The California Pedigree Law

Important Notice To Readers of This Essay On November 27, 2013, President Barack Obama signed the Drug Quality and Security Act of 2013 into law. That act has many provisions, but one is to pre-empt all existing and future state serialization and pedigree laws like those that previously existed in California and Florida. Some or all of the information contained in this essay is about some aspect of one or more of those state laws and so that information is now obsolete. It is left here only for historical purposes for those wishing to understand those old laws and the industry’s response to them.The original California Pedigree Law was passed back in 2004 and it was subsequently modified by the State Legislature in 2006 and again in 2008. In all three instances, I understand that members of the legislature and the Governor’s office worked closely with the State Board of Pharmacy to develop the final content and language.

I heard that one of the goals was to create a better law than the one in Florida. Did they succeed? In order to find out, let’s take a closer look at how they compare.

The law that is currently on the books in California differs from the Florida Pedigree Law in the following ways:

  1. It is fully electronic (it is NOT paper-based)
    The law and all of the discussion of the law by the Board of Pharmacy make it clear that the only acceptable form of a pedigree is electronic. This make it much more reasonable to implement because supply chain members can make use solely of computers to exchange, store and validate pedigrees, without fear that their trading partners can only handle paper pedigrees.
  2. Pharmacy returns must be reflected on pedigrees
    This was an original requirement of the Florida Pedigree Law too, but it was removed under pressure from lobbyists before the law went into effect. So far, it remains intact in California, but the law is not yet in effect. What it means is that when a pharmacy buys drugs from someone and they return those drugs, regardless of how little time has transpired, they must provide a pedigree update so that subsequent buyers of those drugs can see their purchase, and return transactions. This is no different from the requirements faced by all other segments.
  3. It starts with the manufacturer
    In Florida the first wholesaler started the pedigree. In California, the pedigree must be started by the manufacturer or it is not valid. If you are looking to expose the full history of package of drugs, how could you not start with the manufacturer? I even think the manufacturers generally agree with that notion.Interestingly, the Law doesn’t actually require anything of the manufacturers directly. It is directed at wholesalers who are licensed to operate within the state. Distribution of a drug without a pedigree that was started by the manufacturer is illegal and subject to penalties, but it is the wholesaler who violates the law and is punished, not the manufacturer. Thus, if a given manufacturer fails to provide California wholesalers with serialized product and compliant pedigrees by the time the law goes into effect, it will be up to the wholesaler to decide not to distribute those drugs within California in order to avoid violation of the law and avoid the associated penalties. The only risk a manufacturer takes on is that their drugs may no longer reach patients in California (and the subsequent PR firestorm that would follow).
  4. It requires item-level serialization
    California is very clear that they consider the concepts of “electronic track and trace” and “item-level serialization” as being inseparable. That is, if you have one but not the other, then you don’t have a pedigree system. Every drug package must have a unique identifier on it, applied by the manufacturer or repackager, and that UID must be included in the pedigree (the electronic record). This is a substantial difference from the Florida law which has no such requirement.
  5. No holes designed to accommodate special interests
    I’m not aware of any special treatment in the Law for any particular segment of the supply chain. Florida opened several holes that seriously compromise the intent of their law. So far, California has resisted opening holes, unless you consider pushing back the effective date to 2015-2017 a “hole”. 😉

Attentive readers will notice that I have listed these differences in the same order as my list of failures of the Florida Pedigree Law in my earlier post about the Florida Law. This is my way of showing that California has, so far, created a pedigree regulation that does not have any of the major failures of the Florida regulation.

