HIPAA Survival Guide February 2019 Newsletter

42 CFR Sections A-D
The regulations associated with 42 CFR Sections A-D ("42 CFR") are a set of sloppily written regulations and needlessly confusing for obvious reasons. The statutory authority for these regulations reads as follows:
The restrictions of these regulations upon the disclosure and use of drug abuse patient records were initially authorized by section 408 of the Drug Abuse Prevention, Treatment, and Rehabilitation Act (21 U.S.C. 1175). That section as amended was transferred by Pub. L. 98-24 to section 527 of the Public Health Service Act which is codified at 42 U.S.C. 290ee-3.
For our purposes, suffice to say that these regulations are related to Drug Abuse Prevention, Treatment and Rehabilitation. They are like HIPAA "on steroids" for PHI under the control of government assisted programs that help patients recover from drug abuse. The public policy rationale behind 42 CFR is one that we can agree with. These regulations do not want to penalize patients (e.g. heroin addicts) who seek drug abuse treatment with potential criminal prosecution for nefarious activities, otherwise it might hinder their actions for rehabilitation. Therefore, the protection of this PHI far exceeds that of HIPAA.
Even though 42 CFR is "related to HIPAA" it does not mention the latter anywhere. It is written as if these two sets of regulations are mutually exclusive; but clearly from a Practitioner's perspective they are not. For example, 42 CFR eliminates any exception for sharing PHI even for the purposes of treatment, payment, and operations ("TPO"). The latter is clearly allowed under HIPAA. 
Further, although 42 CFR does require contracts with third parties that may use the PHI in question, it does not mandate what the content of the contract should contain, nor does it impose any kind of reciprocal monitoring of the contract by both parties. It is silent as to these matters. In addition, these third-parties are not designated as Business Associates as they are under HIPAA, nor is their any regulatory language that addresses the potential subcontractors of these third-parties.
42 CFR also has nothing to say about Breach Notification. However, presumably (almost certainly) any breach of PHI maintained by persons and/or organizations that deliver this kind of treatment would trigger notification under HIPAA and likely under state law as well. 42 CFR's silence on breach notification is deafening, especially since the PHI in question is more sensitive by definition.
The fundamental problem with 42 CFR is that it raises more questions than it answers, forcing practitioners, judges, and other stakeholders to make educated guesses as to how these questions should be answered. 42 CFR arguably should have been made part of HIPAA. It is unclear from a legislative history perspective why it was not. We don't expect for it to be added  into HIPAA anytime soon; therefore, we are forced to continue to deal with the "bolt on" as a separate but related thing (i.e. vis-à-vis HIPAA).