Tag Archives: Florida Pedigree Law

pedigree laws

Should Regulations Dictate Technology?

4 Comments

Important Notice To Readers of This Essay On November 27, 2013, President Barack Obama signed the Drug Quality and Security Act of 2013 into law. That act has many provisions, but one is to pre-empt all existing and future state serialization and pedigree laws like those that previously existed in California and Florida. Some or all of the information contained in this essay is about some aspect of one or more of those state laws and so that information is now obsolete. It is left here only for historical purposes for those wishing to understand those old laws and the industry’s response to them.In the U.S. pharmaceutical supply chain this question becomes, should regulators—state legislatures, state Boards of Pharmacies, Congress or the FDA—mandate specific technology for serialization, ePedigree and other regulations?  This question arises whenever a new regulation is considered by any of these bodies or agencies.  It’s an important question now that the FDA is considering standards for ePedigree, Track & Trace and related things and I think there are some natural conclusions that can be drawn from past examples that lead to a potential answer.  Let’s review the history first.

EXAMPLE:  EXISTING ePEDIGREE LAWS

The language of the U.S. Prescription Drug Marketing Act (PDMA) specified the kind of data that must be in a compliant pedigree but it did not identify any particular technology to carry that information.  Of course, compared with today, what kind of technology was available back in 1987 when the PDMA was first introduced in the U.S. House of Representatives?  Is it a paper pedigree?  Can it be electronic?  What is the format?  Can GS1’s Drug Pedigree Messaging Standard (DPMS) be used to comply? Continue reading Should Regulations Dictate Technology?

Pedigree models

Why GS1 EPCIS Alone Won’t Work For California Pedigree, Part 2

Important Notice To Readers of This Essay On November 27, 2013, President Barack Obama signed the Drug Quality and Security Act of 2013 into law. That act has many provisions, but one is to pre-empt all existing and future state serialization and pedigree laws like those that previously existed in California and Florida. Some or all of the information contained in this essay is about some aspect of one or more of those state laws and so that information is now obsolete. It is left here only for historical purposes for those wishing to understand those old laws and the industry’s response to them.There are more than one reasons why you shouldn’t expect to use GS1’s EPCIS by itself to comply with the California pedigree law.  Part 1 of this series showed that the traditional distributed network of EPCIS repositories in the U.S. pharma supply chain doesn’t work.  But that analysis assumed the use of the “vanilla” EPCIS standard, without the use of any “extensions”.  That’s not really the way GS1 intended EPCIS to be used.  In this and future essays of this series I will explore some of the approaches that make full use of the extensibility that is built into the standard.

In this Part of the series I want to take a closer look at the work of the Network Centric ePedigree work group of the GS1 Healthcare Traceability group.  I am one of the leaders of that group along with Dr. Mark Harrison of the Cambridge University AutoId Lab, Dr. Ken Traub, Independent Consultant, and Gena Morgan of GS1, along with strong contributions from Janice Kite of GS1 and Dr. Dale Moberg of Axway.  The larger group consists of people who work for companies in the pharmaceutical supply chain, GS1, and solution providers from around the globe, although I think the majority are from the U.S.

The NCeP group published a very interesting recording of a presentation that explains the details of their work.  It is called “NCeP – Technical Analysis Sub-Group, Event Based Pedigree”.  The purpose of this recording is to help people outside of the close-knit NCeP group to learn about the pedigree models developed there, evaluate them and provide feedback to the group about which model(s) should be Continue reading Why GS1 EPCIS Alone Won’t Work For California Pedigree, Part 2

pedigree certification, security

Electronic Message Security and More on Certifications

Important Notice To Readers of This Essay On November 27, 2013, President Barack Obama signed the Drug Quality and Security Act of 2013 into law. That act has many provisions, but one is to pre-empt all existing and future state serialization and pedigree laws like those that previously existed in California and Florida. Some or all of the information contained in this essay is about some aspect of one or more of those state laws and so that information is now obsolete. It is left here only for historical purposes for those wishing to understand those old laws and the industry’s response to them.

