By Madeleine Giaquinto, J.D., Greenleaf Health
In June 2023, with a dwindling number of months before final requirements of the Drug Supply Chain Security Act (DSCSA) must be met, impacted drug supply chain stakeholders received some additional insight into the FDA’s potential DSCSA enforcement approach through a second-of-its-kind warning letter.1 The warning letter, dated June 8, 2023, was issued to Safe Chain Solutions, LLC and addresses DSCSA violations related to the wholesale distributor’s repeated instances of distributing costly counterfeit HIV antiviral drugs that Safe Chain had sourced from unauthorized trading partners, even after having received reports from downstream trading partners that suggested the drugs were counterfeit.2
The FDA has only issued one other DSCSA-related warning letter; that warning letter was issued in February 2019 to another wholesale distributor, McKesson Corporation.3 Similarities between the first and second DSCSA warning letters help paint a picture of what the agency might be thinking about when it comes to noncompliance with forthcoming DSCSA requirements (and the DSCSA as a whole). This article examines key findings of the Safe Chain warning letter and assesses commonalities between it and the McKesson warning letter, discerning themes and predicting agency enforcement priorities.
The DSCSA was enacted in 2013 and aims to establish a secure, interoperable, and electronic track and trace system for packages of prescription drugs distributed in the U.S.4 Such a system will better enable patient protection against counterfeit, stolen, contaminated, or otherwise harmful drugs and will improve the detection and removal (e.g., via recalls) of such drugs from the supply chain. Over the last 10 years, the law’s requirements have been incrementally implemented by the FDA, with final requirements coming into effect in November 2023. (For more information about key DSCSA requirements and implementation resources, see “Navigating DSCSA Implementation: Key Requirements & 4 New FDA Guidances” and “1 Year Out, Where Do We Stand on DSCSA Implementation?”.)
Enhanced Drug Distribution Security Requirements (Due by November 2023)
The final requirements coming into effect later this year are enhanced product tracing and enhanced verification. Once in place, these requirements will help achieve system capabilities referred to in FDA guidance as “enhanced drug distribution security” (EDDS).5
Enhanced product tracing means that trading partners should have the systems and processes to exchange transaction information (TI) and transaction statements (TS) in secure, interoperable, and electronic ways.6 Such systems and processes should allow for the prompt gathering and production of TI and TS in response to tracing requests, with TI including package level product identification information for each package in the transaction. Enhanced verification means that distributors and dispensers will have systems and processes for verifying product at the package level and must be able to accept saleable returns for verification.
Calls for Enforcement Discretion
Industry readiness for achieving EDDS capabilities by the November deadline have long raised stakeholder concerns, as well as questions about how the FDA will approach enforcement of these requirements. These concerns and questions have escalated in recent years, with the COVID-19 pandemic and rampant global drug shortages further hampering industry’s implementation status.7 Now the Healthcare Distribution Alliance (HDA),8 along with some members of Congress,9 are urging the FDA to slow-roll the effectiveness of remaining requirements (beyond November 2023) out of fear of exacerbating existing drug shortages (or leading to new ones). Similarly, late last year, the American Pharmacists Association (APhA) requested that the FDA issue enforcement discretion for small business dispensers, out of concern for their ability to meet demanding requirements with limited resources.10
The FDA has yet to issue an enforcement discretion policy detailing how (and to what extent) it plans to enforce against DSCSA noncompliance.11 However, the recent Safe Chain warning letter — taken with its 2019 precursor — may offer some insight into the mindset of the agency, particularly when it comes to conducting inspections in a DSCSA context.
Safe Chain Warning Letter
The warning letter to Safe Chain outlines four “significant” DSCSA violations.12 The violations relate to shortcomings of the company’s internal systems and processes for product verification, transactions with unauthorized trading partners, inadequacies in maintaining records to demonstrate proper handling and investigations of suspect product, and a failure to respond to notifications about illegitimate product. Each of these violations are discussed in depth below.
