Over 30 years of reporting on Congress, federal agencies and the White House for corporate America as well as national trade and professional associations.

Track-and-Trace Drug Verification

P&T Journal ... April 2011

FDA Plans New National Standards, Pharmacies Tread With Trepidation
Stephen Barlas

As if the integration of electronic health records (EHRs) into
pharmacy operations hasn’t been difficult enough, hospitals
will soon face a secondHerculean technology task imposed by
the federal government—a challenge that most medical facilities
and pharmacies don’t even know is coming. A national
requirement to “track and trace” prescription drug packages—
in order to preventing counterfeit products from getting into
pharmacies—is coming down the pike, thanks to California.
That state already has its own deadline in place for January 1,
2015; however, the FDA will almost certainly be replacing the
requirement with a national standard in order to prevent the
drug-supply chain from getting tangled up in 50 different
state laws.

The California 2015 deadline formanufacturers to
apply an electronic pedigree (e-Pedigree) to each
item-level package has been delayed twice before
because of anguished cries from manufacturers,
wholesalers, and pharmacies that were not ready to
comply. The new final deadline is July 1, 2017, for all
California pharmacies to authenticate the e-Pedigrees
of all packages that arrive at their back door.

“The delays in California gave us a little breathing
room,” acknowledges Robert J. Bepko, Jr., RPh,MHA, Director
of Professional Services at Norwalk Hospital in Connecticut.
As a result of those delays, the National Council for PrescriptionDrug
Programs (NCPDP),which develops standards
for the pharmacy industry, set up its Work Group 17.

This group has been tracking the potential impact of a California
e-Pedigree requirement on pharmacies. In December 2010,
Work Group 17 issued a white paper on the topic.Mr. Bepko,
a member of the Work Group, says that even after California’s
deadline for implementation was delayed,Work Group 17 was
made aware of efforts by New York andMassachusetts to develop
their own e-Pedigree laws.

“We are hoping for a national law,” Mr. Bepko asserts.
FDA’s Role and Timetable Are Unclear

It is not clear when the FDA will establish a national requirement
that would brush away the California program or
whether the agency needs authorization fromCongress to do
that. At a suburban Maryland FDA workshop that took place
on February 14 and 15, 2011, Grant Hodgkins, Manager of
Strategy, Standards, and Processes at Alcon’s supply chain,
asked that very question of Ilisa Bernstein, Acting Deputy
Director of the Office of Compliance at the FDA’s Centers for
Drug Evaluation and Research (CDER).
“I will defer answering that,” she replied.

The FDA does have the authority to set national standards
drug packages, as permitted by the 2007 FDA Amendments
Act (FDAAA). The February workshop had been scheduled
to obtain industry input on standards for interoperability,
authentication, and data management that the FDA plans to
write. Many in the audience equated the writing of standards
with the imposition of a national requirement to track pharmaceutical
packages (forward) and trace them (backwards
from the pharmacy). There was also confusion about the
difference between California’s e-Pedigree requirements and
the prospective requirements of a track-and-trace system (to
be imposed by the FDA at a future date).

The confusion is understandable. There are three
major permutations of an item-level drug-tagging
system meant to make it impossible for counterfeiters
to divert products. All three steps start with a
Standardized Numerical Identifier (SNI), as follows:
(1) The SNI is established and printed on item-level;
(2) the SNI is incorporated into an e-Pedigree, which
is passed forward only; and (3) the e-Pedigree becomes
part of a track-and-trace system, with each
person along the distribution channel adding
information and being able to be queried “backwards” to obtain
information or to communicate (e.g., the pharmacy with
the wholesaler or manufacturer).

The SNI is printed in a two-dimensional (2D) datamatrix bar
code—or, alternatively, on a radiofrequency identification
(RFID) tag—on the immediate package as it goes down the
packaging line.

In March 2010, in response to a requirement in the 2007
FDAAA, the agency issued guidelines onwhat to include in the
SNI: a serializedNationalDrug Code (NDC), consisting of the
manufacturer’s NDC, plus a unique serial number generated
by the manufacturer or repackager for each individual package.
Serial numbers should be numeric or alphanumeric. The
SNI conforms to the structure of the serialized Global Trade
Item Number (GTIN), GS1’s standard for trade item identification.
GS1 is a nonprofit organization (formerly called EAN
International) with headquarters in Belgium.
Overseas Requirements Are Simpler Than
California e-Pedigree or Track and Trace
Turkey and France already have requirements for drug
packages to be printed with 2D data matrix codes when they
leave a manufacturer’s plant. In this first iteration of an anticounterfeiting
(“point-of-dispensing”) system, however, the
codes are simply uploaded to a data repository and then sent
down the distribution line to the pharmacy, where that SNI is
authenticated via a 2D data matrix bar-code reader.