Digital electronic messages can be transmitted from one party to another using a wide range of communications technologies.  Today, businesses that make use of the internet to transmit their business messages to and from their trading partners make use of standards-based Electronic Data Interchange (EDI) message formatting.

EDI messages are typically transmitted point-to-point, from one business to one other business.  There are a large number of EDI message types defined but in the pharmaceutical supply chain the most common messages are purchase orders, purchase order acknowledgments, invoices and advance shipment notices (ASN’s).  (While I have the chance, I’d like to point out that ASN’s are not pedigrees for multiple reasons that I will not cover in this essay.)

In the U.S. pharma supply chain AS2 is the most common communications protocol in use for EDI message exchange.  AS2 provides generalized message security to ensure that the messages cannot be understood or tampered with by unauthorized parties during movement from sender to recipient.  According to Wikipedia, these are achieved through the use of digital certificates and encryption.  Messages can optionally be digitally signed by the sender to provide non-repudiation within the AS2 payload context.

Electronic pedigrees as defined by the states of Florida and California are messages that contain fairly complex legal documentation which describe the chain of custody or ownership of a given package of drugs, but they also contain several types of legally required certifications. Continue reading Electronic Message Security and More on Certifications

pedigree laws

What are Pedigree Laws Trying to Accomplish Anyway?

6 Comments

Important Notice To Readers of This Essay On November 27, 2013, President Barack Obama signed the Drug Quality and Security Act of 2013 into law. That act has many provisions, but one is to pre-empt all existing and future state serialization and pedigree laws like those that previously existed in California and Florida. Some or all of the information contained in this essay is about some aspect of one or more of those state laws and so that information is now obsolete. It is left here only for historical purposes for those wishing to understand those old laws and the industry’s response to them.Conversations about the merits of various pedigree and authentication models usually start from dissatisfaction with some characteristic of the current GS1 DPMS pedigree model. I maintain that the design of DPMS—including its perceived flaws—is merely a reflection of the current state and federal pedigree laws and regulations. Characteristics that people don’t like—like digital signatures, a growing document as drugs move down the supply chain, and the fact that Supply Chain Master Data is not used by DPMS—are actually all characteristics of the laws and/or regulations, so any alternate pedigree model that would truly be usable for compliance would need those characteristics too.

But that’s not exactly what I want to discuss in this essay. Instead, I wanted to explain my theory of what U.S. pedigree laws are trying to accomplish in the first place. Forget about how they do it for now. What were the goals of those who wrote these laws and regulations? I’ll agree that this is impossible to know for sure but I think I can construct a pretty convincing theory. I don’t know any of the legislators or congresspeople who wrote these laws, but I have studied their work for over four years now. I have made the following observations.

  1. The highest priority goal of the Florida and California laws appears to be to detect the introduction of illegitimate drugs (counterfeit, stolen, up-labeled, diverted, etc.) into the legitimate supply chain as early as possible, preferably at the very first transaction. These laws accomplish this by requiring companies buying drugs within the supply chain to receive the full supply chain history of those drugs at the time of the purchase (contained in a “pedigree”), and, most importantly, by requiring them to verify the legitimacy of those prior transactions. In Florida that verification can be performed by direct contact, such as a phone call, email, fax, etc., or, optionally, through the use if digital signatures. In California, this verification can only be performed through the use of digital signatures. The federal PDMA, on the other hand, does not appear to obligate the buyer to do any verification of the information provided on pedigrees they receive.Finally, Florida and California both require the recipient of the shipment to confirm that the physical drugs they received match those described by the pedigrees they received. That seems obvious, doesn’t it? Why would any legislative body require all or some supply chain participants to go through all the expense to generate and pass pedigree information but stop short of requiring anyone to actually look at it? Well, oddly, the federal PDMA appears to do just that.
  2. There is a clear attempt in the laws to help identify who participated in the introduction of the illegitimate product. This is important if your goal is to efficiently and quickly investigate the suspected crime. This would aid in shutting down the criminals as quickly as possible before they are able to spread bad medical products very deeply into the supply chain. Continue reading What are Pedigree Laws Trying to Accomplish Anyway?
California Pedigree Law, DPMS, EPCIS, Florida Pedigree Law, GLN, GS1 General Specification, GTIN, master data, PDMA, supply chain master data