The violations are based on FDA findings made during a May 2022 inspection of Safe Chain’s wholesale drug distribution facility in Cambridge, MD. That inspection resulted in the issuance of a Form 483. As part of its response to the 483 observations, Safe Chain hired a third-party consultant to help develop the company’s SOPs for its handling of suspect and illegitimate product. Despite these efforts, the subsequent warning letter notes that newly issued SOPs were still not aligned with DSCSA requirements, and even where SOPs were aligned, Safe Chain was not adhering to them. Ultimately, although the violations related to Safe Chain’s verification obligations generally, the warning letter as a whole speaks to shortcomings of the company’s overall DSCSA quality system, which may extend from a lack of understanding about what the law asks of firms in Safe Chain’s shoes.
For example, the warning letter refutes the company’s claim that Safe Chain did not “knowingly” purchase illegitimate product because it believed the product issues were being generated downstream from their operations (i.e., at the dispenser level) and that ongoing investigations would reveal this. However, Safe Chain was unable to show documentation supporting this rationale, underscoring that the FDA finds trading partner accountability up and down supply chains, not just within the walls of individual facilities. Thus, in addition to having internal systems and processes for fulfilling requirements, a DSCSA quality system will entail strong coordination and communication with trading partners, too.
Violations #1 & #2
The first warning letter violation addressed Safe Chain’s failure “to have systems in place to enable compliance with … DSCSA verification requirements.”13 Specifically, the FDA couldn’t find that Safe Chain’s SOPs would assure compliance with proper handling, notification, and disposition of suspect and illegitimate product. When a suspect product is detected at a firm’s facility, the firm is required to quarantine the product until an investigation has determined that the product is or is not “illegitimate.” Recall that a suspect product is one where there is “reason to believe” the product is: counterfeit, diverted, or stolen; subject to a fraudulent transaction; or has been intentionally adulterated or appears otherwise unfit for distribution.14 Following an investigation, if product is determined to be illegitimate, trading partners must notify immediate trading partners within 24 hours, in addition to filing a Form 3911.15
According to the warning letter, Safe Chain’s SOPs lacked information about how to: (1) identify suspect product; (2) conduct an investigation into suspect product in coordination with trading partners; (3) handle product determined to be illegitimate; (4) handle requests for verification of suspect product from FDA; (5) make notifications of cleared product; and (6) maintain records documenting the investigation of suspect product or disposition of illegitimate product. Additionally, the company’s SOP for handling vendor and transaction history authentication did not sufficiently state that immediate trading partners be notified “within 24 hours of an illegitimate product determination.” Thus, compliance with DSCSA verification should involve detailed written procedures and systems that demonstrate a firm’s understanding of their obligation under this requirement (and all DSCSA requirements, for that matter).16This includes obligations related to internal processes for product verification, and processes for engaging and coordinating with relevant trading partners, and the FDA, per this requirement.17
The second warning letter violation addressed the company’s conduct with respect to “transactions with trading partners that were not authorized.”18 Here, the FDA found that Safe Chain did not adhere to their SOP for verifying trading partner licensure statuses and, subsequently, failed to verify that all trading partners were appropriately authorized. To be authorized in accordance with the DSCSA, wholesale distributors and third-party logistics providers (3PLs) must have a valid state license (under respective state laws)19 and must report this license to the FDA on an annual basis (under section 503(e)(2)(A)).20 Valid state licensure can be confirmed through state databases or through the FDA’s online database21 for self-reported state licensure information.
Despite having an adequate SOP for verifying trading partner licensure and reporting statuses, Safe Chain seemingly did not adhere to this procedure. In the warning letter, the FDA indicated that Safe Chain had engaged in purchases of the drug Biktarvy, used to treat HIV infection, with wholesale distributors that failed to report their state licensure status with the FDA. In addition to not reporting, another distributor provided Safe Chain with a fraudulent license and, thus, failed to be appropriately licensed in the first place. Because of these licensing and reporting failures, the trading partners were considered unauthorized. In several of these instances, where Safe Chain had purchased Biktarvy from unauthorized trading partners, the company later received notification that bottles stemming from these transactions had been returned to dispensers from patients because they contained different medications than what was purported on product labels. The FDA further found that Safe Chain continued transacting with the same unauthorized trading partners after receiving notification, causing further dissemination of suspect product. In this second violation, the FDA points out that, while having adequate SOPs is essential (as highlighted by Violation #1 in the warning letter), the existence of SOPs alone does not achieve DSCSA compliance. Instead, documented adherence to SOPs is part and parcel to having a strong DSCSA quality system.
