DSCSA
FDA announced on 8/25/23 that they are exercising enforcement discretion for DSCSA EDDS. What the heck does that mean?
I have spent a lot of time thinking about the Drug Supply Chain Security Act over the last three years, and especially the last 3 months. I’ve served on volunteer committees for multiple professional societies, and DSCSA compliance has been a topic of discussion for these committees since at least 2017. I believe that my participation in these committees, together with my efforts to understand and comply with the requirements of the law make me somewhat of a subject matter expert among “small dispensers.”
In this piece, I want to review what the DSCSA EDDS requirements ARE, WHY they exist, and why the FDA’s decision was, in my opinion, a vital decision. I also want to call out several major players in this space (including the FDA) in terms of how nonchalantly they have viewed this whole process of implementing the EDDS requirements.
First of all - the text of the law passed by Congress and signed into law on 11/27/2013 is available here, on page 562-595. The point of this law from my perspective is to attempt to prevent counterfeit products from entering the drug supply chain. As I’ve discussed before on this blog, counterfeit products DO exist and even have the apparently appropriate T3 documents to validate their legitimacy. The goals of this law are good goals - counterfeit drug products kill people and lead to increased disease burden in the population - the counterfeiting scheme I described previously likely caused ~10,000 person-years of uncontrolled HIV across the USA - that’s a lot of people who thought their HIV was undetectable and untransmittable (U = U) who lost control of their disease state and probably unknowingly, through no fault of their own, transmitted HIV to their partners. As an industry, we should absolutely take actions to prevent that kind of fraud. The paper-based systems that have been in place from 2015 till now have probably helped to catch and shut down these fraudsters to a small degree, after the fact, but they have not been capable (to my knowledge) of preventing these frauds early in the process.
The Enhanced Drug Distribution Security (EDDS) requirements that the FDA is delaying enforcement of by 1 year should theoretically help to actually disrupt this type of fraud earlier, hopefully before the public is harmed. (Sidebar: As a person subject to an Act of Congress that tries to lock down the US drug supply chain to ensure that all of the drugs are legitimate, it really bugs me when politicians talk a big game about importing drugs from Canada. You can’t have a closed supply chain where we know how every single bottle moved through the whole supply chain from factory to wholesaler to pharmacy/dispenser and then introduce drugs from a completely different regulatory regime into that mix. On the other hand, such attempts are a nod to the concept that “it is highly unlikely that the optimal level of fraud is zero.” NB - the book review I linked there and the book itself Lying for Money both specifically call out DSCSA as a system that attempts to ensure zero fraud).
Unfortunately, no one, from the manufacturers to the wholesalers to the dispensers to the FDA themselves has actually complied with the will of the 2013 Congress as written in the text of the DSCSA. The FDA was supposed to conduct a “small dispenser survey” no later than 8 and 1/2 years after the act passed. It’s been 9 and 3/4 years since the act passed, and the FDA just posted a request for comment on a proposed survey earlier this month, asking if the questions are the right questions or not. (In an attempt to make sure that small dispensers are personally represented in the public comments on this request for comment, I created a google form that I’ve sent to several colleagues and I’ve gotten a decent number of responses that I intend to submit to the FDA’s docket in early September. If you are reading this, I’d appreciate you filling out the google form I made - I’ll make sure the FDA sees your comments).
Additionally, the law requires the FDA to conduct several pilot projects, and while they did so, the vast majority of the pilot projects that were actually executed appear in my estimation to be poorly carried out attempts to promote blockchain by cryptocurrency enthusiasts, mixed in with a few actual serious attempts to comply with the law as written. Bizarrely, the final report that the FDA issued earlier this month of the pilot projects seems to contain a lot of what the goals of the projects were, and is rather short on the details of whether those goals were met or not.
Manufacturers have been required to send Transaction Information, Transaction History and Transaction Statements (T3 data) electronically to wholesalers and dispensers since 2017, but according to my wholesaler contacts, ~20-30% of all pallets they receive from manufacturers have missing or invalid T3 data. Under the EDDS requirements as written, that would mean that 20-30% of all pallets need to be quarantined until the T3 data is corrected or supplied. In a time where the FDA and DEA have seen the need to publish a joint statement about drug shortages of ADHD medication, quarantining 20-30% of pallets seems like a recipe for disaster.