These are the major differences, but what about the common characteristics? Here are the key things that the California Law has in common with the Florida Law:

  • Reliance on Digital Signatures
    Florida allows a pedigree to be created, stored and passed in electronic form, though they don’t require it. But if a Florida pedigree is in electronic form, digital signatures are required for the same purpose as a hand-executed signature on a paper document. The digital signature legally binds the signing person or entity to the content of the electronic document. Florida identified some specific standards that ensure that the digital signatures possess the all-important quality of non-repudiation. The California Pedigree Law does not, itself, specify any standards for digital signatures, but the Board of Pharmacy’s Q&A (see their Q72) calls out the fact that the California Code of Regulations identifies the specific characteristics that must result from a compliant digital signature architecture for electronic documents. The digital signature standards that are compliant in Florida would also be compliant in California.The fact that California included the use of digital signatures is significant because it ensures that each pedigree can stand on its own as a self-contained, self-secure package. This maximizes the value of the entire pedigree architecture because the security mechanism that prevents tampering goes with the package itself. No one has to rely on the access security of a given server or group of servers to prevent tampering. And, if tampering does occur, it can be easily detected, unlike tampering of pedigree approaches that rely solely on server access security. In that case, if server security is breached, you can’t tell which pedigrees were modified and which were not, rendering them all suspicious.
  • It distributes responsibility for monitoring supply chain security to all supply chain participants
    This is the one genius concept of the Florida Law and California retained it, thus qualifying those involved for genius status as well. It’s a regulatory approach that is relatively new but is likely to become much more common in the face of perpetual budget “crises” in state and federal government agencies. Instead of requiring trading partners to simply keep records of their own buying and selling history for each drug so that they can be audited by an inspector at some later date, these laws require them to check the validity of the full pedigree at the time of each purchase transaction, in near real-time.Notice the difference. In the first instance, it is up to the State Board of Pharmacy inspector to detect suspicious activity in the supply chain. But how often will a state inspector visit, and how many records will they be able to review? It’s inconceivable that this approach would result in the detection of illegitimate activity.But when every purchase of a drug as it passes down the supply chain requires the buyer to run a validity check on the full transaction history of that specific bottle, it greatly increases the odds that most suspicious transactions will be detected. And for most suspicious events in the history there will normally be multiple opportunities for detection. Here, digital signatures are the enabling technology. They allow all of this supply chain monitoring activity to occur reliably and automatically inside computers that are distributed throughout the supply chain, without human intervention and without slowing the movement of drugs.

So did California succeed in creating a better law than Florida? I propose that there is almost no comparison so the question may be moot. The California Pedigree Law is so much more far-reaching than the one in Florida. While Florida focused on disrupting some very troublesome practices being performed by a few nefarious licensed and unlicensed wholesalers, California’s law is designed to cause a major reorientation of the pharmaceutical supply chain approach to security, monitoring and policing (see also The Deputized Supply Chain). This has major implications that go well beyond those of the Florida law.

Faced with that, it is not surprising that it was necessary to push out the effective dates to 2015-2017. Transformation this big takes time to implement.

Digital Signatures

Digital signatures are commonly mis-understood, but they play an important role in securing the pharmaceutical supply chain. The Florida pedigree regulations allow the use of digital signatures on electronic pedigrees so that they can be “self-authenticated”. That is, so the pedigree can be authenticated on receipt without employing methods that require some kind of communication with each upstream owner of the drug—like phone calls, faxes, emails, etc.

Digital signatures employed in pedigrees can self-authenticate without any kind of communication. This can be a huge timesaver because it can fully automate the detection of improper supply chain behavior. Large volumes of “clean” pedigrees can be processed without human review or intervention with only those that have a problem being presented to a user for manual review and handling.

It’s not necessary to understand the technical details, but understanding some of the non-technical characteristics of digital signature technology is important for those in the pharmaceutical supply chain. Florida encoded the use of FIPS (Federal Information Processing Standards) digital signature standards directly into their regulations. California seems poised to do something similar.

I want to explain digital signatures without getting too technical. That’s hard to do, but here’s a common misconception that is easy to dispel. The term “digital signature” does not mean something that looks like this:

This is a scanned image of a hand written signature (compliments of a spam/scam email I received this morning). You could call this a “digitized signature”, but it is far from a “digital signature”. The digitized signature may mean something to people when the image is displayed so they can see it, but it means nothing to a computer. Nothing more than a photograph. It’s just a bunch of bits.