It's additionally noteworthy that the warning letter spends some time highlighting the risk Safe Chain’s practices (i.e., transacting with unauthorized trading partners) posed to patients. According to the drug’s prescribing information, Biktarvy is indicated to treat HIV in a daily dosing regimen that, with disruption, can lead to the infection’s resistance against the treatment. The severity of this risk to patients is made apparent by the “black box warning” on Biktarvy’s packaging, something that the warning letter further underscores. The exposure of patients to suspect product, and heightened risk of irregular Biktarvy courses, is clearly a key reason Safe Chain was the subject of this enforcement action, as opposed to other similarly situated firms. That is, the FDA’s priority when it comes to enforcement will always take into account greater threats to patients.
Violations #3 & #4
The third warning letter violation cited the company’s failure “to maintain records of suspect product investigations.”22 As mentioned, the FDA found evidence that Safe Chain had been notified that suspect product purporting to be Biktarvy had been distributed from its facility. However, Safe Chain was unable to provide any documentation that the product had been quarantined upon its return to the facility or that immediate trading partners had been notified. Additionally, in other instances, Safe Chain had submitted Form 3911s to the agency, following determinations that the company had illegitimate product in their possession or control. However, no records pertaining to the suspect product investigations were made apparent. The DSCSA requires trading partners to maintain records about investigations into suspect product for six years. Having accessible records and information that fully document a firm’s activities surrounding its holding and release of suspect product from quarantine is an essential component of a robust tracing system. Without adequate records, the FDA has no way of confirming that all relevant suspect product has been identified and cleared. This can either cause potentially harmful products (like fake Biktarvy pills) to slip under the radar and reach patients, or it can lead to the recall of larger quantities of product from the market, unnecessarily constraining supply and potentially causing drug shortages.
The fourth warning letter violation addressed Safe Chain’s failure “to respond to a notification of illegitimate product.”23 Similar to Violation #3, Safe Chain was unable to provide any information demonstrating it properly responded to notice about illegitimate product. In addition to notifying others about illegitimate product detected via internal investigations, the DSCSA also asks trading partners to respond to notifications about illegitimate product detected by other trading partners. As part of their obligations to respond, firms must identify all relevant illegitimate product in their possession or control and quarantine and investigate such product. Without documentation of a proper response, Safe Chain had no way of confirming that it had met its obligation to quarantine and investigate the product in question and, thus, potentially released illegitimate product into the drug supply chain.
These violations speak to the importance of maintaining adequate records that demonstrate a firm’s accountability for its products across supply chains. That is, Safe Chain not only needed a more robust record of its internal verification processes and investigational history, but it also needed to show healthy lines of communication with trading partners for purposes of coordinating investigations, as is required under the DSCSA.24 Proper documentation and coordination of all DSCSA-related investigations are critical to the targeted isolation and removal of bad product from the supply chain.
Predicting FDA Enforcement Priorities
McKesson Warning Letter
As previously discussed, there has only been one other DSCSA-related warning letter issued to date – to wholesale distributor McKesson in February 2019.25 The McKesson warning letter similarly cited the distributor for shortcomings related to verification requirements (i.e., failures to quarantine and investigate suspect product, to respond to notifications of illegitimate product, and to maintain records of suspect product investigations). Findings in the McKesson warning letter were based on observations made during a July 2018 inspection.
Additionally, like the Safe Chain warning letter, potentially harmful products were at the center of the FDA’s decision to take enforcement action against McKesson. Instead of fake HIV pills, the McKesson warning letter took issue with, in part, McKesson’s role in distributing oxycodone in violation of controlled substance regulations stemming from opioid epidemic-related legal actions brought against the corporation.26 It’s worth noting that before receiving its recent warning letter, Safe Chain, too, found itself in legal hot water when Gilead Science and Johnson & Johnson each sued the company for its part in the dissemination of the counterfeit Biktarvy medication.
Key FDA Enforcement Themes Illuminated By The McKesson And Safe Chain Warning Letters
The similarities between the FDA’s call outs of Safe Chain and McKesson point toward three key themes:
- Having an overall quality system for DSCSA is critical and will be a standard part of FDA inspections moving forward. This means that, in order to demonstrate DSCSA compliance, firms should, of course, ensure they have adequate SOPs, but they should also ensure SOPs are operationalized and adherence to them is sufficiently documented.