The e-Pedigree system endorsed by California goes a couple
of steps further by requiring the creation of an e-Pedigree
to a third-party logistics carrier, through a warehouse,
and to the pharmacy. First, the package is placed at the end of
a packaging line inside a case with similar packages; the case
is also given an SNI. The package and case SNIs are matched
up, forming a “parent/child” relationship.
The information, in the form
of a digital shipping document
tied to a specific customer order, is passed along the distribution
channel and is added to the package every time it changes
ownership. These pedigrees would be formatted based on a
GS1 standard called the Drug Pedigree Messaging Standard,
which was developed in 2007. However, many consider that
standard to be antiquated. GS1 is working, ever so slowly, on
an updated standard.

A track-and-trace system is similar, allowing for communications
to go backward; however, an e-Pedigree can be forwarded
only. In track-and-trace systems, when the product
changes hands, the new data that were entered into the pedigree
are sent back to the repository, which maintains the product’s
travel history. For example, a pharmacy can query a
wholesaler or manufacturer or can send an acknowledgment
that a shipment was received. All participants in a manufacturer’s
supply chain would have some access to that data repository,
although access might be controlled by the drug’s manufacturer
or by a third party, often a government agency.

In both e-Pedigree and track-and-trace systems, theoretically
at least, cases must be opened in a warehouse, and the 2D bar
codes on the packages must be read to ensure that the packages
inside are the ones sent by the manufacturer. This is a
huge problem for manufacturers and distributors, especially
in terms of the time it is expected to take and the associated
costs. California allows inference, whereby wholesalers and
others would not have to pull the cases apart to check SNIs or
affirmthe parent/child relationship between each package and
the case.

Dirk Rodgers of RxTrace.com explains that California’s
Board of Pharmacymust draw up rules so that companies will
know how they can make use of inference. He says:
“It is possible that the Board could create rules that define
the concept so narrowly that it will be a far cry from what the
industry means when they use the term. We’ll have to see
where they take it.”

Costs Rise as Requirements Expand

There are also broader implications formanufacturers stemming
from requirements for repositories, inference, and the
like. Steve Drucker, Director of Global Pharmaceutical Commercialization
in Packaging Technologies and Compliance at
Merck, explains:

In a full track-and-trace system, you have to make changes to your
manufacturingmanagement systems, warehousemanagement systems,
and order-to-cash systems to track item-level SNIs andmaintain
the parent/child data instead of simply tracking lot numbers,
which is what we do now. It is a huge endeavor, and the complexity
is far beyond anything we have tried before, as are the costs.
He says that the estimated costs for full track-and-trace compliance
are as high as $100 million.

The challenges and costs for pharmacies mount as one
moves up from a point-of-dispensing system (the main requirement
is to verify the SNI), to e-Pedigree (pharmacists
must decommission the pedigree), to track and trace (pharmacists
must communicate with physicians as well as manufacturers).
These possibilities raise all sorts of questions for hospital
pharmacists such as Robert Bepko, Jr. He already has a
pharmaceutical inventory system that he purchased from
McKesson, his wholesaler. In addition, his hospital is in the
process of installing an electronic health record (EHR) system
from Cerner in order to qualify for Medicare incentive payments
for capital costs—and to avoidMedicare penalties for not
implementing an EHR system. He says:
If we knew what was going to be expected of us, we would work toward
that end. If the Joint Commission, the Drug Enforcement
Agency, or the FDA comes in to a pharmacy and asks a pharmacist
to showthempedigrees for themonth ofMarch, the pharmacist can
pull up that list from McKesson. But what if they want to see the
pedigrees for patientMr. Jones?Does that default to the Cerner system?
So you can see the difficulty we have here—preparing for what
we don’t know.

Each additional responsibility adds pharmacy costs, and a
full track-and-trace requirement is likely to be very costly to all
pharmacies. ChrissyKopple, Vice President ofMedia Relations
at theNational Association of ChainDrug Stores, says that proposals
that would mandate the tracking and tracing of prescription
drugs are faced with complexities, technical and
feasibility issues, and substantial costs for all drug supply
chain stakeholders. She says that these systems have not been
developed or fully tested yet and have not been evaluated in
pilot programs; they also lack uniform national standards and
patient privacy safeguards.

