A lot of things related to ePedigree in the U.S. supply chain are cooking right now but they seem to be happening a little too slowly, so it will be interesting to see where it all ends up in the next few years. After developing the Drug Pedigree Messaging Standard (DPMS) in 2006-2007, GS1 is now taking only the initial steps toward adding network-centric ePedigree capabilities to their EPCIS and related standards. The California Board of Pharmacy says they would like to be able to accept a semi-centralized network centric approach as long as it includes all the stuff listed in their pedigree law. For nearly 18 months, GS1 U.S. has been “nearing publication” of a draft guideline—six years in the making—that is supposed to help companies who want to use EPCIS to meet the California law. Congress considered passing a Federal track & trace regulation that would have preempted the California law last year but failed from lack of agreement between the parties. Some companies are making good progress on meeting the serialization requirement but the number who have the pedigree part figured out are those who have settled on DPMS. All the while the California pedigree deadlines are rushing toward us like a bus-sized asteroid heading straight toward Earth. Not surprisingly, the asteroid is moving faster than the efforts to divert or absorb it.
I’ve written about my theory that the date of impact won’t be pushed out again, no matter what happens (for a full explanation of that theory, see “Will The California ePedigree Dates Slip Again?”).
What can be done? In my view, it’s going to be determined by Continue reading California ePedigree Uncertainty
Within conversations held during the development of standards for electronic pedigrees it is sometimes common to hear people apply the following test to any pedigree proposal:
“A state inspector arrives at your facility without prior warning, enters the warehouse, picks up any random package of drugs and asks to see ‘the pedigree’ for this package.”
The point being made is that, according to the California Pedigree Law, at the very least, supply chain members will need to be capable of producing a full pedigree for any and every package of drugs in their possession at any time in case of a surprise inspection.
This scenario is an important one when selecting a pedigree model, but it often causes me to think about exactly what the company being inspected would show the inspector, and how they would do that. Continue reading Inspecting An Electronic Pedigree
For the application of unique serial numbers, or Standard Numerical Identifiers (SNIs), to packages as part of compliance with the California Pedigree Law in 2015-2017 , GS1’s Electronic Product Code (EPC), particularly in barcode form, is the clear winning standard. But there seems to be a very common misconception going around that for pedigree data management, all you need to do to comply with that law is to deploy a system that is based solely on the GS1 Electronic Product Code Information Services (EPCIS) standard. The misconception assumes that there is a formula that can be followed to achieve compliance and that EPCIS is the whole formula.
In truth, EPCIS will almost certainly be an important component in the compliance formula but exactly how it fits, and whether there are other necessary components, has not yet been determined.
There are probably several reasons that this misconception persists. First, GS1 US continues to promote their 2015 “Readiness” Program as if it is that formula. The program documentation strongly implies that, if you simply follow their program, you will “be ready” to comply with the law; but it stops short of actually saying that you will be compliant.
Second, it seems like people are either able to understand the law well but not the technical standards, or they are able to understand the technical standards well but not the law. The legal folks are left to trust what the technical people say about EPCIS, and the technical people assume that as long as the data elements identified in the law are present somewhere then EPCIS must comply.
Now I am not a legal expert but I’ve been looking at the text of the California Pedigree Law for a few years now and I think I understand it at a level that allows me to estimate how various technical approaches might fill its requirements. Let me show you how Continue reading Why GS1 EPCIS Alone Won’t Work For California Pedigree, Part 1
The original California Pedigree Law was passed back in 2004 and it was subsequently modified by the State Legislature in 2006 and again in 2008. In all three instances, I understand that members of the legislature and the Governor’s office worked closely with the State Board of Pharmacy to develop the final content and language.
I heard that one of the goals was to create a better law than the one in Florida. Did they succeed? In order to find out, let’s take a closer look at how they compare.
The law that is currently on the books in California differs from the Florida Pedigree Law in the following ways:
- It is fully electronic (it is NOT paper-based)
The law and all of the discussion of the law by the Board of Pharmacy make it clear that the only acceptable form of a pedigree is electronic. This make it much more reasonable to implement because supply chain members can make use solely of computers to exchange, store and validate pedigrees, without fear that their trading partners can only handle paper pedigrees.
- Pharmacy returns must be reflected on pedigrees
This was an original requirement of the Florida Pedigree Law too, but it was removed under pressure from lobbyists before the law went into effect. So far, it remains intact in California, but the law is not yet in effect. What it means is that when a pharmacy buys drugs from someone and they return those drugs, regardless of how little time has transpired, they must provide a pedigree update so that subsequent buyers of those drugs can see their purchase, and return transactions. This is no different from the requirements faced by all other segments.
