On Jan. 10, two practice management software company founders and two physicians were indicted to the tune of $70 million for allegedly submitting false claims to private insurers. Prosecutors allege that the practice management software company, Vivature, provided medical billing services to educational institutions and worked with two physicians to submit false claims to students’ insurers. The physicians used Vivature to submit billing invoices to insurance companies after treating the students.
However, questions arose when it was discovered that the physicians were hundreds of miles away from the students and were allowing the treatment to be performed by student athletes. The physicians submitted billing through Vivature as if they had done the treatment themselves, and Vivature then submitted the claims to various insurance providers.
For in-house counsel and business leaders looking to understand the larger implications of this indictment, there is a clear takeaway. If your company provides any kind of business management software, you might have a shared responsibility for how that software is used once it leaves your four walls.
As detailed in the indictment, defendants Mouzon Bass III and Lance West Wilson — CEO and EVP of Vivature, respectively — allegedly used the software to knowingly submit false claims on behalf of the two indicted physicians. Vivature, which has more than 400 collegiate partners and focuses on student athlete healthcare management, shared profits with the physicians from the insurance payments pursuant to their practice management software agreement.
The indictment raises an important question: If you are a practice management software company that works directly with your customer in the implementation of your software, how do you limit your liability in the event your customer is engaged in an illegal activity?
Assessing Your Company’s Risk
The reality is that the closer your company is to a client’s point-of-sale, the higher the degree of risk you assume. If you are assisting in the implementation of your software, a good rule of thumb is to imagine that you’re the one who’s primarily responsible for providing the service. In assuming this role, you are more likely to verify that your software is not being used to further illegal activities. For example, if your management software assists a business in the submission of bills to a governmental agency, you would need to have a system in place which verifies the information provided is truthful. Or, if that business collected large amounts of consumer data, you would ensure the business has a comprehensive data compliance plan which is compliant with current regulations. To understand risk, it is helpful to first look at how software companies typically engage with businesses.
There are three typical ways management software companies get involved with their business clients:
- Sell the software to a business for their use;
- Sell the software to a business with some degree of supplemental consulting service; or
- Sell the software with consulting, implementation and business fulfillment (for example, your company assists the client in running their business by collecting data or billing insurance companies for services rendered)
Safeguard Practices
The most effective way to address risk — at any level — is to first step back and ensure your company is following basic best practices.
- Establish comprehensive and up-to-date contracts outlining the terms and responsibilities of both parties, including specific language indemnifying your software company against civil and criminal liability. Ensure the client agrees that it will not use the software for any illegal purpose.
- Conduct annual, comprehensive reviews to ensure adherence to relevant legal frameworks. This proactive approach can identify and rectify potential issues before they escalate into legal challenges.
- Consider involving a team member not involved in the sales process to independently verify that the information provided is truthful.
  - Do they have an actual office at the address provided?
  - Are client employees licensed or credentialed within the state in which they operate?
  - Was their space inspected to ensure they are capable of the service they plan to bill for?
- Develop and establish a set plan for annual business plan and transparency check-ins with clients to safeguard against any potential government inquiries.
  - Is the business entity still legally compliant?
  - Are they still operating as the original contracted business?
  - Any changes in ownership? Lawsuits or pending investigations against the company?
  - Are all professional licenses in compliance with each related state regulatory body?
  - Any massive security breaches with the software?
Potential Pitfall: Texas’ New Law on Data Privacy
On June 18, Texas enacted the Texas Data Privacy and Security Act (TDPSA), adding our state to the list of U.S. states with a comprehensive data privacy law to protect consumers and hold businesses accountable for their data practices. To safeguard against running afoul of this new law, consider adding the following checks to your practices.
- Add compliance with data protection laws as an explicit requirement in your contracts, with specific language on the client’s data-handling obligations. Underscore the necessity of compliance with all pertinent data privacy laws and regulations such as the TDPSA, the General Data Protection Regulation, the California Privacy Rights Act, or other applicable regulations.
- Define data ownership and responsibility within contractual agreements. Specify that the client bears responsibility for the legality of the data they handle, absolving the software/consulting company of liability for any illicit actions on the client’s part. Include indemnification language in your contracts as it relates to data privacy.
- Incorporate regular, annual compliance audits into the contractual framework to assess the client’s adherence to data protection laws.
- Implement stringent security measures within software solutions to safeguard processed data. Encryption, secure access controls and routine security audits contribute to creating a secure data environment.
- Promote and implement data minimization practices that are emphasized in many privacy laws, advocating for clients to collect and utilize only the data necessary for legitimate business purposes.
- Encourage clients to obtain clear and informed consent from users regarding data collection and usage. Transparency in data practices serves as a powerful mitigating factor against legal risks.
These themes have been recently highlighted by The White House in its National Cybersecurity Strategy, stating that “we must rebalance the responsibility to defend cyberspace by shifting the burden for cybersecurity away from individuals, small businesses, and local governments, and onto the organizations that are most capable and best-positioned to reduce risks for all of us.” It’s fair to assume that the government will be issuing more mandates to hold technology companies accountable for protecting against vulnerabilities that result in consumer-impacting data breaches. In this 2023 Strategy, the president emphasized his administration’s priority “to protect the American people from hackers, hold bad actors and cybercriminals accountable, and defend against the increasingly malicious cyber campaigns targeting our security and privacy.”
Big Picture Takeaways
The bottom line is that the more involved you are in your clients’ business beyond the sale of the software itself, the more knowledge you need about their specific business practices and the more safeguards you need to put in place to protect your business. Whether it be protecting against your clients’ nefarious acts or unintentional breaches of data privacy law, management software companies must step up their practices to avoid shared liability.
Steve Toland is head of the Austin office of FBFK. He focuses his practice on federal criminal defense with an emphasis on white collar defense, investigations and data privacy law.