in Medicare paying approximately $12.8 million for return trips to nursing facilities on a single day.  Additionally, these billing practices generated $6.6 million in Medicare payments for services ordered by nonphysicians, which are not covered and, contrary to Federal regulations.  Only licensed physicians may order portable x-rays.

In 2009, Medicare paid approximately $225 million for extremities, pelvis, spine, skull, chest, and abdomen x-rays rendered by portable x-ray suppliers, entities that furnish x-rays at a beneficiary’s location. X-ray suppliers receive separate Medicare payments for the suppliers’ mobile equipment transport and setup in addition to test administration and interpretation. The OIG’s recommendations included that CMS:

(1) Develop and implement a process to periodically identify portable x-ray suppliers that merit greater scrutiny and follow up;

(2) Identify the incorrectly billed transportation component claims that make up a portion of the $12.8 million it paid for return trips in 2009 and collect any overpayments;

(3) Collect the $6.6 million in overpayments that resulted from 2009 claims made for portable x-ray services ordered by nonphysicians, and

(4) Implement procedures that ensure that its pays for only physician-ordered portable x-ray services.

On February 21, 2011, the Health and Human Services (“HHS”) Office of Civil Rights (“OCR”) announced the first civil money penalty under HIPAA since the regulation took effect in 2003.  OCR imposed a fine of $4.3 million on Cignet Health (“Cignet”), a Temple Hills, Md., health plan that also operates two clinics offering services in Prince George’s County, a suburb of Washington, D.C.  After investigating numerous patient complaints, OCR found that over a one month period in 2009, Cignet denied 41 patients access to their medical records, thereby denying their rights under HIPAA.  Additionally, Cignet refused to cooperate with OCR’s investigation of these incidents. OCR fined Cignet $1.3 million for patient rights violations and $3.1 million for its failure to cooperate with the investigation.

The HITECH Act increased the number of categories that qualified as HIPAA violations and increased the fines that could be imposed for HIPAA violations.  The proposed HIPAA penalties, which conceivably could go into effect within one year, would increase financial penalties for single privacy and security violations up to $50,000 per violation.  Additionally, the proposed changes would impose a maximum penalty per year of $1.5 million per provision of the HIPAA Privacy and Security Rules.  At the February 2011 annual Health Information and Management Systems Society (“HIMSS”) conference, Adam Greene, an OCR senior health IT and privacy advisor, stated that these fines could add up quickly given the numerous breach incidents that typically contain multiple violations.

HHS Secretary Kathleen Sebelius has stated that HHS is committed to enforcing individual rights guaranteed under HIPAA.  Organizations that knowingly disregard their obligations will be targeted for investigations and enforcement action, according to OCR.  In furtherance of what appears to be a stepped-up effort to ensure HIPAA compliance, OCR requested $5.6 million in increased funding over the previous year, with over 75% of the new funds projected for increased enforcement.