Regulatory compliance is a lot like a treasure map from an old pirate movie. You’ve got to follow the directions to the letter, a task made more difficult by the cryptic language that serves as your guide. Decipher everything correctly and you can reap an abundance of rewards. One false move, though, and you could lose everything. In both cases, there’s a big risk of peril. Of course, treasure maps are works of fiction, which explains why no one ever invented software to help you manage your quests for stolen gold. Regulatory compliance, on the other hand, is a much more serious topic to consider, and with the right planning you can avoid perilous situations altogether.
A case in point is the Drug Supply Chain Security Act (DSCSA), a set of rules that became law in 2013 in the United States in order to better track and trace every bit of medication as it makes its way from manufacturers to patients. The law was created to better monitor the flow of drugs along the supply chain, and to enable fast and decisive action in identifying and removing from circulation any medication found to be contaminated, counterfeit, or stolen. To achieve this, all parties along the supply chain—from the biggest pharmaceutical producers to the smallest independently owned pharmacies—need to be able to do the following in order to be compliant:
- Maintain the appropriate licensing and registrations, and confirm the same with their trading partners.
- Receive, validate, and store all the necessary tracing documentation.
- Investigate any suspicious medication and notify their trading partners of same.
- Respond quickly to any audits or inspections, as well as to any investigations conducted by their partners.
Every aspect of this compliance needs to be documented, and that documentation needs to be kept for six years. Should any of those documents need to be retrieved, you must do so within 48 hours upon request. Now, for the larger businesses that exist along the supply chain—the manufacturers, the hospitals, the national pharmacies—compliance isn’t necessarily easy, but it’s also not a showstopper. These companies have the resources to ensure they stay within the bounds of the law. They can invest in the hardware, software, and personnel needed to accomplish all this.
Companies on the small to medium size, however, tend to approach compliance like a treasure hunt, cautiously and one step at a time, adding the necessary tools as the map demands it (and resources allow). Often these critical operations are managed with paper, spreadsheets and entry-level accounting software—making regulatory compliance a difficult, time consuming task.
Ad Hoc or Add Value?
For small businesses, ad hoc setups are a way of life. IT infrastructure is often built out piecemeal, on an as-needed basis. The processes and protocols that a company adheres to are often developed on the fly, going undocumented and existing in the brains of staff before being passed along to new staff—more company culture than company policy. Because of this, it would be easy to adapt to DSCSA just by adding one more piece of the puzzle. While large companies are performing holistic tech refreshes that automate compliance, many small and medium sized distributors are, at best, merely performing some updates to their existing accounting software or ERP platform. In the case of those whose ERP system isn’t tailored to specific pharmaceutical needs, there’s always the option of integrating a third party plugin, or going with a DSCSA-Compliance-as-a-Service provider.
However, while this approach may solve an immediate need, it isn’t very sustainable . Short-term technical restraints might be addressed, but there’s no long-term added value. Compliance is a moving target, with rules that can and will change in the future. This means your ERP system needs the ability to adapt, update and evolve automatically, keeping you in line with regulations. Piecing together disparate software, with add-ons and plug-ins, won’t achieve this and will only bring complexity. If something breaks, finding the source of the problem is more difficult. Vendors will be only too happy to blame other pieces of software or hardware and get you out of their support queue. A setup like this guarantees a headache and makes it more difficult to establish internal processes meant to ensure compliance.
DSCSA requirements are the same whether your company has 10 or 10,000 people. You’re playing in the same league as some of the biggest companies in health care; so you need tools that are just as comprehensive. There are three areas which you can look to keep streamlined:
Hardware: The advent of cloud computing has ushered in a new era of enterprise computing, one where even small and medium businesses get access to top-of-the-line tools—the latest hardware, including redundancy, backups, and 24/7 monitoring of systems—for only the cost of a monthly subscription. For companies that don’t want to share processing power with other users, co-locating your own hardware and software in another facility helps you to retain ownership while still lowering the cost and complexity of managing everything locally. The less you have to manage the better.
Software: With the final deadline for DSCSA coming—November 27, 2023, when full interoperability between all entities in the supply chain must be in place—it’s a good time to be looking at the software you’re using and consolidating into a single solution. Back to our example of small/medium sized distributors, try and fold compliance into the core functionality of your ERP, not a patchwork of solutions. Beyond the mission-critical business functionality you need like sales, warehousing and accounting, there is an entire set of needs for DSCSA provisions alone: state and local DEA license checks, serialization, lot and batch expiration traceability, full ARCOS reporting capabilities and chargeback management to name a few. When those are considered a core part of the software, awareness of DSCSA requirements is, too. In this way, your software becomes a de facto compliance officer—enforcing the rules, cataloging the inventory, and retaining the data.
Internal Processes: Finally, define the processes and procedures for all compliance requirements and make sure all employees have familiarized themselves with more than just how to handle their own responsibilities. Define their DSCSA-related tasks clearly and in writing. Train them on how to work with software to ensure everything is being done correctly. Eliminate room for interpretation of the requirements; instead make those requirements the foundation for how certain tasks should be handled.
The DSCSA is unwieldy and complicated, sure. But it exists for good reason, and playing by its rules should and can be a simple matter. By folding as many tasks and processes into a single, integrated system—where protocols overlap with software, and software ensures compliance—you can streamline day-to-day operations. While there’s nearly three years left before the law is fully in effect, much of it has already been phased in. There’s literally no time like the present to keep things simple for your business.