Choosing a DSCSA Compliance Service

September 2017 - Vol.14 No. 9 - Page #24
Category: Medication Tracking

Enacted in 2013, the Drug Quality and Security Act (DQSA) legislation (and in particular Title II, the Drug Supply Chain Security Act [DSCSA]) introduces new requirements for drug traceability with the intention of protecting consumers from exposure to counterfeit, stolen, contaminated, or otherwise harmful prescription drug products.1,2 The act outlines the steps required to build an electronic system to identify and trace prescriptions throughout the US medication supply chain. As medication dispensers, hospital pharmacists are required to meet a series of deadlines in the development of this electronic system, including the November 2017 deadline, whereby hospital pharmacies are required to be able to receive electronic transaction data from their pharmaceutical manufacturers.

Implementation of this electronic system will enhance the FDA’s ability to detect and remove potentially dangerous products from the supply chain. Under this system, product information is to travel with (or ahead of) the actual product, facilitating communication among vendor, wholesaler, pharmacy, and patient (see FIGURE 1). To achieve compliance, organizations must address a series of issues:

  • Establish a new workflow
  • Maintain compliance documentation
  • Conduct quality assurance and benchmark system performance
  • Stay abreast of the DSCSA timeline and changes in the legislation as well as enforcement discretions and delays

Click here to view FIGURE 1
Click here to view FIGURE 2

While organizations may choose to address these challenges internally, utilizing a DSCSA compliance service through a third-party vendor can help uncover and bridge gaps in any or all of these high impact areas.

Implementation Timeline

The DSCSA takes a phased approach to implementation that spans the course of a decade, affecting all parties in the supply chain. The first compliance date, January 1, 2015, affected manufacturers and wholesalers. For pharmacists, the first compliance deadline fell in March of 2015, but a discretion in enforcement was applied until July of that year. See FIGURE 2 for key compliance dates affecting hospital pharmacies. See SIDEBAR for definitions of DSCSA compliance stakeholders.

Defining Traceability

Traceability ensures the ability to verify the history, location, and transaction information of a product in the supply chain. The DSCSA defines three terms related to transaction data that are used in describing traceability. Pharmacists may want to think of these as a traceability trifecta, or T3:

  • Transaction Information (TI): Includes data about the received product and the trading partners: product name, strength and dosage form, lot, National Drug Code (NDC) number, container size, number of containers, date of the transaction, and names of the new and former owners of the product.
  • Transaction History (TH): The transaction information for each previous transaction, going back to the manufacture of the product.
  • Transaction Statements (TS): Multiple statements related to the history of the product; data may be provided on paper or in electronic form.

Identifying a DSCSA Compliance Champion

Prior to choosing a third-party vendor to manage an institution’s DSCSA compliance, pharmacy leaders must determine who within the organization will lead DSCSA compliance efforts. Because the law impacts multiple points in the medication-use process, a pharmacy buyer, informatics pharmacist, or pharmacy operations staff member may be appropriate. Regardless of who maintains ultimate responsibility for compliance, engaging the pharmacy informatics team is critical to support the data retention requirements within the law. The DSCSA’s comprehensive requirements and the increased need to manage and control inventory and pharmacy costs may inspire some institutions to create a supply chain pharmacist/manager position to lead the process while assisting with other complex duties related to pharmacy supply chain management.

Steps to Effective DSCSA Management

Establishing Workflow

While some retail and long-term care facilities may be responsible for monitoring a small number of transactions, the large number of transactions hospital and health-system pharmacies are responsible for make automation key to effective compliance. When developing an automation strategy to support workflow, consider the capabilities of any software to be deployed, any assistance the wholesale distributor can offer, as well as the electronic capabilities of the manufacturers and repackagers serving the pharmacy. For example, can the manufacturers send digital transaction information in standard Electronic Data Interchange (EDI) format that can be read and processed by the compliance software?

With a DSCSA team in place, an organization must determine which compliance needs can be met by current staffing and which requirements the vendor must assume responsibility for. Most institutions can integrate some parts of DSCSA compliance into their current workflows. For example, many hospitals that employ BCMA have established quarantine areas for product that has been received but is not identified in the EMR. This quarantine, which usually occurs upon receipt from a distributor, could also be utilized for quarantine of suspect product upon receipt; see FIGURE 3 for a sample quarantine workflow.

Receiving staff, in addition to the pharmacy buyer, must be educated to understand what is included in a complete T3 and how to identify suspect product.3 Furthermore, because each institution must ensure that its trading partners are authorized, the pharmacy buyer or the DSCSA compliance service must maintain a list of these partners, and include their authorization information (eg, FDA, board of pharmacy, etc). If an institution uses only one distributor for all of its medications, the electronic storage of T3 information can usually be accessed via the distributor’s webpage, which simplifies the process.