A true digital signature is one that a computer can make sense out of. The “sense” it can make is to determine whether the signature is valid or not. For that to work, the digital signature has to be composed of data. Here is an example of a long-form demo digital signature in XML format like those found inside DPMS pedigrees. It includes the core signature as well as the signer’s public key for use in decoding the signature, and a certificate that is digitally signed by a certificate authority who is willing to attest to the signer’s identity.

It looks pretty technical, doesn’t it? It is, but don’t get bogged down in the details. The point is, with this type of data, a computer can verify that a known trusted authority (the certificate authority) is positively willing to attest to the identity of the signer and that the public key included is positively from the signer. The computer can then use the public key to verify that the information being signed (not visible in this example) has not been modified since the signer applied the digital signature. All of this can be determined without the computer needing to go elsewhere for additional information.

Probably the most important thing a digital signature provides is the quality of “non-repudiation”. That is, because the certificate authority has pre-identified the signer in a way that can include the review of legal records, and as long as the signer has kept their private key secret, the signer cannot later claim that they did not sign a set of digital information that bears their digital signature. They cannot disclaim it. The signer is tightly bound to the signed data.

That’s a lot more than your bank can tell from the handwritten signature on your checks. Digital signatures are better in almost all respects.

The FDA, other federal government agencies and most U.S. state governments have embraced the use of digital signatures in digital legal documents. In pedigrees, digital signatures provide strong evidence that the information signed can or cannot be trusted. That’s why they are an obvious choice by regulators who want to move beyond paper pedigrees.

In summary, digital signatures provide the following benefits when used in electronic documents:

  • Positive identification of the signer
  • Non-repudiation of the information that is signed
  • Positive confirmation that the signed information has, or has not been modified since being signed
  • Signature validation can be performed without needing to communicate with external entities

The use of digital signatures in DPMS pedigrees is the feature that turns, what would otherwise be just a blob of data, into a standalone legal document that can be easily validated without needing to acquire any other information. It’s what allows DPMS pedigrees to be used as evidence in court for prosecution of counterfeiters, diverters and thieves.

For a more technical description of digital signatures and the PKI (Public Key Infrastructure) technology behind it, start with the definition in Wikipedia.

Now that I have covered digital signatures in general I can move on to discuss their use in specific pedigree approaches. Stay tuned.

The Legitimate and Illegitimate Supply Chains

There are a number of important misunderstandings out there related to exactly how illegitimate pharmaceuticals get into the hands of unsuspecting consumers and patients. We need to understand all there is to know about the subject, especially those who are responsible for protecting the public against criminal activity and those who are contemplating new laws aimed at elevating the integrity of the supply chain. In this post, I want to define and differentiate the legitimate and the illegitimate pharmaceutical supply chains.

Extracting the meanings we are looking for, Wiktionary defines the adjective “legitimate” as:

  1. Accordant with law or with established legal forms and requirements; lawful
  2. Conforming to known principles, or accepted rules; valid
  3. (obsolete) Authorized; real, genuine

and the adjective “illegitimate” as:

  1. Illegal; against the law

I don’t think there is any surprise here since these words are in fairly common use, but let’s apply these adjectives to the pharmaceutical supply chain. We could deduce:

The Legitimate Pharmaceutical Supply Chain: The chain of pharmaceutical supply that conforms to known and established legal forms, principles and requirements; the lawful supply chain; the valid supply chain; the real, the authorized, the genuine supply chain.

The Illegitimate Pharmaceutical Supply Chain: The illegal supply chain

Again, no surprises here.

We need one more definition: supply chain.

Wikipedia defines “Supply Chain” as:

“A supply chain is the system of organizations, people, technology, activities, information and resources involved in moving a product or service from supplier to customer. …”

For pharmaceuticals, the supply chain begins with the manufacturer and ends with the consumer, or patient. (For logistical purposes we often talk of our supply chain beginning with the drug manufacturer and ending with the pharmacy, but in actual fact, it ends when the product is irreversibly consumed by the patient.)

