What is DSCSA for, and why does my pharmacy need to comply in time?

July 6, 2023

At LSPedia, we're steeped in DSCSA each and every day, and at this point in 2023, it feels like we've answered every variation on every kind of question about it. After all, DSCSA is our business, and by now, every trading partner should know what's required of them under the new law.

However, every so often we run into the most fundamental question, one that we need to answer before we can get into the myriad, intricate details of DSCSA compliance: Why?

What is DSCSA for, why was it enacted, and why do pharmacies need to comply?

Back to basics on DSCSA

In 2012, a deadly multi-state meningitis outbreak spotlighted critical vulnerabilities in the pharmaceutical supply chain, particularly around communication between trading partners and coordination on information sharing. Lawmakers responded by formulating a system under which any company handling prescription drugs would have a full view of each individual product's journey from manufacturer to dispenser, immediate notification of suspicious activity in its transaction history, and procedures to gather such details.

This was done via changes to the Federal Food, Drug, and Cosmetic Act that gave the FDA new powers to monitor and regulate the supply chain. The Drug Supply Chain Security Act was signed into law by President Obama in 2013, as part of the Drug Quality and Security Act introduced by Michigan Rep. Fred Upton. DSCSA introduced traceability requirements for all trading partners, with requirements for collaborative information-sharing procedures that ensure the drugs reaching patients haven't been redirected, compromised, recalled, or counterfeited.

DSCSA describes a secure, interoperable system where trading partners can safely and appropriately access one another's relevant data and conduct data exchanges before or during any product transaction. The standard for these exchanges is EPCIS, a more complex file type that serves as a complete transaction history of any given item, supporting the law's requirement to trace drugs not just at the lot level, but to the level of the individual package. Some describe the layer of security this provides as a reframing of the question asked during an information exchange. Rather than answering the question of how many of an item are being sold, moved, quarantined, and so on, DSCSA data answers the question of which one is.

A key element of DSCSA, then, is that each trading partner is responsible for their own requirements, data, and procedures. The sets of requirements vary somewhat between the different types of businesses on the pharma supply chain, but the major requirements apply to each company individually. (We've become aware that some dispensers believe their trading partners can manage DSCSA for them; this largely occurs when a supplier provides a portal to share order information. This is by no means a full DSCSA solution for that dispenser, and only really helps transact orders with that supplier.)

Why does DSCSA apply to dispensers?

Beyond the fact that DSCSA applies to all trading partners, some dispensers still ask why they'll be under regulatory scrutiny, noting that they're the final step in the supply chain before the patient. Further, some argue that DSCSA is too much of a burden for those working in a patient-facing role. For these reasons, there's a misperception among many dispensers that they will be overlooked after the November 27, 2023 enforcement deadline.

This isn't true. The information sharing requirements of DSCSA are as critical for dispensers as for any other type of trading partner. Each medication manufactured and moved through the supply chain must have a record of where it's dispensed, to protect patients from illegitimate or potentially dangerous drugs; patients can't afford to have their dispensers out of the loop regarding situations like recalls.

The verification requirements of DSCSA help ensure that the legitimacy and good status of any product aren't in question before the patient receives it; further, should any problem still occur, that information must be recorded accurately for investigation to prevent more widespread problems. Finally, some counterfeiters and fraudsters specifically target or imitate pharmacies.

Will DSCSA Be Part Of FDA Inspections?

Yes, it will. As an expert told Regulatory Focus, FDA inspections are likely to review Authorized Trading Partners, interoperable data connections, whether data is exchanged ahead of transactions, and whether product identifiers are used properly. Additionally, a recent FDA warning letter shows an inquiry into verification, product investigation, and reporting.

“It is likely that with the upcoming interoperability requirements taking effect, that FDA will use its inspection force to evaluate DSCSA compliance as a normal part of inspections,” said Howard Sklamberg, a partner at Arnold & Porter. Sklamberg noted that inspectors will want to see that trading partners have the systems DSCSA outlines, including those for tracking Authorized Trading Partners, investigating suspect products, and responding to verification requests.

Sklamberg also discussed the benefits of serialization, noting that systems for meeting DSCSA requirements can overlap with good manufacturing practices. DSCSA compliance may work best when it's viewed as part of ongoing SOPs and operations, rather than regarded as a fully separate workstream.

What does DSCSA require of dispensers?

Authorized Trading Partners

DSCSA defines and provides licensure requirements for pharmaceutical trading partners to do business as Authorized Trading Partners. This doesn't include veterinarians or other businesses that only dispense products for animals. To be considered an Authorized Trading Partner, a dispenser must:

  • Accept or transfer direct ownership or possession of a product from or to another pharmaceutical trading partner, including manufacturers, repackagers, wholesale distributors, and other dispensers.
  • Hold a valid license under state law.

As well, they must meet one of the following criteria:

  • Operate a retail pharmacy; operate a hospital pharmacy; or operate a group of chain pharmacies, under common ownership and control, that do not act as a wholesale distributor.
  • Be authorized by law to dispense or administer prescription drugs.
  • Operate affiliated warehouses or distribution centers of a dispenser, under common ownership and control, that do not act as a wholesale distributor.

There are also measures for management of trading partners. Dispensers must:

  • Implement protocols to verify any applicable state laws for licensure and registration for all new trading partners.
  • Implement protocols for regular audits to verify the status of their trading partners.


DSCSA requires trading partners to form interoperable point-to-point connections to conduct transactions, using systems that can import and process one another’s data. After this requirement goes into effect, dispensers can only receive shipments with serialized and properly aggregated data. The industry has largely adopted GS1’s EPCIS standard for interoperable data.

The EPCIS onboarding process must be completed between each pair of trading partners; each implementation can take a few weeks, so it's a good idea to start on this with several months to spare before the DSCSA deadline.

Under this requirement, dispensers must exchange serial data in a secure, interoperable, electronic manner. They must also implement systems and processes that can:

  • Verify serialized products.
  • Respond to FDA requests.
  • Accept saleable returns.

Serialization, Verification, and Enhanced Security

Dispensers can only buy or sell prescription drug products that are encoded with serial numbers in the 2D data matrix barcode and the human-readable text format, with exceptions for certain grandfathered products.

You'll need systems and processes in place to handle suspect or illegitimate products:

  • Verify suspect products using serialized data.
  • Quarantine suspect products until they can be either cleared to be dispensed or removed from the supply chain.
  • Conduct investigations to determine illegitimacy.
  • Resolve discrepancies in transaction information within three business days. (This is an element of exceptions management, which is a must for all pharma trading partners!)
  • Report findings to the FDA, including notifying the agency of illegitimate product within 24 hours (via FDA Form 3911).
  • Report findings to trading partners, including notifying immediate trading partners of illegitimate product within 24 hours.

You can satisfy DSCSA’s verification requirements by developing a secure electronic database, or using a secure electronic database developed by a third party.

Product Tracing

Product tracing relies on electronically delivered 3Ts data: Transaction History, Transaction Information, and Transaction Statement. (Note that Phase II of DSCSA eliminates the requirement for Transaction History.)

Dispensers must:

  • Receive or send transaction data for each product before or at the time of a given transaction.
  • Capture transaction data as necessary to investigate a suspect product.
  • Maintain this information for at least six years after a transaction.

Requests for Information

Dispensers must respond to any request for information from the FDA, or any other state or federal agencies, relating to a recall or suspect product investigation.

Need more details on how dispensers can meet their DSCSA requirements? Visit our Dispensers page.