This week, we held the latest session in our monthly series The LSPedia DSCSA Deadline Webinar, titled, “What to do before – and after – November 27, 2023.”
With these webinars, we deliver immediate, updated, and actionable information about DSCSA. And there’s scarcely a more important time for it than October 2023, just about a month out from the date when the entire industry will move from implementing DSCSA compliance solutions to stabilizing them. It’s no small step, marking the completion of the decade-long, industry-spanning transformation of the pharmaceutical supply chain.
Each month, we aim to bring together some of the best minds in the industry for insights into complying with DSCSA on schedule, understanding FDA guidance as it emerges, and avoiding misinformation and pitfalls. Tuesday's session featured an overview by Tish Pahl, one of the industry's leading voices on DSCSA implementation and compliance.
Tish Eggleston Pahl is a principal at Olsson Frank Weeda Terman Matz PC. She is regulatory counsel to drug, cosmetic, dietary supplement, and food clients with concerns before the Food and Drug Administration, the Federal Trade Commission, and other federal agencies. Since November 2013, Tish has worked closely with pharmaceutical supply chain stakeholders, including manufacturers, repackagers, and wholesale distributors, on DSCSA implementation.
Pahl opened with a recap of the DSCSA requirements currently in place, those they should already be complying with. (As she emphasized: Not after November 27, but now.) All pharmaceutical trading partners must:
- Only do business with Authorized Trading Partners.
- Have systems in place for verification, with the ability to
- Have a product identifier for all drug packages and homogenous cases, unless dealing with product that is subject to grandfathering, waivers, exceptions, or exemptions by the FDA.
- Provide, receive, and maintain lot-level transaction data when exchanging product with trading partners.
- Respond to government requests for information by providing lot-level transaction data.
- Retain transaction data related to suspect/illegitimate products for six years.
Pahl emphasized that these will be enforced by FDA and state regulators, with violations incurring seizure, injunction, criminal fines and penalties, and other measures that can be undertaken as responses to serious violations and threats to public health. She also noted that trading partners can (and many are already) setting other incentives for compliance, including contractual obligations and supply agreements; violations can incur product liability or class action challenges, and can seriously hurt the reputation of the company responsible. As examples, Pahl referenced the FDA warning letter to Safe Chain Solutions (detailed in our July 5 post) and the indictment of Steven Diamantstein (detailed in our June 30 post).
The requirements set to go into effect November 27, 2023, are referred to as “Section 582(g)(1)”, “package-level”, “enhanced drug distribution security” or simply “2023” requirements.
These mandate that trading partners must:
As the FDA has noted, these requirements can be satisfied by Electronic Product Code Information Services (EPCIS) files with accurate product identifiers for each package; exchanging serialized data in EPCIS enables package-level tracing.
Pahl took care to clear up a misunderstanding regarding the FDA’s recent statements on the deadline. In August, the FDA announced that it “does not intend to take action to enforce” 582(g)(1) until November 27, 2024. However, the FDA took pains to clarify its intentions with a statement (with FDA’s own unusual emphasis):
In short, FDA still expects trading partners to have systems and processes in place to meet their requirements as of November 27, 2023 – not a year later. Trading partners are expected to keep using current methods to handle transaction data while they begin to stabilize and make their systems fully interoperable for “accurate, secure, and timely electronic data exchange.” Thus, the FDA’s stabilization period is not enforcement discretion, meaning that businesses are at risk of regulatory enforcement actions if they aren't complying with current requirements, or if they're stopping or slowing their compliance with 582 (g)(1).
“In other words, if you heard, ‘I’ve got a year, I’m gonna take my foot off the gas’ – don’t do that. The FDA has specifically said, don’t do that. You’re putting yourself at risk if you do.” – Tish Pahl