Explaining the DSCSA Draft Guidance

January 24, 2023

There’s not much time left to get plans in place for DSCSA. In this post, we’ll review the FDA’s recent draft guidance on the new law, and help you get on track for this critical year.

Guidance for the last year of DSCSA

The Drug Supply Chain Security Act, part of 2013’s Drug Quality and Security Act, has a 10-year timeline for enforcement via a phased approach. The law has been transforming the industry at all levels on the path to its final deadline of November 27, 2023.

Its key requirements include the following:

  • Trading partners must exchange data electronically when product changes hands.
  • Companies in the pharma supply chain must meet operating and licensing criteria as Authorized Trading Partners for their business type.
  • Interoperable data connections must support data exchanges between any trading partners.
  • Products must be traceable individually and within their via serialized labeling.
  • Returned products must be verified before redistribution.

In July 2022, the FDA released two pieces of draft guidance for DSCSA. Put briefly, these clarified the requirements for each type of trading partner, and affirmed that paper transaction records must be phased out for electronic methods. Certain elements here have sparked important discussions.

First, the guidance contained the FDA’s recommendation of a standard for the exchange of transaction data between trading partners. What is Electronic Product Code Information Services (EPCIS), and why is it important that the FDA recommends it? Next, the very fact that these are the final DSCSA releases prompt a tricky twofold question: With November 2023 on the horizon, and these being the last such announcements – will that date stand, and is it appropriate to take action based on this draft guidance?

What the FDA said in July

The first part of the July release clarifies the definitions of each type of business in the pharma supply chain under DSCSA, and hence, which licenses and requirements enable them to operate as Authorized Trading Partners. In particular, it addresses entities that are less common, or may fit more than one definition, such as private-label distributors, salvagers, returns processors, and reverse logistics providers. Further, it details the licensure and reporting requirements for 3PLs and wholesale distributors (WDDs). Trading partners at all points in the supply chain now should have a clear picture of what will be expected in terms of state and federal licensure, and what data they’ll be required to capture and make available.

That a new set of definitions was necessary, and that the FDA acknowledged the need for greater clarity over their initial handling, points to the release’s intent to add certainty and shore up lingering points of argument that could stall compliance in the remaining months to November 2023. The FDA’s other release affirms this further, adding an interpretation of “interoperability for enhanced drug distribution security” that specifically calls for the use of electronic transaction information and transaction statements. It’s a point that may not seem to need clarification, as nearly every other facet of DSCSA seems to reflect electronically stored, accessed, and exchanged data; however, it removes any possibility that companies could either intentionally or unintentionally continue doing business outside DSCSA compliance.

The EPCIS standard

This gives way to the FDA’s recommendation of the GS1 global standard EPCIS. The statement recognizes that EPCIS has gained industry consensus as well as the FDA’s own approval, stating: “FDA believes that EPCIS is an appropriate globally recognized standard, and FDA understands there is considerable agreement among stakeholders that EPCIS is a suitable standard to adopt for the enhanced drug distribution security requirements.”

The passage also emphasizes that pharma businesses ought to “make a collaborative effort” to follow the shared standard. While the FDA says it’d be unreasonable to expect all players to “rely upon a single technological approach,” it does find it appropriate to recommend that they accept the EPCIS standard (and that they use additional systems and practices to ensure confidentiality and security).

The implication here is that players who ignore EPCIS risk damaging themselves and their partners. The FDA recognizes EPCIS as the most secure data standard between trading partners, and the path of least resistance thanks to its existing uptake. As LSPedia CEO Riya Cao said during a September 2022 webinar, “There’s no looking back. The FDA has confirmed it, and the industry has conformed.”

While alternatives are available, companies who do not standardize on EPCIS will likely be increasingly few in number, thanks to both the merits of EPCIS and the necessity of using it to do business with existing trading partners. Opting for a different standard will pose a greater nuisance as well as a business opportunity cost, given that the majority of businesses in the prescription drug supply chain will require EPCIS support for data exchanges.

A hard deadline

It’s critically important to understand that there is every reason to believe that DSCSA’s final deadline will indeed be November 27, 2023. The deadline concludes a 10-year phased rollout, every other step of which has now passed. The intent of the release was to provide broadly applicable direction with enough notice for companies to transition to compliant methods and systems by the deadline.

Given that perspective, the remaining 10 months seems a rather short span of time for those who haven’t made much progress yet to enact significant changes. Such businesses will need, among several other updates, to form individual interoperable connections with each of their trading partners, a repeated process that can take weeks or months. On the downside, these companies are at risk of seeing their operations grind to a halt when partners are unable to accept their data, and could face state and federal audits; on the upside, education and sensible peer pressure from compliant trading partners – toward simply being able to do business as usual after November 2023 – is likely to push such businesses to take the necessary steps to comply.

DSCSA and the bottom line

Leaders responsible for compliance who have been waiting to take action on DSCSA should act quickly. Planning for DSCSA is a complex, multi-pronged process, and taking a piecemeal or “bolt-on” approach — or failing to understand DSCSA’s full implications for one’s business — comes with harsh, and possibly hidden, tradeoffs. For example, a data exchange solution without smart exceptions management tools or a robust quality system could still leave operations vulnerable to costly delays.

A well-planned integration built around compliance can carry positive effects on operational efficiency and cost. Companies can save money by simply avoiding what would be the additional costs that come with incomplete programs for exceptions management and verification. These tend to require more staff time or outside personnel to manage frustrating recurring problems, rather than fixing them at the system level.

Pharma businesses can also see long-term productivity and efficiency gains from proactively working with solutions experts who can analyze a business’ progress and vulnerabilities to determine the best fit.  

In short, solving for DSCSA proactively will always save more time, labor, and stress than doing so reactively. The remaining months to implementation will hold unknown challenges, such as a new wave of exceptions resulting from this year’s massive increase in EPCIS exchanges, but that only makes it more important to make good use of the information, tools, and guidance that’s already been made available.

Contact LSPedia today to get help with DSCSA.