We have a single legitimate pharmaceutical supply chain in the United States–filled with complexity, but singular nonetheless. I’ve heard people make the claim that “their [pharma] supply chain is secure”, as if there were many pharma supply chains and it is no concern of theirs if anyone else’s supply chain might not be secure. For security purposes we should treat the U.S. supply chain as a single entity. Martin Luther King famously once wrote, “Injustice anywhere is a threat to justice everywhere”. Similarly, in the pharma supply chain, it could be said that insecurity anywhere is a threat to security everywhere.

Likewise, I believe we have only one significant illegitimate supply chain: the internet. That’s a topic all on its own.

Both the legitimate and the illegitimate supply chains end with the consumer/patient. Interestingly, illegitimate drugs (counterfeit, stolen, diverted, up-labeled, adulterated) can reach the consumer/patient from both the legitimate and the illegitimate supply chains.

Here is perhaps the first surprise in this essay. If we have already separated the legitimate and the illegitimate pharma supply chains, how is it possible for illegitimate drugs to make it into the legitimate supply chain? Wouldn’t they only exist in the illegitimate supply chain?

The answer to the second question is “No”. I selected the adjectives “legitimate” and “illegitimate” for supply chains and for the drugs that pass in them. Just because the adjective is the same doesn’t mean that the subjects are bound to each other.

The answer to the first question is less intuitive. How do illegitimate drugs make it to consumers/patients through the legitimate supply chain? The answer is well documented in Katherine Eban’s book, “Dangerous Doses” already discussed in an earlier post. Look at the case of Timothy Fagan. His parents did not order his Epogen from a website. They bought it (in New York in 2002, prior to the crackdown on criminals in Florida…don’t miss my comments on how much has changed since then) from their favorite national chain pharmacy, a very solid participant in the legitimate pharma supply chain. But the Epogen was “counterfeit” (actually up-labeled and spoiled due to storage at improper temperatures) and Timothy nearly lost his life as the result.

In her book, Eban follows the path of the Epogen from manufacturer to Fagan. It’s a very interesting case. A legitimate drug started out in the legitimate supply chain and it was transformed into an illegitimate drug on its way to the consumer/patient. Did it exit the legitimate supply chain, get transformed by criminals and then get reintroduced, or was the transformation executed by criminals who had infiltrated the legitimate supply chain? The answer depends on whether all of the owners were properly licensed to buy and sell that type of pharmaceutical. If they were, then the drug did not exit the legitimate supply chain. Yes, one or more of the supply chain participants were criminal enterprises, but because they were licensed, they were a legitimate part of the legitimate pharma supply chain at the time.

The point is, individual or groups of criminals can infiltrate the legitimate supply chain at any point (even in big-name companies…read the book!). Once they do, illegitimate drugs can be introduced into the supply chain…easily.

The Florida Pedigree Law

Important Notice To Readers of This Essay On November 27, 2013, President Barack Obama signed the Drug Quality and Security Act of 2013 into law. That act has many provisions, but one is to pre-empt all existing and future state serialization and pedigree laws like those that previously existed in California and Florida. Some or all of the information contained in this essay is about some aspect of one or more of those state laws and so that information is now obsolete. It is left here only for historical purposes for those wishing to understand those old laws and the industry’s response to them.What is the fundamental goal of today’s drug pedigree laws? Certainly it has something to do with making it harder for criminals to introduce illegitimate drugs (counterfeit, stolen, diverted, up-labeled, improperly stored, adulterated) into our legitimate drug supply chain. But exactly how they are to accomplish that is sometimes hard to see. Like most of our laws, pedigree laws seem to suffer from design-by-committee and then they are contorted beyond comprehension by lobbyists. If a lobbyist can’t prevent new regulations from being enacted in the first place, the next best thing seems to be to ensure that the law that is passed is so twisted that it doesn’t entirely make sense.

The Florida pedigree law is a case in point. Well intentioned, but apparently designed by people who were not entirely familiar with the massive number of drug packages that pass through distribution centers and on to pharmacies in our modern pharmaceutical supply chain. This law centered around a paper document for every transaction. The proposed law went through many modifications on its way to being enacted, and even then, the legislature continued to modify it as multiple lobbies convinced state senators and representatives of their particular dislike for various requirements. The law that eventually went into effect on July 1, 2006 had a number of strange provisions.

