Draft Regulations On Certifications Within California ePedigrees

Edited by Dirk

Important Notice To Readers of This Essay: On November 27, 2013, President Barack Obama signed the Drug Quality and Security Act of 2013 into law. That act has many provisions, but one is to pre-empt all existing and future state serialization and pedigree laws like those that previously existed in California and Florida. Some or all of the information contained in this essay is about some aspect of one or more of those state laws and so that information is now obsolete. It is left here only for historical purposes for those wishing to understand those old laws and the industry’s response to them.

During the March 14, 2013 meeting of the Enforcement Committee of the California Board of Pharmacy, Joshua Room, Supervising Deputy Attorney General at the California Department of Justice assigned to the California Board of Pharmacy, distributed copies of draft text that he is looking for public comments on.  The draft is for regulations covering pedigree “certification”, the use of “inference” and “inspection” of electronic pedigrees.  Unfortunately the text is buried in a PDF that contains some other material related to the agenda of that meeting.  You can find that PDF file here.  As a service to people who wish to respond to it, I have cut-and-pasted the text into a MS Word document.  You can download that document here.

I am not planning on responding to the Board with my thoughts, but I do have some ideas.  I’ll cover each of the three topics in its own essay.  I consider pedigree certification to be the biggest barrier to the use of GS1 EPCIS-based Network Centric ePedigree approaches, so I will discuss that topic first.  For some background on my earlier coverage of this topic—including a list of my essays on it—see last week’s RxTrace essay, “The Board of Pharmacy Must Respond To Ideas For Making EPCIS Work”.

The use of pedigree solutions that are based purely on GS1’s EPCIS standard seems to many to be a natural fit because the standard is designed to document serial number-based supply chain events.  Most people recognize that description as something like an electronic pedigree, and they are right.  It is something like it.

The problem is, the California pedigree law, like all of the other pedigree laws in the United States, is written in a way that leads you down the path of passing an electronic document from one trading partner to the next.  Each trading partner must add data to the pedigree as it moves, which means that the electronic pedigree document gets bigger the farther down the supply chain it gets.  Most people who know the GS1 Drug Pedigree Messaging Standard (DPMS) will recognize that description as the way DPMS works.  DPMS mirrors these laws.

But there is good news.  At the December 4th, 2012 Enforcement Committee meeting of the California Board of Pharmacy, Mr. Room said that he doesn’t see anything in the law that would preclude the use of a Network Centric ePedigree (NCeP) solution like the one used in the Abbott, McKesson, VA, GHX pilot (see, “The Significance of the Abbott, McKesson and VA Pilot”), which made use of a Centralized NCeP.

I was more than a little surprised at that.  After all, I am the author of at least two essays that claim in their titles that EPCIS alone won’t work for California compliance (see, “Why GS1 EPCIS Alone Won’t Work For California Pedigree, Part 1”, and “… Part 2”).  But ever since that meeting, people have been trying to figure out how to creatively meet the challenge he issued along with his comment:

“There are various things that have to be included in [the pedigree], including that you have to […] certify the data that you are providing as being true and accurate.”

(See “California Board of Pharmacy Clarifies Use Of GS1 EPCIS”.)  Even Mr. Room has contributed to that effort (see “The Board of Pharmacy Must Respond To Ideas For Making EPCIS Work”).  The draft regulation on certification that he published last month for public comment may be his way of giving the industry an opportunity to influence the wording of the regulation so that it might allow the use of an NCeP.  At least that’s how I’m looking at it.

As I’ve said before, pedigree certification is one of my favorite topics.  I’ve given it a lot of thought, so I found it fairly easy to mark up Mr. Room’s draft with changes that I think would accommodate the use of an NCeP.  At the same time I made markups that would accommodate the use of GS1 Global Location Numbers (GLN) and Global Trade Item Numbers (GTIN) in place of the full addresses and full product data elements specified in the law.  My markup (using “Track Changes” so you can see my edits clearly) can be found here.


I have concluded that the biggest mistake in the law and especially in the draft regulation is the reliance on a single security technology—digital signatures—to provide both the non-repudiable certification of truth and accuracy of the pedigree contents AND to provide immutability of the data.  Let me explain.

When someone writes down a certification of truth and accuracy, it only has value if they cannot later easily claim that they did not really make the certification.  That is, the certification loses its value if they are able to “repudiate” it by denying that they ever made the claim of truth and accuracy.  So the draft regulation makes use of digital signatures so that it is much harder for a company or individual to repudiate that they made the certification after the pedigree is properly “signed” by them.

Pedigree immutability is also very important.  When something is “immutable”, it cannot be changed.  Digital signatures cannot prevent signed data from changing, but they are quite good at making it obvious when the data has been changed after signing.  Digital signatures can provide total confidence that the data has, or has not, been changed.  So digital signatures are often employed whenever immutability of electronic documents is required.

Because digital signatures are well suited for ensuring both characteristics, it is logical that their use would be specified by regulation (well, at least it’s logical to me).  The problem is, the draft regulation as written seems to make use of a single digital signature to enforce both properties.  That will drive you down the path of using DPMS.

DPMS uses the same digital signature for both purposes.  This results in wholesalers, for example, being forced to pass on the manufacturer’s list of serial numbers representing as much as their entire shipment to the wholesaler (depending on how granularly the manufacturer generates their pedigrees) when the pharmacy buys only one bottle of drugs.  That’s because the certification technology used is also the immutability technology.  The wholesaler cannot limit the exposure of information provided by the manufacturer to only the single unit that the pharmacy bought or they would break the immutability.

The problem here is that shipments from wholesaler to pharmacy are much smaller than shipments from manufacturer to wholesaler, so the pedigree data should follow a similar reduction.  Wholesalers should show the pharmacy only the pedigree data that fully documents the history of the unit(s) that the pharmacy is receiving.

To accomplish this, the non-repudiability of the certification of truth and accuracy made by the creator of the data must be distinct from the basic security mechanism that ensures immutability of the pedigree data, even if the technology used to implement both turns out to be digital signatures.  Once you separate these two mechanisms, you are free to make use of an NCeP without violating one or the other as shipments become less granular as they move down the supply chain.  You might still use digital signatures for one or the other, or both—just not the same digital signature for both.
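The coupling problem and one way out of it can be shown in a few lines. This is an added illustration, not part of the essay, the draft regulation, DPMS or any GS1 work: it models the coupled case as a single signature over the whole serial list, and the separated case as a signature over a manifest of salted per-unit digests. The Lamport one-time signature, the record layout, the function names and the sample product and serial values are all assumptions chosen so the code runs with the standard library only.

```python
import hashlib, json, os

def H(b): return hashlib.sha256(b).digest()
def encode(obj): return json.dumps(obj, sort_keys=True).encode()

# Lamport one-time signature (hash-based, stdlib only): a stand-in for whatever
# signature scheme a real pedigree system would use. One key pair signs once.
def keygen():
    sk = [(os.urandom(32), os.urandom(32)) for _ in range(256)]
    return sk, [(H(a), H(b)) for a, b in sk]

def _bits(msg):
    d = int.from_bytes(H(msg), "big")
    return [(d >> i) & 1 for i in range(256)]

def sign(sk, msg):
    return [sk[i][b] for i, b in enumerate(_bits(msg))]

def verify(pk, msg, sig):
    return len(sig) == 256 and all(
        H(s) == pk[i][b] for i, (s, b) in enumerate(zip(sig, _bits(msg))))

# Coupled model: one signature certifies and protects the full serial list.
def coupled_pedigree(sk, product, serials):
    body = {"product": product, "serials": serials}
    return body, sign(sk, encode(body))

# Separated model (hypothetical): the signature certifies a manifest of salted
# per-unit digests; each unit's integrity is checked against its own digest.
def unit_digest(product, serial, salt):
    return H(encode({"product": product, "serial": serial, "salt": salt.hex()})).hex()

def separated_pedigree(sk, product, serials):
    salts = {s: os.urandom(16) for s in serials}
    manifest = sorted(unit_digest(product, s, salts[s]) for s in serials)
    return manifest, sign(sk, encode(manifest)), salts

def verify_unit(pk, manifest, sig, product, serial, salt):
    return verify(pk, encode(manifest), sig) and unit_digest(product, serial, salt) in manifest

def demo():
    product, serials = "GTIN-PLACEHOLDER", ["SN%04d" % i for i in range(1, 6)]  # constructed
    (sk1, pk1), (sk2, pk2) = keygen(), keygen()
    body, sig = coupled_pedigree(sk1, product, serials)
    trimmed = {"product": product, "serials": ["SN0003"]}  # what the pharmacy should see
    manifest, msig, salts = separated_pedigree(sk2, product, serials)
    return (verify(pk1, encode(body), sig), verify(pk1, encode(trimmed), sig),
            verify_unit(pk2, manifest, msig, product, "SN0003", salts["SN0003"]),
            verify_unit(pk2, manifest, msig, product, "SN9999", salts["SN0003"]))
```

In the separated model the recipient learns how many units the manifest covers, but none of the other serial numbers, and the manufacturer's signature still verifies for the single unit disclosed.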

And why should the regulation care whether there are one, two or three digital signatures—or even none—in use, as long as some technology is employed to ensure that these two properties are maintained at all times?

My edits do not propose any particular technology.  In fact, they remove the specification of technology (which might surprise a few people considering that I wrote the essay, “Should Regulations Dictate Technology?”).  It will be necessary for the industry and solution providers to agree on which technologies would be applied to accomplish this.  Groups in GS1 and GS1 US Healthcare are currently working on how this might be done.  It’s going to be hard enough for them to accomplish it without a regulation that needlessly places restrictions on the technical solution.

My edits change the regulation so that it focuses on mandating the results and not the “how” in this case.  It should define what a “certification” is in non-technical terms, focusing on the outcomes.  It should specify immutability of data without choosing the technology to accomplish it, again, focusing on the outcome.

My edits also add a new section (d) regarding the use of trusted third parties as intermediaries to receive, hold and make accessible pedigrees on behalf of the drug seller and buyer.  This includes the use of a centralized service like the one in the Abbott, McKesson, VA, GHX pilot that Mr. Room felt was not precluded by the law.  I think the regulation should explicitly recognize this way of “transmitting” pedigrees from seller to buyer, or as the draft regulation calls them, from source to recipient.  This addition also includes language that acknowledges the need for parties to correct unintended errors that will occur in pedigrees and provides a safe way to make these changes transparent in the pedigree.

I encourage you to read the draft regulation on certification.  Read my markup.  Make up your own mind and create your own markup.  Tell me where yours is better than mine.  If you are a member of the supply chain, send in some formal comments before their next meeting in June to help the Enforcement Committee create a workable regulation that will accommodate GS1 identification standards, NCePs and pedigree corrections.  Or, prepare to use DPMS.