DSCSA: OIG Report Exposes Likely Enforcement Approach

Last week the US Department of Health and Human Services (HHS) Office of Inspector General (OIG) published their second report on the experience of selected members of the pharma supply chain with the exchange of drug product tracing information as required by the DSCSA.  This one was aimed at dispensers.  The one published last fall was aimed at wholesale distributors.  As you know, starting in January 1, 2015 (delayed until May 1, 2015), pharmaceutical wholesale distributors have been required to pass to their customers for non-exempt prescription drug shipments, and retain for six years, transaction documents (TI, TH and TS).  Since July 1, 2015 (delayed until March 1, 2016), dispensers have been required to receive and store these documents for six years.

Each of these reports details a simple study the OIG conducted to collect “unrepresentative” (unscientific, anecdotal) evidence of the quality of the transaction documentation that is being exchanged from a handful of companies in each category.  What they found was kind of interesting, despite the unscientific quality of their methodology.  They found a surprisingly low rate of full compliance.

I used the phrase “low rate of compliance” in that last sentence because I expected a higher level of compliance, considering that we are talking about a legal requirement that had existed for 5 to 7 months before the studies were conducted.  I was particularly surprised at the two independent pharmacies OIC picked at random that had never even heard of the DSCSA, so, of course, they hadn’t been doing anything to comply.  But that’s just me.  The OIG characterized the results somewhat more positively in the titles of these two reports:  “Wholesalers Exchange Most Tracing Information” and “Dispensers Received Most Tracing Information”.  Oh.  OK.  I guess I’ve been working too long with publicly-held, multi-national drug manufacturers and larger wholesale distributors who sweat every detail to ensure total on-time compliance with every word of every applicable section of the DSCSA.

On a brighter note, the “Big-3” wholesale distributors came through the first study with what appears to be a perfect score.  Congratulations.  That’s thanks to all that sweating—and a lot of money.  Every wholesale distributor they contacted was not only aware of the DSCSA, but every one of them was trying to comply with it.  Some were more successful than others.

Both reports conclude with recommendations that the FDA engage in more educational outreach, particularly to independent pharmacies.  They recommended that the FDA create a Frequently Asked Questions document about the DSCSA aimed at pharmacies.  To help wholesale distributors, they recommended the FDA provide technical assistance regarding transaction data exchange for direct purchase statements, exempt products and 340-B covered entities and contract pharmacies.  The FDA has already addressed that first wholesale distributor OIG recommendation by publishing draft guidance last month that provided lots of details around transaction data exchange, including direct purchases (see “DSCSA Guidance: Standardization of Data & Documentation Practices for Product Tracing”).


Everyone wonders how the FDA will enforce the DSCSA (see “How Will The DSCSA Serialization Mandate Be Enforced After 2017?”).  For trading partners beyond the manufacturer, will they do what the California Board of Pharmacy always said they intended to do as part of their efforts to enforce their pedigree law?  The CBoP always claimed they intended to make surprise visits to wholesale distributors and pharmacies, pick out a package of drugs and say, “show me the pedigree for this package” (see “Inspecting An Electronic Pedigree”).  The implication being, if you couldn’t produce the pedigree, you would be arrested.  Fortunately that law no longer exists (see “The California Pedigree Law Is Now Officially Inoperative”).

But isn’t that kind of what happened in these studies?  Why weren’t the companies who provided incomplete documentation in trouble?  They were clearly not fully meeting their DSCSA obligations—especially those two independent pharmacies.

It’s pretty clear to me from my reading of the DSCSA that no one should expect that kind of surprise request for no reason.  That’s just not how the law was written.  The requests for documentation made by the OIG in these studies were only experimental, voluntary and somewhat random.  When they were shown incomplete documentation by wholesalers and pharmacies—or none at all—no enforcement action was called for.  That is, none was appropriate.  No one “broke the law”, because that’s just not how it works.

Here’s how it’s supposed to work.  After something goes wrong, which results in a suspicion that certain drugs might be illegitimate, that will trigger formal requests for transaction documentation from everyone potentially involved.  These are when things could get serious.  If the drugs under suspicion are in your possession now or were in the past, you can expect someone to ask to see your DSCSA transaction documentation for all transactions involving them.  Those requests will probably come as a surprise, but in these cases, there is a reason behind the request.  Requests can come from the FDA and other federal agencies and even appropriate state agencies.  If, at that time, you can’t fulfill the request to produce the complete set of transaction documentation with all the mandated data elements within the mandated time, will you be in trouble?  Maybe, maybe not.

I suspect the agencies will not be too harsh on companies who do not have complete documentation, although you might be treated with suspicion for a while.  But if they find that you knowingly bought drugs from unauthorized entities, and that’s why you don’t have proper documentation, you are probably going to be treated like a criminal.  Now you’ve really broken the law, and that’s probably going to lead to penalties—and maybe even prosecution—more often than it has in the past.  And if they find that you forged transaction documentation, you’ll be in even more trouble (so please don’t do that).

In short, the DSCSA was not designed to create a new class of criminals:  those who do not always produce or receive fully filled out transaction documentation.  It is designed to help the FDA investigate what actually happened, and who is likely at fault when some other crime has been committed.  When data elements are missing within transaction documents, as the OIG found in quite a few cases, that’s just going to slow the investigations down.  I can’t say you won’t get penalized in that situation—especially in a life-threatening situation—but that’s not the “crime” they will be looking for.

The FDA and the OIG would certainly prefer to always get a complete set of transaction documents with all the required data elements filled in whenever they request it, but their relaxed reaction in these incomplete reports appears to show that they may not expect rigid compliance.  Of course, I don’t recommend that you test that theory.