So far, wholesalers such as McKesson haven’t focused on
helping their pharmacy customers get ready for e-Pedigrees,
much less track and trace. Ron Bone, Senior Vice President of
Distribution Support at McKesson, explains:
Once we have established a process to quickly on-board manufacturers,
we will then be able to use this as a basis for on-boarding our
pharmacy provider community.With the California pedigree deadline
for the provider community at July 2017, we have not engaged
with this segment as yet.
Pharmacies Are Particularly Vulnerable
Pharmacies, to a large extent, have been at themercy of the
drug manufacturers, which have been driving the drug package
identification process through their involvement withGS1,
the global standards group. The FDA’s designation of an SNI
in March 2010—based on a GS1 standard—illustrates why
pharmacies in particular are worried about the FDA’s next
steps—establishing standards for interoperability, authentication,
and data management.
The FDA’s SNI guidance prescribed an identifier that contains
the National Drug Code and a second 20-digit alphanumeric
code that a company would choose and that would be
unique to a particular drug package. (There is no require-
Track-and-Trace Drug Verification
2 P&T® • April 2011 • Vol. 36 No. 4
continued on page 208

ment that the SNI guidance must be followed, but it is, in
essence, a de jure standard.) Pharmacy data systems, however,
use a field that allows for only 19 characters. That field is set
by a standard fromthe NCPDP, and pharmacies use it to send
data to health insurers when a patient comes in to fill a prescription.
“We would have to make changes to our data systems to
accommodate the FDA’s SNI,” says John Klimek, RPh, Senior
Vice President of Industry Information Technology at the
Part of the concern within the pharmacy community is that
the FDA relied too heavily onGS1 in writing the SNI guidance,
and the agencymight do so again when it writes the new standards.
Phillip D. Scott, Senior Vice President of Business and
Development at the NCPDP, explains that GS1, which is
dominated by large drug manufacturers, has “owned” the
e-Pedigree space, but its initiatives essentially stop when the
package gets to the pharmacy back door.
“We have felt for some time that we need to make sure that
any transaction could translate once it got inside the pharmacy,
to the physical transaction of filling the prescription,” he
The NCPDP set upWork Group 17 partly as a watch group
to provide information to the FDA, which would counterGS1’s
Big Pharma slant.
The formation of the NCPDP Work Group, as well as the
issuance of its December 2010 white paper, is just one indication
of the pharmacy industry’s interest in what the FDA is
doing. Companies represented at the FDA workshop on February
14 and 15 included Walgreens, Osborn Drugs, CVS
Caremark,Wal-Mart, Rite-Aid, and several pharmacy associations,
such as the American Society of Health-System Pharmacists.
Swedish Pharmacy Pilot Program Provides Hints
So far, almost nowork has been performed in theU.S. on the
potential impact of pharmacy authentication of drug package
pedigrees. The only pilot program ever instituted was in
Sweden under the auspices of the European Federation of
Pharmaceutical Industries and Associations. In this point-ofdispensing
pilot program, which took place in September 2009,
25 of Sweden’s Apoteket AB retail pharmacies verified 2D
datamatrix bar codes on 95,000 drug packages supplied by 14
drug manufacturers. All par ticipating pharmacies were
equipped with new scanners that could read these codes to
verify the products. Existing point-of-sale software was also
amended to include the necessary extra functionality. Product
verification and dispensing operations were fully integrated
into the ordinary pharmacy workflow.
Although each pharmacy in the pilot program received the
new camera-based scanning equipment, the pilot report does
not indicate that cost or the cost of software upgrades. The
pharmacies were basically able to integrate package verification
via the new bar-code readers into the everyday workflow
with little difficulty; however, this was possible only because
of the high rate of e-prescriptions already coming through the
pharmacies, the quality of the Apoteket point-of-sale systems,
and the standardization of systems within the Apoteket pharmacy