Sample Quarantine Workflow - Click here to view FIGURE 3

Maintaining Documentation

Once current workflows and staffing are optimized to ensure DSCSA compliance, pharmacy leadership should prioritize the needs of the selected DSCSA compliance service. As most institutions use a variety of distributors, wholesalers, and vendors, electronic receipt, storage, and retrieval of T3 information is a priority (keep in mind that this information must be maintained for at least 6 years). Being able to obtain compliance information in a portable/transferrable fashion is critical, considering the quick evolution of these systems, GPO contract changes, etc. In addition, consider what steps will need to be taken should the organization choose to switch vendors.

Paper documentation can quickly become a constraint to compliance. To simplify the documentation, many medication suppliers now offer electronic links to DSCSA compliance vendors. However, should a supplier not offer this, the institution must identify a manual process to compensate. Vendors take a variety of approaches to managing the manual addition of information from transcribing paper T3 documents for dispensing institutions to requiring the institution to transcribe the data into a Web-based portal. Consider the importance of reducing/eliminating manual paperwork wherever possible as increased frontline staff involvement in manual, rote processes may lead to errors, and thus, compliance gaps. Additionally, if your team has yet to implement an electronic solution, consider how you will obtain access to these paper documents. A compliance service can only assist in maintaining information that has been provided from the dispenser.

QA and Benchmarking

In addition to ensuring that basic compliance requirements are met, the organization must establish procedures with its DSCSA compliance service describing the procedure for resolving discrepancies or errors in the system. There is a possibility of incorrect T3 data being sent to hospitals; therefore, a mechanism must be in place to remove erroneous data, to avoid creating a compliance risk.

Moreover, the institution must be vigilant in auditing the program to ensure data integrity is maintained. Scheduled audits of T3 data by the pharmacy buyer or another staff member should be included in the workflow as part of system maintenance. For example, does your quarantine process actually catch suspect products? Consider running a drill for QA purposes, which is an excellent opportunity to involve students and/or frontline staff.

While no institutions have been cited by the FDA to date, DSCSA establishes stiff penalties for entities and individuals who fail to comply with the DSCSA requirements. As the law is written, penalties could technically include (though these outcomes are believed to be unlikely):1

  • Imprisonment for not more than 1 year and/or a fine of not more than $1000;
  • Imprisonment of not more than 3 years and/or a fine of not more than $10,000 for subsequent or intentional violations; and
  • Equitable remedies, such as restitution, disgorgement of profits, and product seizure. The Federal Criminal Code also authorizes a general fine of up to $250,000 for individuals and $500,000 for entities.

Stay Up to Date

While the core of DSCSA’s intent has remained steadfast throughout its deployment, keep in mind that DSCSA’s compliance deadlines may be subject to change. Multiple delays and changes in enforcement discretion have occurred throughout the implementation process, the most recent of which suggests a 1-year delay in enforcement for manufacturer serialization efforts, which will have a direct effect on any dispenser’s ability to become compliant with the law.

The FDA also posts guidance documents fairly regularly to its website, such as those providing support information to first responders and tracing requirements for dispensers. Pharmacy leaders should expect any chosen DSCSA compliance service to assist in keeping abreast with changes, delays, and other important information. When negotiating with a vendor, consider how this service is reflected in the contract.


Partnering with a DSCSA compliance service is an effective way to meet compliance requirements. New solutions for ensuring DSCSA compliance are being developed rapidly, so it is critical to maintain awareness of these options. Remember that ultimately, responsibility for compliance with the law rests with the dispensing entity or pharmacy.

More information about the impact of the DSCSA on pharmacy management from 2015-2023 is available as an ASHP Practice Resource, available at:


  1. H.R.3204 – Drug Quality and Security Act. Public Law No: 113-54 (11/27/2013). Accessed July 25, 2017.
  2. Drug Supply Chain Security Act. Accessed July 20, 2017.
  3. Drug Supply Chain Security Act Implementation: Identification of Suspect Product and Notification Guidance for Industry. Accessed July 24, 2017.

David Aguero, PharmD, is the manager of medication systems and informatics at St. Jude Children’s Research Hospital in Memphis, Tennessee, and an assistant professor at the University of Tennessee Health Science Center. He specializes in the coordination, communication, and support of pharmacy services and the medication-use process, with experience spanning multiple electronic health record and medication distribution platforms in multi-facility systems, academic, and research hospital settings.

Tommy Lupton, PharmD, MBA, BCPS, CAHIMS, is the manager of pharmacy at Dignity Health Glendale Memorial Hospital and Health Center in Glendale, California, and an adjunct assistant professor of pharmacy practice at the University of Southern California. His practice focuses on technology implementation and optimization, regulatory compliance, medication safety, quality, and education and training for pharmacy students and staff.

Who Are the Stakeholders?

The legislation standardizes the definition of several entities, including the following:


Like what you've read? Please log in or create a free account to enjoy more of what has to offer.

Current Issue