  1. It’s paper-based
    The final law had been modified to allow an electronic representation of a pedigree, but it remained essentially a paper pedigree. Though you could store it and transmit it electronically—they required very secure FIPS standards (Federal Information Processing Standards) for the electronic version—when an inspector wanted to inspect it, the very secure electronic document had to be printed out and presented on paper. A secure electronic pedigree that is printed out onto paper loses all of its security and can be faked very easily.
  2. Pharmacies could return within 7 days without updating the pedigree
    Shortly before the law went into effect, the legislature and governor passed a modification that allows pharmacies to purchase drugs from a wholesaler and then return them to the wholesaler without providing an updated pedigree, as long as both transactions are completed within 7 days. This allows drugs to be re-introduced into the supply chain with pedigrees that legally do not reflect all of the transactions that have occurred, thus hiding potentially important transactions.
  3. Primary wholesaler invoice statement
    Also shortly before the law went into effect a provision was inserted that allowed primary wholesalers to create a “pedigree” by simply printing on their customer’s invoices a statement that asserts that the drugs on the transaction were purchased directly from the manufacturer. Any wholesaler who cannot purchase directly from the manufacturer must purchase their drugs from one of the primary wholesalers. Those drugs must come with a fully documented pedigree that the primary wholesaler created (not the kind with the simple invoice statement). A fully documented pedigree is much harder and much more expensive to generate and maintain.
  4. No manufacturer requirements
    In Florida, the manufacturer of each drug is not involved in the creation and maintenance of drug pedigrees. The first wholesaler to purchase the drugs from the manufacturer must start the pedigree to reflect that purchase. They must then update the pedigree to reflect the sale of the drug to their customer. All of this is necessary whenever the drugs are sold to another wholesaler. If they are sold directly to a pharmacy, the simple invoice statement “pedigree” is sufficient, as described above.
  5. No serialization
    The Florida law requires careful tracing of every package of drugs from first purchase from a manufacturer until distributed to a pharmacy, but without the benefit of a serial number attached to each unit. This is hard to do without costing a lot of time and money because each shipment of a given drug has a different history. It must be traced separately from all other shipments of that same drug. Without serialization, the processes necessary to do it must be performed carefully and exactly. Any mis-step can cause a break in the trace which results in drugs that cannot be sold in the state.
  6. Allows information to be redacted
    Finally, a bizarre late addition allows certain information to be redacted (removed) from a pedigree document if the information is considered sensitive. But when pedigrees are held electronically using the required FIPS standards, any modification will cause the pedigree to be broken. That is, it will appear as though someone has tampered with it—the very condition that would lead a buyer to fear that the drugs may be counterfeit or otherwise illegitimate. The provision that allows redaction is in total conflict with the provision that requires use of FIPS standards.

So with the addition of these strange provisions, what is the Florida pedigree law really accomplishing? I don’t think it is having the effect that was hoped by the original creators. As far as I can tell by reading the original version, it appears that the goal was to force each buyer of drugs to actively verify that the supply chain history shown on each drug pedigree was accurate.

In this way, the responsibility for detection of criminal activity was distributed to all participants in the supply chain, rather than remaining solely with the few inspectors from the Florida Department of Health. This is the one piece of genius in the otherwise flawed law.

Considering the original proposed law and the six strange provisions listed above, a summary of the primary failures of the Florida Pedigree Law would have to include the following:

  • It’s paper-based
  • It doesn’t involve the manufacturer
  • It doesn’t rely on package serial numbers
  • It is full of holes designed to accommodate special interests

I’m afraid this pedigree law is so flawed that it has simply resulted in higher costs with little or no additional protection from criminals; nearly the worst possible outcome. Why have pharma supply chain crimes apparently decreased in Florida since the law was enacted? In my opinion, it’s entirely because the same law greatly increased wholesaler licensing requirements and the penalties for crimes.