Pedigree Models and Supply Chain Master Data

3 Comments

Important Notice To Readers of This Essay On November 27, 2013, President Barack Obama signed the Drug Quality and Security Act of 2013 into law. That act has many provisions, but one is to pre-empt all existing and future state serialization and pedigree laws like those that previously existed in California and Florida. Some or all of the information contained in this essay is about some aspect of one or more of those state laws and so that information is now obsolete. It is left here only for historical purposes for those wishing to understand those old laws and the industry’s response to them.Right now there is only one industry standard that can be used to comply with the various drug pedigree laws in the United States. That’s the GS1 Drug Pedigree Messaging Standard (DPMS), which was created in 2006 by a group of technology experts and participants from nearly all segments of the U.S. supply chain culminating in GS1 ratification in January 2007. Many of those companies began using DPMS even before it was ratified because the Florida Pedigree Law went into effect in July 2006. Since then, companies are using it to comply with other state pedigree laws as well as for the pedigree provisions of the federal government’s Prescription Drug Marketing Act (PDMA) of 1988 (stayed until December 2006). Interestingly, a few companies have chosen to require DPMS pedigrees today for trading partner risk mitigation even where there is no existing regulatory requirement to do so.

A few months after GS1 ratified the DPMS standard, they ratified the Electronic Product Code Information Services (EPCIS) standard. This is a more general purpose standard intended for use in all supply chains that have a need to track and trace serialized products. Everyone acknowledges that it doesn’t make sense to try to use it for compliance with PDMA, Florida or other state pedigree laws because they do not require serialization, but in 2015 the California Pedigree Law will go into effect and one of its unique provisions requires item-level serialization.  Some see this as an ideal place to apply EPCIS.

There are lots of ways to contrast these two standards and their use for pedigree law compliance, but probably the most striking difference is how they each treat Supply Chain Master Data (SCMD). I defined SCMD in a previous post as “…that persistent, non-transactional data that defines a business entity for which there is, or should be, an agreed upon view across the supply chain.

GLN as SCMD

Addresses are an example of a “business entity” that can be treated as SCMD. GS1 defines a location identifier they call a Global Location Number (GLN) that can be used to refer to an address. A GLN is a structured series of digits that can be assigned to refer to a single address (among other things). Refer to the GS1 General Specification for the details. Continue reading Pedigree Models and Supply Chain Master Data

FIPS, Florida Pedigree Law, lobbyists, paper pedigrees, serialization

The Florida Pedigree Law

Important Notice To Readers of This Essay On November 27, 2013, President Barack Obama signed the Drug Quality and Security Act of 2013 into law. That act has many provisions, but one is to pre-empt all existing and future state serialization and pedigree laws like those that previously existed in California and Florida. Some or all of the information contained in this essay is about some aspect of one or more of those state laws and so that information is now obsolete. It is left here only for historical purposes for those wishing to understand those old laws and the industry’s response to them.What is the fundamental goal of today’s drug pedigree laws? Certainly it has something to do with making it harder for criminals to introduce illegitimate drugs (counterfeit, stolen, diverted, up-labeled, improperly stored, adulterated) into our legitimate drug supply chain. But exactly how they are to accomplish that is sometimes hard to see. Like most of our laws, pedigree laws seem to suffer from design-by-committee and then they are contorted beyond comprehension by lobbyists. If a lobbyist can’t prevent new regulations from being enacted in the first place, the next best thing seems to be to ensure that the law that is passed is so twisted that it doesn’t entirely make sense.

The Florida pedigree law is a case in point. Well intentioned, but apparently designed by people who were not entirely familiar with the massive number of drug packages that pass through distribution centers and on to pharmacies in our modern pharmaceutical supply chain. This law centered around a paper document for every transaction. The proposed law went through many modifications on its way to being enacted, and even then, the legislature continued to modify it as multiple lobbies convinced state senators and representatives of their particular dislike for various requirements. The law that eventually went into effect on July 1, 2006 had a number of strange provisions.

