Category Archives: pedigree laws

pedigree laws

Should Regulations Dictate Technology?

4 Comments

Important Notice To Readers of This Essay On November 27, 2013, President Barack Obama signed the Drug Quality and Security Act of 2013 into law. That act has many provisions, but one is to pre-empt all existing and future state serialization and pedigree laws like those that previously existed in California and Florida. Some or all of the information contained in this essay is about some aspect of one or more of those state laws and so that information is now obsolete. It is left here only for historical purposes for those wishing to understand those old laws and the industry’s response to them.In the U.S. pharmaceutical supply chain this question becomes, should regulators—state legislatures, state Boards of Pharmacies, Congress or the FDA—mandate specific technology for serialization, ePedigree and other regulations?  This question arises whenever a new regulation is considered by any of these bodies or agencies.  It’s an important question now that the FDA is considering standards for ePedigree, Track & Trace and related things and I think there are some natural conclusions that can be drawn from past examples that lead to a potential answer.  Let’s review the history first.

EXAMPLE:  EXISTING ePEDIGREE LAWS

The language of the U.S. Prescription Drug Marketing Act (PDMA) specified the kind of data that must be in a compliant pedigree but it did not identify any particular technology to carry that information.  Of course, compared with today, what kind of technology was available back in 1987 when the PDMA was first introduced in the U.S. House of Representatives?  Is it a paper pedigree?  Can it be electronic?  What is the format?  Can GS1’s Drug Pedigree Messaging Standard (DPMS) be used to comply? Continue reading Should Regulations Dictate Technology?

pedigree laws

Do We Even Need To Mandate Drug Pedigrees Anymore?

2 Comments
  Important Notice To Readers of This Essay On November 27, 2013, President Barack Obama signed the Drug Quality and Security Act of 2013 into law. That act has many provisions, but one is to pre-empt all existing and future state serialization and pedigree laws like those that previously existed in California and Florida. Some or all of the information contained in this essay is about some aspect of one or more of those state laws and so that information is now obsolete. It is left here only for historical purposes for those wishing to understand those old laws and the industry’s response to them.

 

Drawing by Zsuzsanna Kilian

A CHALLENGE TO THE CURRENT CONVENTIONAL WISDOM

 

Currently well over half of the U.S. states have a drug pedigree law of some kind either on the books, in the process of being enacted or proposed in their legislature.  No two laws are exactly the same.  That fact is quite painful for the national participants in the supply chain and it gets a little worse every time a new law is enacted or a change is made to an existing law.  For this reason, the conventional wisdom among many supply chain participants, industry organizations, solution providers, and even the regulators themselves is that a nationwide pedigree law would be better than 50 different local laws.

Many of these entities are in favor of replacing those state laws with one administered by the U.S. Food and Drug Administration (FDA).  I don’t challenge that.  In this essay, I’m challenging the very need for any U.S. pedigree requirement at all.  Let me explain. Continue reading Do We Even Need To Mandate Drug Pedigrees Anymore?

pedigree laws

What are Pedigree Laws Trying to Accomplish Anyway?

6 Comments

Important Notice To Readers of This Essay On November 27, 2013, President Barack Obama signed the Drug Quality and Security Act of 2013 into law. That act has many provisions, but one is to pre-empt all existing and future state serialization and pedigree laws like those that previously existed in California and Florida. Some or all of the information contained in this essay is about some aspect of one or more of those state laws and so that information is now obsolete. It is left here only for historical purposes for those wishing to understand those old laws and the industry’s response to them.Conversations about the merits of various pedigree and authentication models usually start from dissatisfaction with some characteristic of the current GS1 DPMS pedigree model. I maintain that the design of DPMS—including its perceived flaws—is merely a reflection of the current state and federal pedigree laws and regulations. Characteristics that people don’t like—like digital signatures, a growing document as drugs move down the supply chain, and the fact that Supply Chain Master Data is not used by DPMS—are actually all characteristics of the laws and/or regulations, so any alternate pedigree model that would truly be usable for compliance would need those characteristics too.

But that’s not exactly what I want to discuss in this essay. Instead, I wanted to explain my theory of what U.S. pedigree laws are trying to accomplish in the first place. Forget about how they do it for now. What were the goals of those who wrote these laws and regulations? I’ll agree that this is impossible to know for sure but I think I can construct a pretty convincing theory. I don’t know any of the legislators or congresspeople who wrote these laws, but I have studied their work for over four years now. I have made the following observations.