- Firms must understand that their verification obligations under the DSCSA extend along supply chains; they do not end with a firm’s in-house systems and processes but entail coordinated investigations and communication with trading partners up- and downstream from them.
- The DSCSA should be thought of as another tool in the FDA’s toolbelt for carrying out its core mission. This means that FDA enforcement against DSCSA violations will be a natural extension of its overall priorities; at the end of the day, products posing heightened threats to patients will be of the utmost concern to the agency.
What Might Enforcement Discretion Look Like?
As discussed earlier, many firms across industry have fallen behind on implementation timelines and likely do not have systems and processes in place to meet their DSCSA requirements before November 2023.27 Stakeholders, such as the HDA and the APhA, have been open about this and called on the FDA to phase in final requirements in order to give trading partners more time to come into compliance.28
Recognizing these challenges, the FDA could decide to issue some type of enforcement discretion policy ahead of the November 2023 deadline. The exact parameters of such a policy have yet to be made known, however, several goals will motivate whatever the FDA decides to do next. These are:
- The FDA will first want to ensure that patient access to necessary medications is uninterrupted, and that any enforcement discretion policy sufficiently weighs risks of drug shortages.
- The agency will also want to ensure that trading partners, at a minimum, uphold existing safeguards already implemented under the DSCSA, such that continued integrity of the supply chain is met.
- Last, the FDA will want to ensure that DSCSA implementation progress continues; that is, any enforcement discretion policy will aim to maintain pressure on trading partners to work toward achieving full implementation as quickly as feasible.
As part of their June 2023 letter to the FDA, the HDA offered a proposal for phasing in final requirements over a two-year timeframe while also ensuring that the FDA’s goals are met.29 The proposal outlines three phases, concluding in November 2025, at which point all trading partners (manufacturers, wholesale distributors, and dispensers) are expected to be in full compliance with DSCSA’s package level data requirements. While it’s hard to predict what the FDA will decide to do about DSCSA enforcement, the HDA proposal, along with other stakeholder input, are potential approaches that may be under consideration by the agency as November draws near.
Regardless, and to sum, one should expect any enforcement discretion policy to be aligned with the agency’s overall priorities for ensuring quality drug products reach patients through productive use of resources. For example, the significance of McKesson’s and Safe Chain’s shortcomings indicate the weighted focus the FDA places on products that pose the greatest risks to patients. This is something that, of course, aligns with the holistic priorities of the agency’s compliance programs and is a good reminder that DSCSA requirements will not be upheld in a vacuum. Thus, falling back on fundamental principles of having mature quality management systems for the purpose of protecting patients while preventing drug shortages is a good frame of reference when anticipating the FDA’s enforcement approach come November 2023.
- Title II of Public Law 113-54, “Drug Supply Chain Security,” (November 2013), available at https://www.govinfo.gov/content/pkg/PLAW-113publ54/pdf/PLAW-113publ54.pdf. See also, FDA Webpage, “Drug Supply Chain Security Act (DSCSA)”, available at https://www.fda.gov/drugs/drug-supply-chain-integrity/drug-supply-chain-security-act-dscsa.
- FDA Warning Letter #636044, “Safe Chain Solutions, LLC,” (June 2023), available at https://www.fda.gov/inspections-compliance-enforcement-and-criminal-investigations/warning-letters/safe-chain-solutions-llc-636044-06082023.
- FDA Warning Letter #565854, “McKesson Corporation Headquarters,” (February 2029), available at https://www.fda.gov/inspections-compliance-enforcement-and-criminal-investigations/warning-letters/mckesson-corporation-headquarters-2719-565854-02072019.
- FDA DSCSA Webpage, available at https://www.fda.gov/drugs/drug-supply-chain-integrity/drug-supply-chain-security-act-dscsa.