Wholesaler executives have been rather silly about DSCSA EDDS compliance. For example, there’s this white paper by Cardinal Health’s CTO last year claiming that blockchain is the solution to all of the supply chain’s problems. Here’s another, this breathless press release in 2021 stating that blockchain will make pharmacies have “reliable, frictionless experience” with pharmaceutical chargebacks. I was skeptical at the time, and I’m 99% sure that Cardinal’s process of issuing a credit memo and a replacement invoice in the case of pricing errors (aka chargebacks) has exactly zero blockchain behind it, and I’d be rather shocked to hear of any pharmacy operator who would describe their experience with pricing errors as “reliable” or “frictionless.” I think “incredibly frustrating that you can’t build a price system into your software systems that accurately reflects changes to WAC in real time when you have a 30% market share” is more the typical pharmacy’s experience with chargebacks. Distributed public ledgers are a nice idea, but they are not a serious solution to DSCSA compliance, and if you think that getting every pharmacy in the country to register a GLN was a tough problem, getting them all to stand up a blockchain node to be able to participate in a distributed public ledger is a problem that is multiple orders of magnitude more difficult (read: impossible). Also, blockchain as a solution for a company that relies on charging different prices to different pharmacies to extract maximal revenue seems rather strategically shortsighted. Sorry, but if I propose a technical problem and you say “we’ll use blockchain,” I’m pretty sure that you are either a satoshi-pilled scam artist trying to juice stock prices, or you just fundamentally don’t understand the technical problem you are trying to solve. Either way, that’s a bad look for the CTO of one of the three largest wholesale distributors (and the FDA official that greenlighted the half dozen pilot projects that focused on blockchain).
Other wholesalers (including McKesson) continue to transact outdated X12 EDI .856 Advanced Ship Notices as their T3 data sets to pharmacies. I assume that they are working on shifting to EPCIS 1.2/1.3 files in order to comply with the EDDS requirements, but the fact that we’ve now known since at least 2016 that EPCIS would be the way that the EDDS data transfer requirements would be executed by McKesson, it’s rather disappointing that a company with $284 billion in revenue is still using .856 ASNs in data to pharmacies when they have been working on EPCIS data transfer to and from pharma manufacturers for 7 years now.
Additionally, all of the big 3 wholesalers have been engaged in disinformation campaigns informing their small dispenser pharmacy customers that they don’t need to do anything new to comply with DSCSA, because daddy will handle it. While it’s certainly an option to delegate maintenance of the T3 data to a third party, explicitly including to a wholesaler, the dispenser “shall maintain a copy of the written agreement and shall not be relieved of the obligations of the dispenser under this subsection.” As a small dispenser pharmacy operator, I’ve built up a healthy distrust of big 3 wholesaler requests to trust them that they’ll take care of me. Even if I choose to trust daddy McCardiSource Bergen to maintain my T3 data, I’m still responsible for making sure that they receive that data from all of my suppliers, to make sure that I send data to other pharmacies if I’m transferring stock (other than for a specific, identified, patient need), and to file form 3911s with the FDA when I receive suspect product. The communications I have seen and heard from the big 3 to small dispensers are irresponsible and seem like attempts to sabotage compliance, in my view. As I very much doubt that they will pay their biglaw counsel to defend small dispensers when a small dispenser gets a fine or lawsuit due to unintentional noncompliance with the DSCSA, communications that claim that pharmacies should trust their wholesaler to take care of DSCSA compliance likely create substantial legal exposure for these companies (who really can’t afford another $18B settlement).
McCardiSource Bergen Smith (McCardi B) and HealthPremVizset want you to know that true love is knowing your dispenser trading partner’s favorite McDonald’s meal full serialization data from every single supplier so that you can make sure that they aren’t cheating on you with their sidechick wholesalers. Gotta maximize that share of wallet for your GPR/GCR! (seriously though, don’t use your wholesaler as your EPCIS provider).
I’ve now complained about companies and entities with tens of thousands of employees and the failures of their respective bureaucracies long enough. If I’m a pharmacy operator, what do I actually need to do to make sure that I don’t get a fine in 2025 for failure to comply with DSCSA?
Get a GLN or find out which GLN daddy wholesaler registered on your behalf.
Demand that you get control of your GLN from daddy wholesaler, who didn’t ask your permission before they registered your pharmacy “Jolley’s Corner Pharmacy MRX” in the GS1 database, falsely implying that you are a subsidiary of Masters Pharmaceutical. Good luck with this part - I’ve been pestering GS1 and Masters/McKesson for a year now to give me control of my GLN so that I can make it actually match the legal name of the pharmacy and not have weird ownership and control implications. No luck even figuring out who in McKesson’s bureaucracy I can even talk to about transferring control of my GLN or de-activating it so that I can use the GLN that I registered for my pharmacy before I learned about daddy’s McCardiSource Bergen’s plan to register GLNs for every one of their customers (the Managed GLN Program).