With the development of the Florida law as backdrop, California stepped up with the intention of creating a better pedigree law. Were they successful where Florida failed? I’ll discuss their attempt soon.

Subscribing to RxTrace

The easiest way to stay up-to-date with the RxTrace blog is to register your email address with FeedBurner in the box in the upper right corner of this screen. After registration, FeedBurner will send you a small email every time a new post is entered into the RxTrace blog. That email will contain a URL that takes you directly to the new post. Really simple and very convenient.

And don’t worry about the possibility of spam generation. FeedBurner and BlogSpot are both owned by Google, which means that they are very careful with your email address. You can read Google’s Privacy Policy here, or you can just take my word for it…they don’t sell your email address to spammers.

Alternatively, you can also stay up-to-date with this blog without subscribing via email through the use of an RSS reader. I use Yahoo!’s “myYahoo” as my browser default home page. I have a pretty large myYahoo configuration with two pages and lots of news feeds–one of which is RxTrace. Sadly, it doesn’t seem to refresh so it has not reflected the last couple of posts. I need to look into that because it’s supposed to keep you current.

But there are other RSS Readers out there. To subscribe to any of the many RSS feeds, just click on the “Posts” button under the “Subscribe to RxTrace” banner to the right and select your favorite reader.

Any way you access this blog, I’d like to thank you for reading.

GS1

I’ve been an active GS1 participant since EPCglobal was first acquired by GS1 in 2003. It is an interesting organization, often both vital and frustrating at the same time. GS1 is a single source for essential supply chain standards that have global applicability. Rather than attempting to dictate those standards they invite people and companies to work with them on the definitions and the application of their standards. They have really great facilitators for some of their work groups with the very best being Mark Frey and Gena Morgan. The quality of their standards documents is quite high. And they have some really smart people in their EPCglobal Architectural Review Committee (ARC), notably Ken Traub, John Williams and Sanjay Sarma.

My hope is that this blog will be of some value to both members and non-members of GS1, but, I can only cover topics related to the organization and their public documents. Specific details about work group activities cannot be covered. However, I do not think that is too limiting and I think members and non-members will find something of interest.

GS1 is a not-for-profit member organization. The way it is organized reminds me of something out of the UN with affiliate “Member Organizations”, or M.O.’s—one for each country in the world—which participate in developing and maintaining their global standards on behalf of end-user companies within their borders. End-user companies are also able to represent themselves … if they can afford the membership fee which is based on company global revenue (and that’s on top of the fees paid for use of your GS1 Company Prefix). Consequently, standards development proceeds mostly with input from employees of GS1 affiliates and from employees of large corporations. There are notable exceptions and GS1 has made a significant effort to recruit participation from hospitals and smaller pharmacies, traditionally under-represented because they are small.

My own experience as one of those employees of an end-user member company, who has participated in standards-making work groups and the end-user groups within GS1 and EPCglobal, has been very positive. I have met and collaborated with a wide range of very smart people from my own industry and others, from the U.S. and from around the globe. I’ve learned a lot about supply chains in general and about how to perform the kind of “techno-negotiations” necessary to move forward a work group of people with very diverse backgrounds and interests toward a positive conclusion. Sometimes it’s thrilling. Sometimes it’s aggravating. It’s always a lot of hard work, but I highly recommend it to anyone considering it.

GS1 also runs “adoption” end-user groups out of their M.O.’s. The purpose of these groups is to encourage the adoption of GS1 standards within the country that the M.O. represents. For example, the GS1 U.S. Member Organization operates the GS1 Healthcare U.S. group which has work groups targeted at accelerating the adoption of GTIN, GLN, GDSN and Traceability the GS1 way in the healthcare sector. These work groups do not work on standards, but they work on guidelines for use in applying those standards to solve various supply chain problems within the U.S. (also known as “toolkits”).

Actual standards have traditionally been developed in two different sub-organizations of GS1: EPCglobal and GSMP (Global Standards Management Process). GS1 is currently in a state of transition as they move the standards development arm of EPCglobal into GSMP. That’s a good thing, because these two organizations have had different approaches and, at times, seemed to operate as two independent organizations. Unfortunately, in my view, EPCglobal’s process operated better than GSMP. So far I am encouraged by the little evidence I have seen that they are retaining the good parts of the EPCglobal approach. We’ll see how far it goes.