- It starts with the manufacturer
In Florida the first wholesaler started the pedigree. In California, the pedigree must be started by the manufacturer or it is not valid. If you are looking to expose the full history of package of drugs, how could you not start with the manufacturer? I even think the manufacturers generally agree with that notion.Interestingly, the Law doesn’t actually require anything of the manufacturers directly. It is directed at wholesalers who are licensed to operate within the state. Distribution of a drug without a pedigree that was started by the manufacturer is illegal and subject to penalties, but it is the wholesaler who violates the law and is punished, not the manufacturer. Thus, if a given manufacturer fails to provide California wholesalers with serialized product and compliant pedigrees by the time the law goes into effect, it will be up to the wholesaler to decide not to distribute those drugs within California in order to avoid violation of the law and avoid the associated penalties. The only risk a manufacturer takes on is that their drugs may no longer reach patients in California (and the subsequent PR firestorm that would follow).
- It requires item-level serialization
California is very clear that they consider the concepts of “electronic track and trace” and “item-level serialization” as being inseparable. That is, if you have one but not the other, then you don’t have a pedigree system. Every drug package must have a unique identifier on it, applied by the manufacturer or repackager, and that UID must be included in the pedigree (the electronic record). This is a substantial difference from the Florida law which has no such requirement.
- No holes designed to accommodate special interests
I’m not aware of any special treatment in the Law for any particular segment of the supply chain. Florida opened several holes that seriously compromise the intent of their law. So far, California has resisted opening holes, unless you consider pushing back the effective date to 2015-2017 a “hole”. 😉
Attentive readers will notice that I have listed these differences in the same order as my list of failures of the Florida Pedigree Law in my earlier post about the Florida Law. This is my way of showing that California has, so far, created a pedigree regulation that does not have any of the major failures of the Florida regulation.
These are the major differences, but what about the common characteristics? Here are the key things that the California Law has in common with the Florida Law:
- Reliance on Digital Signatures
Florida allows a pedigree to be created, stored and passed in electronic form, though they don’t require it. But if a Florida pedigree is in electronic form, digital signatures are required for the same purpose as a hand-executed signature on a paper document. The digital signature legally binds the signing person or entity to the content of the electronic document. Florida identified some specific standards that ensure that the digital signatures possess the all-important quality of non-repudiation. The California Pedigree Law does not, itself, specify any standards for digital signatures, but the Board of Pharmacy’s Q&A (see their Q72) calls out the fact that the California Code of Regulations identifies the specific characteristics that must result from a compliant digital signature architecture for electronic documents. The digital signature standards that are compliant in Florida would also be compliant in California.The fact that California included the use of digital signatures is significant because it ensures that each pedigree can stand on its own as a self-contained, self-secure package. This maximizes the value of the entire pedigree architecture because the security mechanism that prevents tampering goes with the package itself. No one has to rely on the access security of a given server or group of servers to prevent tampering. And, if tampering does occur, it can be easily detected, unlike tampering of pedigree approaches that rely solely on server access security. In that case, if server security is breached, you can’t tell which pedigrees were modified and which were not, rendering them all suspicious.
- It distributes responsibility for monitoring supply chain security to all supply chain participants
This is the one genius concept of the Florida Law and California retained it, thus qualifying those involved for genius status as well. It’s a regulatory approach that is relatively new but is likely to become much more common in the face of perpetual budget “crises” in state and federal government agencies. Instead of requiring trading partners to simply keep records of their own buying and selling history for each drug so that they can be audited by an inspector at some later date, these laws require them to check the validity of the full pedigree at the time of each purchase transaction, in near real-time.Notice the difference. In the first instance, it is up to the State Board of Pharmacy inspector to detect suspicious activity in the supply chain. But how often will a state inspector visit, and how many records will they be able to review? It’s inconceivable that this approach would result in the detection of illegitimate activity.But when every purchase of a drug as it passes down the supply chain requires the buyer to run a validity check on the full transaction history of that specific bottle, it greatly increases the odds that most suspicious transactions will be detected. And for most suspicious events in the history there will normally be multiple opportunities for detection. Here, digital signatures are the enabling technology. They allow all of this supply chain monitoring activity to occur reliably and automatically inside computers that are distributed throughout the supply chain, without human intervention and without slowing the movement of drugs.
So did California succeed in creating a better law than Florida? I propose that there is almost no comparison so the question may be moot. The California Pedigree Law is so much more far-reaching than the one in Florida. While Florida focused on disrupting some very troublesome practices being performed by a few nefarious licensed and unlicensed wholesalers, California’s law is designed to cause a major reorientation of the pharmaceutical supply chain approach to security, monitoring and policing (see also The Deputized Supply Chain). This has major implications that go well beyond those of the Florida law.
Faced with that, it is not surprising that it was necessary to push out the effective dates to 2015-2017. Transformation this big takes time to implement.