Choose a vendor to send/receive EPCIS data on your behalf. After doing multiple demos and attempting to use other vendor software (which I found unuseable), I’ll personally be using LSPedia’s solution - they appear to me to be the only vendor with certain functionalities built as of the time of writing, such as connection to the Verification Routing Service (VRS) so that I can quickly conduct verifications of suspect product and clear it without the need for manual verification requests to pharmaceutical manufacturers. Had the EDDS been fully implemented, and provided with a VRS connection, Shane Jerominski could have discovered the fraud by Safe Chain Solutions almost immediately upon receipt of the fake Genvoya, rather than having to call Gilead and wait for a response. He could have scanned the 2D barcode on any of the bottles and would have received a “duplicate serial number” response from the VRS, which would have caused immediate quarantine of the product, rather than dispensing product that externally appeared legitimate and only discovering the fraud when a patient complained. To the best of my knowledge, the major vendors in this space include LSPedia, Infinitrak, Advasur, and Inmar, as well as presumably some kind of solution offered by each of the major wholesalers
Keep a copy of your EPCIS vendor contract somewhere that you can find it upon request.
Write up your standard operating procedures for DSCSA compliance and order receiving (all of the EPCIS vendors offer templates for editing)
Get your EPCIS vendor to connect with each of your wholesalers, and pester them until all of the connections are functional.
Annoy your primary pharmacy software vendor until they build functionality to allow their order receiving process to capture 2D barcode scans (with a single scan - you should not need to use the 1D barcode at all!) Keep annoying them until they build integrations with your chosen EPCIS data transfer partner so that you can have ONE inventory receiving process, not two or more. (i.e. pharmacies have the business need to maintain a perpetual inventory, and an essential part of that is making sure that you receive invoice data from your wholesaler into your software, as well as verifying that there were no mispicks by the warehouse. You also have a DSCSA compliance need to verify your product shipments against the EPCIS data that you receive. To minimize the labor cost of these two needs that have overlapping processes, you need your inventory and EPCIS software vendors to share information with each other, because one scan of the 2D barcode on each bottle received should provide all of the data needed for both processes).
The Partnership for DSCSA Governance (PDG) has also published a pharmacy checklist that was prepared by NCPA. You should read it as well. This slideshow by HDA also lays out a checklist for dispensers. PDG has a bunch of resources for pharmacies here as well. I read through a lot of their stuff while I was writing this post.
Several talking head bureaucrat types at PBMs and wholesalers seem to believe that serialization information will eventually be included in pharmacy claims data. That’s not going to happen, because 1) the claim billing transaction happens (by design) before the product is removed from inventory, so it’s not physically feasible, 2) claims will be fulfilled with multiple serial numbers all the time (3x30 count bottles for a 90 day supply claim, last 2 tablets of a 1000 count bottle plus 28 tablets from a new 1000 count bottle for a 30 tab/30 day claim), and there’s no legitimate or feasible business need for PBMs to receive serialization data - attempts by PBMs to find duplicate serial numbers would have far too low a signal-to-noise ratio to be at all useable.
However, I do believe that it will be a best practice to scan 2D barcodes while dispensing, to record the lot/expiry/serial numbers used, and to integrate that data with the EPCIS received inventory data. Scanning 2D barcodes requires the same amount of work by pharmacy staff as scanning 1D barcodes to verify accurate dispensing, and has the added benefit of alerting staff when they are dispensing product that is near its expiration date, as well as facilitating smaller call lists for patient-level recalls (if you record the lots used for every dispensing, you only need to call patients who actually received the affected lot #s). Integrating the 2D barcode-scanned dispense data with EPCIS received inventory data should allow pharmacies to pull expiring product off their shelf more efficiently (EPCIS data knows which bottles are expiring this month, but without the dispensing data, it’ll tell you to pull 5000 bottles off your shelf because it doesn’t know that you sold 4900 of them 4 years ago), as well as theoretically allow pharmacies to automate listing their soon-to-expire products to secondary markets like MatchRx to minimize waste and thereby liquidate their oldest inventory.
I think I’ve rambled about 2D barcodes and EDDS and too many new acronyms for long enough. In short, the FDA made the right decision to delay enforcement of EDDS by a year - while it might have felt good to see Fortune 20 companies get fines for noncompliance, the delays to product distribution and subsequent patient care due to the data integrity and data validation failures that haven’t been worked out yet would have been too severe. Let’s all get to work as an industry to make sure that we aren’t desperate for another delay next year.
I've been writing our policy and procedure for DSCSA. I can't not find a requirement any where for dispensers to scan and record and thus verify against the electronic data. The only verification required at receipt is that you received the electronic data and the item has a product identifier.
I'm I wrong? I'm not saying it isn't a best practice but just not a requirement. The "verification" part applies to be able to determine items in your possession are suspect or illegitimate. I think the scanning part is misinformation requiring pharmacies to buy a monthly subscription.
Kurt
Well s done, Ben