  1. It’s paper-based
    The final law had been modified to allow an electronic representation of a pedigree, but it remained essentially a paper pedigree. Though you could store it and transmit it electronically—they required very secure FIPS standards (Federal Information Processing Standards) for the electronic version—when an inspector wanted to inspect it, the very secure electronic document had to be printed out and presented on paper. A secure electronic pedigree that is printed out onto paper loses all of its security and can be faked very easily.
  2. Pharmacies could return within 7 days without updating the pedigree
    Shortly before the law went into effect, the legislature and governor passed a modification that allows pharmacies to purchase drugs from a wholesaler and then return them to the wholesaler without providing an updated pedigree, as long as both transactions are completed within 7 days. This allows drugs to be re-introduced into the supply chain with pedigrees that legally do not reflect all of the transactions that have occurred, thus hiding potentially important transactions.
  3. Primary wholesaler invoice statement
    Also shortly before the law went into effect a provision was inserted that allowed primary wholesalers to create a “pedigree” by simply printing on their customer’s invoices a statement that asserts that the drugs on the transaction were purchased directly from the manufacturer. Any wholesaler who cannot purchase directly from the manufacturer must purchase their drugs from one of the primary wholesalers. Those drugs must come with a fully documented pedigree that the primary wholesaler created (not the kind with the simple invoice statement). A fully documented pedigree is much harder and much more expensive to generate and maintain.
  4. No manufacturer requirements
    In Florida, the manufacturer of each drug is not involved in the creation and maintenance of drug pedigrees. The first wholesaler to purchase the drugs from the manufacturer must start the pedigree to reflect that purchase. They must then update the pedigree to reflect the sale of the drug to their customer. All of this is necessary whenever the drugs are sold to another wholesaler. If they are sold directly to a pharmacy, the simple invoice statement “pedigree” is sufficient, as described above.
  5. No serialization
    The Florida law requires careful tracing of every package of drugs from first purchase from a manufacturer until distributed to a pharmacy, but without the benefit of a serial number attached to each unit. This is hard to do without costing a lot of time and money because each shipment of a given drug has a different history. It must be traced separately from all other shipments of that same drug. Without serialization, the processes necessary to do it must be performed carefully and exactly. Any mis-step can cause a break in the trace which results in drugs that cannot be sold in the state.
  6. Allows information to be redacted
    Finally, a bizarre late addition allows certain information to be redacted (removed) from a pedigree document if the information is considered sensitive. But when pedigrees are held electronically using the required FIPS standards, any modification will cause the pedigree to be broken. That is, it will appear as though someone has tampered with it—the very condition that would lead a buyer to fear that the drugs may be counterfeit or otherwise illegitimate. The provision that allows redaction is in total conflict with the provision that requires use of FIPS standards.

So with the addition of these strange provisions, what is the Florida pedigree law really accomplishing? I don’t think it is having the effect that was hoped by the original creators. As far as I can tell by reading the original version, it appears that the goal was to force each buyer of drugs to actively verify that the supply chain history shown on each drug pedigree was accurate.

In this way, the responsibility for detection of criminal activity was distributed to all participants in the supply chain, rather than remaining solely with the few inspectors from the Florida Department of Health. This is the one piece of genius in the otherwise flawed law.

Considering the original proposed law and the six strange provisions listed above, a summary of the primary failures of the Florida Pedigree Law would have to include the following:

  • It’s paper-based
  • It doesn’t involve the manufacturer
  • It doesn’t rely on package serial numbers
  • It is full of holes designed to accommodate special interests

I’m afraid this pedigree law is so flawed that it has simply resulted in higher costs with little or no additional protection from criminals; nearly the worst possible outcome. Why have pharma supply chain crimes apparently decreased in Florida since the law was enacted? In my opinion, it’s entirely because the same law greatly increased wholesaler licensing requirements and the penalties for crimes.

With the development of the Florida law as backdrop, California stepped up with the intention of creating a better pedigree law. Were they successful where Florida failed? I’ll discuss their attempt soon.