Turkey already imposes a point-of-dispensing requirement
on all incoming drug products; thus, Americanmanufacturers
packaging products for Turkey are now serializing drug packages
for that country. These companies includeGEHealthcare,
which packages contrast media products used in conjunction
with x-ray and magnetic resonance imaging (MRI) devices at
its manufacturing facility in Cork, Ireland. Those products go
to Turkey, theU.S., and elsewhere.GEHealthcare hiredOptel
Vision of Canada to serialize that packaging line; as products
move down the line, each one is given a differentGlobal Trade
Item Number.
When the Cork packaging line becomes fully operational,
perhaps by the end of 2011, GE Healthcare will serialize 12
other lines in Norway, Ireland, and Shanghai, says Gordon
Glass, Director of Manufacturing Project management. He is
now deciding between two vendors for an Electronic Product
Code Information System (EPCIS) for data management.
EPCIS is a GS1 standard that allows “event” data on the packaging
line to be uploaded to a data repository and to be shared
with other company data systems as well as systems outside
the company.
Turkey uses GS1 standards (mainly the Global Item Trade
Number unique numbering scheme), as does France; other European
countries that are working on their own requirements
will probably also use it. That puts the pressure on the FDA to
also pay close attention to standards of interoperability, authentication,
and data management that GS1 is developing.
The FDA, however,will have to consider the needs of all players,
not just Big Pharma. That probably will force the agency
to make some tough choices. For example, according to Bill
Fletcher, Managing Partner of Pharma Logic Solutions, the
larger pharmaceutical companies favor a distributed database,
which each company controls, instead of a central data clearinghouse,
which is run by a third-party chosen by the FDA.
“Small pharmacies at the end of the supply chain will likely
not be able to support costly distributed systems and will likely
require faster authentication response times than largerwholesalers,”
he said.
How Heavily Will the FDA Lean on GS1?
Mr. Fletcher and others have argued that GS1 functions as
a “Big Pharma boys club.”Multinational companies can pay upwards
of five figures formembership in GS1, and they, for the
most part, “pay the bills,” sinceGS1 is a nonprofit organization.
Jon Mellor, a spokesman for GS1 Healthcare U.S., explains,
though, that more than 80% of GS1 members are small to
mediumbusinesses spending in the three or four figures. Bill
Fletcher is a member, but he has mixed feelings about GS1.
He says:
They are open to new ideas, but it would be easier to develop standards
for Pharma if we didn’t have to contend with their bureaucracy.
The weekly participants in the work groups are fromvery Big
Pharma, wholesalers, and a handful of solution providers. In fact,
my joining, because I aman unbiased subjectmatter expert and consultant,
required special approval.
Apart from questions about how representative the organization
is, GS1 has had some issues with the standards it has
already developed. Right now, even the e-Pedigreemessaging
standard that GS1 adopted in 2007 is under fire; it was rushed
into final formtomeet the needs of a Florida law that was going
into effect at the time.
Ruby Raley, Director of Health Care Solutions at Axway,
explains that the document pedigree-management system
standard adopted by GS1 focuses on collecting data on a package’s
chain of custody. The system does not provide information
about the physical location of the package at a particular
moment in time, based on an SNI.
Bob Celeste,Director ofGS1HealthcareUS, admits that the
current data-messaging standard is ill-suited to an e-Pedigree
system. He explains that it was developed in 2006 to meet the
requirements of a Florida law that required the passing of
master data, which every participant in the distribution chain
adds to, resulting in considerable redundancy of information.
However, he admits that there is not much going on with that
GS1 is now in the process of developing new standards that
could be used by the FDA as the basis for a robust track-andtrace
system, in which data would flow forward from the
manufacturer; the pharmacy could also query back to the
wholesaler andmanufacturer. For example, a pharmacy could
send a receipt back to a trading partner to acknowledge that
the pharmacy received a shipment or even a particular package.
To accommodate the needs of pharmacies for this type of
reverse data transmission, GS1 is developing a discovery
service standard.
Whether or not the FDA leans on GS1 as heavily as it did in
coming up with SNI guidance, the agency will be under pressure—
in an antiregulatory environment—not to go overboard
in terms of the complexity of the standards it writes. At its
February workshop, the FDA presented some preliminary
thoughts on its forthcoming standards.McKesson’s Ron Bone
Authentication, as the FDA defined it at themeeting, is slightly different
than how the industry has been looking at it. Now that we
have insight into what the FDA is proposing, the industry can discuss
the ramifications and effectively address it in our responses to
the docket due on April 16.
The FDA is likely to be inundated with various entreaties.
Wholesalers such as McKesson and the large, multinational
drugmanufacturers will dominate the chorus. The question is
whether the pharmacy industry’s voice will be drowned out.