  1. The highest priority goal of the Florida and California laws appears to be to detect the introduction of illegitimate drugs (counterfeit, stolen, up-labeled, diverted, etc.) into the legitimate supply chain as early as possible, preferably at the very first transaction. These laws accomplish this by requiring companies buying drugs within the supply chain to receive the full supply chain history of those drugs at the time of the purchase (contained in a “pedigree”), and, most importantly, by requiring them to verify the legitimacy of those prior transactions. In Florida that verification can be performed by direct contact, such as a phone call, email, fax, etc., or, optionally, through the use if digital signatures. In California, this verification can only be performed through the use of digital signatures. The federal PDMA, on the other hand, does not appear to obligate the buyer to do any verification of the information provided on pedigrees they receive.Finally, Florida and California both require the recipient of the shipment to confirm that the physical drugs they received match those described by the pedigrees they received. That seems obvious, doesn’t it? Why would any legislative body require all or some supply chain participants to go through all the expense to generate and pass pedigree information but stop short of requiring anyone to actually look at it? Well, oddly, the federal PDMA appears to do just that.
  2. There is a clear attempt in the laws to help identify who participated in the introduction of the illegitimate product. This is important if your goal is to efficiently and quickly investigate the suspected crime. This would aid in shutting down the criminals as quickly as possible before they are able to spread bad medical products very deeply into the supply chain. Continue reading What are Pedigree Laws Trying to Accomplish Anyway?
Board of Pharmacy, California Pedigree, Digital Signatures, Florida Pedigree, non-repudiation, paper pedigrees, pedigree, pedigree laws, pharmaceutical supply chain, security, serialization

The California Pedigree Law

3 Comments

Important Notice To Readers of This Essay On November 27, 2013, President Barack Obama signed the Drug Quality and Security Act of 2013 into law. That act has many provisions, but one is to pre-empt all existing and future state serialization and pedigree laws like those that previously existed in California and Florida. Some or all of the information contained in this essay is about some aspect of one or more of those state laws and so that information is now obsolete. It is left here only for historical purposes for those wishing to understand those old laws and the industry’s response to them.The original California Pedigree Law was passed back in 2004 and it was subsequently modified by the State Legislature in 2006 and again in 2008. In all three instances, I understand that members of the legislature and the Governor’s office worked closely with the State Board of Pharmacy to develop the final content and language.

I heard that one of the goals was to create a better law than the one in Florida. Did they succeed? In order to find out, let’s take a closer look at how they compare.

The law that is currently on the books in California differs from the Florida Pedigree Law in the following ways:

  1. It is fully electronic (it is NOT paper-based)
    The law and all of the discussion of the law by the Board of Pharmacy make it clear that the only acceptable form of a pedigree is electronic. This make it much more reasonable to implement because supply chain members can make use solely of computers to exchange, store and validate pedigrees, without fear that their trading partners can only handle paper pedigrees.
  2. Pharmacy returns must be reflected on pedigrees
    This was an original requirement of the Florida Pedigree Law too, but it was removed under pressure from lobbyists before the law went into effect. So far, it remains intact in California, but the law is not yet in effect. What it means is that when a pharmacy buys drugs from someone and they return those drugs, regardless of how little time has transpired, they must provide a pedigree update so that subsequent buyers of those drugs can see their purchase, and return transactions. This is no different from the requirements faced by all other segments.
  3. It starts with the manufacturer
    In Florida the first wholesaler started the pedigree. In California, the pedigree must be started by the manufacturer or it is not valid. If you are looking to expose the full history of package of drugs, how could you not start with the manufacturer? I even think the manufacturers generally agree with that notion.Interestingly, the Law doesn’t actually require anything of the manufacturers directly. It is directed at wholesalers who are licensed to operate within the state. Distribution of a drug without a pedigree that was started by the manufacturer is illegal and subject to penalties, but it is the wholesaler who violates the law and is punished, not the manufacturer. Thus, if a given manufacturer fails to provide California wholesalers with serialized product and compliant pedigrees by the time the law goes into effect, it will be up to the wholesaler to decide not to distribute those drugs within California in order to avoid violation of the law and avoid the associated penalties. The only risk a manufacturer takes on is that their drugs may no longer reach patients in California (and the subsequent PR firestorm that would follow).
  4. It requires item-level serialization
    California is very clear that they consider the concepts of “electronic track and trace” and “item-level serialization” as being inseparable. That is, if you have one but not the other, then you don’t have a pedigree system. Every drug package must have a unique identifier on it, applied by the manufacturer or repackager, and that UID must be included in the pedigree (the electronic record). This is a substantial difference from the Florida law which has no such requirement.
  5. No holes designed to accommodate special interests
    I’m not aware of any special treatment in the Law for any particular segment of the supply chain. Florida opened several holes that seriously compromise the intent of their law. So far, California has resisted opening holes, unless you consider pushing back the effective date to 2015-2017 a “hole”. 😉

Attentive readers will notice that I have listed these differences in the same order as my list of failures of the Florida Pedigree Law in my earlier post about the Florida Law. This is my way of showing that California has, so far, created a pedigree regulation that does not have any of the major failures of the Florida regulation.