- See FDA Guidance, “Enhanced Drug Distribution Security at the Package-level,” (draft issued June 2021), available at https://www.fda.gov/regulatory-information/search-fda-guidance-documents/enhanced-drug-distribution-security-package-level-under-drug-supply-chain-security-act, and FDA Guidance, “DSCSA Standards for the Interoperable Exchange of Information, (revised draft issued July 2022), available at https://www.fda.gov/regulatory-information/search-fda-guidance-documents/dscsa-standards-interoperable-exchange-information-tracing-certain-human-finished-prescription-drugs.
- See DSCSA Virtual Public Meeting, Connie Jung, RhP, PhD, “Overview of Enhanced Drug Distribution Security Requirements,” (December 2022), available at https://www.fda.gov/media/164085/download at p.53.
- For the past 7 years the HDA has released annual survey reports highlighting ongoing implementation challenges its members’ face. See HDA Research Foundation, “Serialization Readiness Survey: Executive Summary”, (October 2022) available at https://www.hda.org/~/media/pdfs/center/2022-serialization-survey.ashx.
- HDA Statement to FDA, “HDA Recommends a Phased Approach to Implementing the Final Requirements of the DSCSA,” (June 2023), available at https://hda.org/newsroom/2023/hda-recommends-a-phased-approach-to-implementing-the-final-requirements-of-the-dscsa/.
- Members of Congress Letter to FDA to ensure DSCSA requirements do not lead to drug shortages, (August 2023), available at https://balderson.house.gov/uploadedfiles/
- APhA Request to FDA, “Request for Enforcement Discretion for DSCSA Small Business Dispensers,” (December 2022), available at https://s3.amazonaws.com/filehost.pharmacist.com/CDN/PDFS/Advocacy/
- On August 10, 2023, the FDA published a federal register notice that requests comments from relevant stakeholders on proposed topics and questions for use in a small business dispensers assessment. The DSCSA directs the FDA to conduct such an assessment to better understand the technology and software capabilities of small business dispensers (25 or fewer full-time employees) and to determine the feasibility of EDDS requirement compliance for them. See FRN, Docket No. FDA-2023-N-3103, available at https://public-inspection.federalregister.gov/2023-17140.pdf.
- See supra n.2.
- FD&C Act section 582(c)(4)(A) & (B).
- See FDA Guidance, “Definitions of Suspect Product and Illegitimate Product for Verification Obligations,” (final issued March 2023), available at https://www.fda.gov/regulatory-information/search-fda-guidance-documents/definitions-suspect-product-and-illegitimate-product-verification-obligations-under-drug-supply.
- FD&C Act section 582(c)(4)(B)(ii).
- See FDA Guidance, “Verification Systems Under the DSCSA for Certain Prescription Drugs,” (draft issued March 2022), available at https://www.fda.gov/regulatory-information/search-fda-guidance-documents/verification-systems-under-drug-supply-chain-security-act-certain-prescription-drugs.
- Trading partners’ verification obligations, including notification, are outlined under section 582(b)(4), (c)(4), (d)(4), and (e)(4) of the FD&C Act).
- FD&C Act section 582(c)(3).
- FD&C Act section 583.
- FD&C Act section 581(2)(B).
- FDA Database, “Wholesale Distributor and Third-Party Logistics Providers Reporting,” https://www.accessdata.fda.gov/scripts/cder/wdd3plreporting/index.cfm.
- FD&C Act section 582(c)(4)(A)(iii).
- FD&C Act section 582(c)(4)(B)(iii).
- FD&C Act section 582(c)(4)(A)(i)(II).
- See supra at n.3.
- See Barbara Unger, “FDA’s First DSCSA Warning Letter – A Closer Look” (March 2019), available at https://www.outsourcedpharma.com/doc/fda-s-first-dscsa-warning-letter-a-closer-look-0001.
- See supra n.8.
- See supra n.8-10.
- See supra n.8.
About The Author:
Madeleine Giaquinto is director of regulatory affairs at Greenleaf Health, an FDA regulatory consulting company based in Washington, DC. She provides clients with timely analysis of FDA regulations, policies, and guidance documents related to good practice standards for all FDA-regulated medical products. She also advises clients on strategic engagement with the FDA on a range of policy and compliance-focused matters. Giaquinto’s public health policy and regulatory compliance expertise stem from her 9+ years working across legal, government/legislative affairs, and hospital administrative settings. She has a J.D. from George Mason University and a B.S. in biology from Georgetown University.