Supreme Court Narrows Scope of Aggravated Identity Theft Law in Healthcare Fraud Case
Prosecutors Must Show That Means of Identification Is at "Crux of Underlying Criminality," Not Ancillary to Commission of the Crime
The healthcare industry is one of the most heavily regulated industries in the United States. Healthcare companies and practitioners devote significant resources to complying with the complex and often changing legal and regulatory schemes imposed on them. They are also often beset by aggressive prosecutors and opportunistic whistleblowers (and their counsel) with various forms of investigations and enforcement actions.
Yet, in this climate of intense scrutiny on the healthcare industry on several fronts, the United States Supreme Court has shown over the last few years a willingness to interpret laws impacting the industry in an appropriately narrow and constrained manner. For example, in the 2022 case, Ruan v. United States, a unanimous Court held that to convict a physician of a criminal violation of the Controlled Substances Act, the government must prove that the physician knowingly or intentionally acted in a manner that was not "authorized" by the physician's license, not merely that the doctor violated objective standards of care. And earlier this month, in a healthcare billing fraud case, the Court, again unanimously, narrowed prosecutors' ability to use the federal aggravated identity theft statute in garden-variety overbilling and fraud cases generally.
Dubin v. United States
David Dubin was convicted of healthcare fraud under the healthcare fraud statute at 18 U.S.C. § 1347 for overbilling Medicaid for psychological testing performed by a company he helped manage. Dubin did so by "overstat[ing] the qualifications of the employee who actually performed [patient] testing," which resulted in the government paying Dubin "inflated" reimbursement amounts. In committing this crime, Dubin "used" the names and Medicaid identification numbers of various patients on "fraudulent billing sent to Medicaid," but those patients did receive some testing. The question at issue in Dubin was whether by using patient information on fraudulent bills, Dubin committed not just Medicaid fraud, but also aggravated identity theft, in violation of the Aggravated Identity Theft statute at 18 U.S.C. § 1028A.
Section 1028A
Section 1028A is harsh insofar as it imposes a mandatory two-year sentence on any person who, "during and in relation to any felony violation" enumerated in the statute, "knowingly transfers, possesses, or uses, without lawful authority, a means of identification of another person[.]" It is considered a particularly severe penalty because judges must impose the two-year sentence on top of the penalty for the predicate offense, and the sentences must run consecutively. See 18 U.S.C. § 1028A(b).
On appeal, Dubin argued that, in convicting him for aggravated identity theft, the government stretched the bounds of Section 1028A too far, and that the statute should not apply when the use of a person's name is merely "incidental" to the crime. Dubin argued the phrase "in relation to" in Section 1028A signals that the "use" of a means of identification must have a "genuine nexus" to the predicate offense, "[t]hat is, the use must at least facilitate – or be instrumental to – the predicate offense." A unanimous Supreme Court agreed.
Section 1028A Requires a Genuine Nexus Between Means of Identification and Predicate Offense
The Court rejected the government's contention that a defendant violates Section 1028A any time he uses a means of identification to "facilitate or further" a predicate offense in some way. Calling the government's interpretation "boundless," the Court noted that under the government's interpretation, a person could commit aggravated identity theft (and be subject to enhanced penalties) if they merely "mention" another person's name in the commission of another predicate offense. This, the Court suggested, would put "everyday overbilling cases" at the core of the statute, and would stretch Section 1028A "well beyond ordinary understandings of identity theft."
Instead, the Court embraced the defense position that a Section 1028A conviction requires a "genuine nexus" to the predicate offense. Relying on statutory text, context, and "common sense," the Court held that a Section 1028A conviction must be premised on "identity theft specifically, rather than all fraud involving means of identification." More specifically, the Court found that the statutory phrase "in relation to" means that a "means of identification" must be "at the crux of the underlying criminality," lest the government turn all everyday billing offenses into "aggravated" offenses. It is not enough to merely use or mention a patient's name. Instead, the name itself (or other identifying information) must relate closely to the "fraudulent aspect of the offense." As the Court noted, patient names or other identifiers will "of course[] be involved in the great majority of healthcare billing" cases, but that does not automatically convert those cases into aggravated identity theft cases.
In Dubin's case, it was not enough that he used patients' names or Medicaid identification numbers. The crux of Dubin's crime was that he overstated the qualifications of the medical providers, not that he stole the identities of those receiving testing. For that reason, the Court vacated Dubin's aggravated identity theft conviction and remanded the case for resentencing.
In narrowing the scope of Section 1028A, the Court hoped to settle a split between the circuit courts and focus Section 1028A prosecutions on true identity theft. But as the Dubin opinion and Justice Gorsuch's concurrence make clear, that is not always easy. We may see prosecutors, juries and courts struggle with the "crux" test in the future, and we may even see the aggravated identity theft statute back before the Supreme Court. What we will not likely see, however, is the government using this statute again to overcharge everyday healthcare billing cases.
Holland & Knight Summer Associate Leonard Brahin contributed to this blog post.