One very commendable thing that EPCglobal has done that GSMP has not is to make their ratified standards documents freely available for download on the internet. The GSMP approach is to roll all of their diverse standards into a single and very large document known as the “GS1 General Specification” (or, “GenSpec”) and they’d like to charge you for a copy of it. Fortunately there are enough M.O.’s around the world that make it available that you can usually find a copy for free download by simply Googling it. I hope that the merged GSMP does not fold the individual EPCglobal specifications into the GenSpec and keep them hidden until you pay, but I must admit, even ANSI and ISO charge for their ratified standards documents.

GS1 also has a lobbying arm which applies pressure to governments around the world to adopt policies that are favorable to GS1 and the technologies that their standards are based on. For example, they applied considerable effort to get governments around the world to open up RF frequency bands around 915MHz so that UHF passive RFID tags could operate worldwide without violating the law somewhere. They have been very successful in that effort, as I understand it.

Another example of GS1 lobbying is when they act as technology experts before U.S. state and federal regulatory agencies. Here GS1 provides guidance toward the adoption of regulations and laws that can be met through the use of their standards. I get a little concerned about this type of lobbying because I fear that GS1 makes themselves out to be unbiased when, in fact, they do have a bias. I hope these agencies are aware of that and take it into consideration.

GS1 will be a frequent topic of this blog since they are focused on the same “intersection” as I am (see the tag line for this blog on the masthead).

Dangerous Doses

If you have chosen to read this blog but you still haven’t read Dangerous Doses by Katherine Eban, you have made the wrong choice. The book is a great read. It documents the events in the early 2000’s that led the State of Florida to pass the first state pedigree law in 2003. You can draw a straight line between those events and all of the state pedigree laws that came after it. The book is a detailed accounting of crimes that occurred after a few criminals realized that law enforcement and the courts would not take seriously any drug crime that did not involve illegal drugs. But a small group of detectives and a lone prosecutor took them on and eventually brought them to justice. The book alternates between narratives of the crimes, the pursuit of the criminals by the detectives, and Eban’s explanation of how the pharmaceutical supply chain worked back at that time.

But that’s just it. The book was written at a time when things were different than they are now in some very important ways. As I understand it, back then, you could have spent less money on a license to distribute pharmaceuticals than you would if you obtained a license to open a bar. As a consequence, there were thousands of drug wholesalers licensed in Florida. But in 2003 the state toughened its licensing laws, greatly increased the cost of the licenses and increased the penalties for crimes related to wholesale distribution of pharmaceuticals. The HDMA cataloged the significant changes to Florida’s drug distribution regulations as the result of those changes. The number of licensed wholesalers plummeted to only a few hundred in the following years.

Oh, and they passed a pedigree requirement too.

I have to admit that I don’t have a good window into what exactly is going on in the Florida crime scene today but given the heightened awareness in the press of counterfeiting and diversion stories, I have to think that there is not nearly the problem that there was back in 2002, or we would hear about it.

So that pedigree requirement really worked, right? Maybe, but I have to think that the increased licensing fees and other requirements, the increased penalties and the increased interest by the courts are the things that really caused criminals to think twice about getting into that business.

Dangerous Doses is a great book and I still highly recommend it to anyone, especially those like me, who are responsible for working on pedigree, serialization and track & trace systems for companies in the supply chain. But as you read it try to keep in mind, that era doesn’t exist anymore. Since that time many other states have taken comparable steps to strengthen their licensing and toughen penalties. And many of them have also passed some type of pedigree law. Stay tuned for more about some of those laws in later posts.

Do drugs still get counterfeited and sold in the U.S.? Probably, but the criminal activity seems to have moved from the supply chain to the internet where criminals can hide just across the borders. Check your spam folder for the evidence.