These are the major differences, but what about the common characteristics? Here are the key things that the California Law has in common with the Florida Law:

  • Reliance on Digital Signatures
    Florida allows a pedigree to be created, stored and passed in electronic form, though they don’t require it. But if a Florida pedigree is in electronic form, digital signatures are required for the same purpose as a hand-executed signature on a paper document. The digital signature legally binds the signing person or entity to the content of the electronic document. Florida identified some specific standards that ensure that the digital signatures possess the all-important quality of non-repudiation. The California Pedigree Law does not, itself, specify any standards for digital signatures, but the Board of Pharmacy’s Q&A (see their Q72) calls out the fact that the California Code of Regulations identifies the specific characteristics that must result from a compliant digital signature architecture for electronic documents. The digital signature standards that are compliant in Florida would also be compliant in California.The fact that California included the use of digital signatures is significant because it ensures that each pedigree can stand on its own as a self-contained, self-secure package. This maximizes the value of the entire pedigree architecture because the security mechanism that prevents tampering goes with the package itself. No one has to rely on the access security of a given server or group of servers to prevent tampering. And, if tampering does occur, it can be easily detected, unlike tampering of pedigree approaches that rely solely on server access security. In that case, if server security is breached, you can’t tell which pedigrees were modified and which were not, rendering them all suspicious.
  • It distributes responsibility for monitoring supply chain security to all supply chain participants
    This is the one genius concept of the Florida Law and California retained it, thus qualifying those involved for genius status as well. It’s a regulatory approach that is relatively new but is likely to become much more common in the face of perpetual budget “crises” in state and federal government agencies. Instead of requiring trading partners to simply keep records of their own buying and selling history for each drug so that they can be audited by an inspector at some later date, these laws require them to check the validity of the full pedigree at the time of each purchase transaction, in near real-time.Notice the difference. In the first instance, it is up to the State Board of Pharmacy inspector to detect suspicious activity in the supply chain. But how often will a state inspector visit, and how many records will they be able to review? It’s inconceivable that this approach would result in the detection of illegitimate activity.But when every purchase of a drug as it passes down the supply chain requires the buyer to run a validity check on the full transaction history of that specific bottle, it greatly increases the odds that most suspicious transactions will be detected. And for most suspicious events in the history there will normally be multiple opportunities for detection. Here, digital signatures are the enabling technology. They allow all of this supply chain monitoring activity to occur reliably and automatically inside computers that are distributed throughout the supply chain, without human intervention and without slowing the movement of drugs.

So did California succeed in creating a better law than Florida? I propose that there is almost no comparison so the question may be moot. The California Pedigree Law is so much more far-reaching than the one in Florida. While Florida focused on disrupting some very troublesome practices being performed by a few nefarious licensed and unlicensed wholesalers, California’s law is designed to cause a major reorientation of the pharmaceutical supply chain approach to security, monitoring and policing (see also The Deputized Supply Chain). This has major implications that go well beyond those of the Florida law.

Faced with that, it is not surprising that it was necessary to push out the effective dates to 2015-2017. Transformation this big takes time to implement.

crimes, Dangerous Doses, Florida, pedigree laws

Dangerous Doses

If you have chosen to read this blog but you still haven’t read Dangerous Doses by Katherine Eban, you have made the wrong choice. The book is a great read. It documents the events in the early 2000’s that led the State of Florida to pass the first state pedigree law in 2003. You can draw a straight line between those events and all of the state pedigree laws that came after it. The book is a detailed accounting of crimes that occurred after a few criminals realized that law enforcement and the courts would not take seriously any drug crime that did not involve illegal drugs. But a small group of detectives and a lone prosecutor took them on and eventually brought them to justice. The book alternates between narratives of the crimes, the pursuit of the criminals by the detectives, and Eban’s explanation of how the pharmaceutical supply chain worked back at that time.

But that’s just it. The book was written at a time when things were different than they are now in some very important ways. As I understand it, back then, you could have spent less money on a license to distribute pharmaceuticals than you would if you obtained a license to open a bar. As a consequence, there were thousands of drug wholesalers licensed in Florida. But in 2003 the state toughened its licensing laws, greatly increased the cost of the licenses and increased the penalties for crimes related to wholesale distribution of pharmaceuticals. The HDMA cataloged the significant changes to Florida’s drug distribution regulations as the result of those changes. The number of licensed wholesalers plummeted to only a few hundred in the following years.

Oh, and they passed a pedigree requirement too.

I have to admit that I don’t have a good window into what exactly is going on in the Florida crime scene today but given the heightened awareness in the press of counterfeiting and diversion stories, I have to think that there is not nearly the problem that there was back in 2002, or we would hear about it.

So that pedigree requirement really worked, right? Maybe, but I have to think that the increased licensing fees and other requirements, the increased penalties and the increased interest by the courts are the things that really caused criminals to think twice about getting into that business.

Dangerous Doses is a great book and I still highly recommend it to anyone, especially those like me, who are responsible for working on pedigree, serialization and track & trace systems for companies in the supply chain. But as you read it try to keep in mind, that era doesn’t exist anymore. Since that time many other states have taken comparable steps to strengthen their licensing and toughen penalties. And many of them have also passed some type of pedigree law. Stay tuned for more about some of those laws in later posts.

Do drugs still get counterfeited and sold in the U.S.? Probably, but the criminal activity seems to have moved from the supply chain to the internet where criminals can hide just across the borders. Check your spam folder for the evidence.