The Importance of Standards

I’ve written before about the importance of supply chain standards and how pedigree standards can be categorized as “communications standards”. I drew the analogy of the importance of standards in making cell phones work together. Because U.S. cell phone companies agreed to make use of certain standards, you are able to call your friends who chose to buy service from Sprint, when you have chosen to buy your service from Verizon, or any of a number of other U.S. carriers. Without those standards and the agreement of each company to use them, you would only be able to call people who happened to sign up with the same phone company that you did.

I won’t reproduce the whole article here but its contents are just as pertinent today as they were two years ago when it was published in Pharmaceutical Commerce magazine. That article stressed the importance of the GS1 Drug Pedigree Messaging Standard (DPMS, a.k.a. the GS1 Pedigree Ratified Standard), but any approach selected by an individual company to address pedigree legislation has to consider interoperability with whatever approach their trading partners choose. Interoperability is the goal of standards but right now there are two standards-based approaches to pedigree out there and they are not currently interoperable. That’s a problem for everyone, because the supply chain is so interconnected and diverse at the same time.

The two standards are DPMS and EPCIS–both from GS1. The history of these two standards and the differentiating characteristics of each one is too complex to cover in a single post so I’ll just provide an introduction here. I’ll continue the discussion in later posts, although I don’t plan to make the whole thing contiguous because there are other topics that I also want to cover over the same timeframe.

EPCIS (Electronic Product Code Information Services) is a GS1 standard that defines a set of interfaces for the purpose of capturing and querying serial number “visibility” data. “Visibility” data is meant to be observations and transactions that are based on observations of serial numbers that are attached to items and logistical containers of products within supply chains. I still haven’t found an easy-to-understand way to explain it, but I think those two sentences describe it fairly concisely and accurately. If you have a better way to explain it, please post a comment below.

Notice that the description doesn’t say anything about pedigree or regulatory compliance. EPCIS is a standard, but it’s a general purpose IT thing that you have to apply a specific way in order to make it work as a pedigree system. The standard is designed to be very flexible and for serialized product, it could be quite powerful if used right. There are a couple of problems for those who want to use it as a pedigree system, however.

  • There is currently no standard that describes exactly how to apply it as a drug pedigree system that would ensure interoperability across the supply chain;
  • There is the general tendency to talk about ways to turn EPCIS into a pedigree system, but I haven’t heard one yet that is likely to comply with existing pedigree laws.

I’ll cover those issues in more detail in later posts.

DPMS (Drug Pedigree Messaging Standard) is a GS1 standard that was specifically created to assist the pharmaceutical supply chain with creating an interoperable system to trace drugs in a way that can comply with existing pedigree laws. That includes Florida, California, the PDMA and all of the other states that currently have pedigree laws. The problem is, it doesn’t do much to assist companies with all of the many problems they face dealing with serial numbers on items. DPMS can take serial numbers and use them to trace those items, but there are a lot of other, non-compliance issues that must be dealt with first.

So there are problems with both standards. Perhaps an obvious solution is one that I, and others, proposed last year to combine EPCIS and DPMS to create a system that benefits from the best of both standards.

As you might imagine, there is a lot more I could discuss on this topic in later posts. But I’m going to try to stay out of the details and talk more about implications of each approach. Stay tuned…

DISCLAIMER: RxTrace contains some of the personal thoughts, ideas and opinions of Dirk Rodgers. The material contained in RxTrace is not legal advice. Dirk Rodgers is not a lawyer.
The reader must make their own decisions about the accuracy of the opinions expressed in RxTrace. Readers are encouraged to consult their own legal counsel
and trading partners before taking any actions based on information found in RxTrace. RxTrace is not a vehicle for communicating
the positions of any company, organization or individual other than Dirk Rodgers.

RxTrace, a comprehensive exploration of the intersection between healthcare supply chains, track and trace technology, standards and global regulatory compliance.
Contact Us | Privacy Statement
Copyright © 2009-2017 Dirk Rodgers Consulting, LLC. All Rights Reserved.
RxTrace is a registered trademark of Dirk Rodgers Consulting, LLC
L, A, S, C
SiteLock