As a pharma distributor, compliance challenges are nothing new. In a high-stakes industry where your products affect the health and lives of millions of consumers, you are kept on strict controls. In addition to the numerous provisions of the DSCSA, you’re also responsible for complying with Suspicious Order Monitoring (SOM) regulation, part of the Controlled Substances Act.
What is Suspicious Order Monitoring?
SOM is a set of requirements for detecting and reporting suspicious customer orders from pharmacies, hospitals, and physicians. Its purpose is to prevent diversion, or the movement and sale of drugs from legitimate sources to illicit markets (i.e. drug abuse and drug trafficking).
Although SOM regulations serve an important purpose, the requirements and definitions are complex and extensive, yet vague.
For example, SOM regulations require distributors to “design and operate a system” to disclose suspicious orders of controlled substances, and to electronically report suspicious orders immediately to the DEA’s new central database, the Suspicious Orders Report System (SORS).
What exactly constitutes a “suspicious order”? And how can you “design and operate a system” to identify them?
Part 1301 of the regulation defines “suspicious orders” as “orders of unusual size, orders deviating substantially from a normal pattern, and orders of unusual frequency”. But what does this mean in practical terms for distributors? How can you implement methodology to identify orders that fit such vague, broad parameters?
This is precisely why many small and medium-sized distributors find themselves “Monday morning quarterbacking” when they get flagged for a suspicious order.
In the meantime, SOM regulations continue to be updated. There’s also the proposed legislation from November 2020. New parameters for designing and operating a system for suspicious orders now also includes identification of “orders based on facts and circumstances that may be relevant indicators of diversion in determining whether a person (or a person submitting an order) is engaged in, or is likely to engage in, the diversion of controlled substances.” The proposed legislation also adds some new definitions for due diligence, order, and order received under suspicious circumstances (ORUSC).
Clear as mud, right? What “facts and circumstances” can indicate diversion? What constitutes an “order received under suspicious circumstances”?
Reporting requirements for SOM
It will come as no surprise that the reporting requirements are also extensive. There is now a two-option framework that distributors can use to handle receipt of an ORUSC: you can either 1) decline to distribute the order and immediately file a suspicious order report, maintaining a record of the order and any associated due diligence; or 2) conduct due diligence of each suspicious circumstance of the ORUSC, while maintaining a record of your due diligence. At a minimum, successful compliance with either of these options requires extensive recordkeeping, tracing, and audit trails.
Distributors will have seven days to investigate; if the suspicious circumstances are not dispelled by then, it must be reported as a suspicious order.
Additionally, when you report suspicious orders to the DEA, you must include essential identification information for the order, registrant, and controlled substances in question. And you need to keep a record of every suspicious order and ORUSC for at least two years, with key information on suspicious circumstances, due diligence, conclusions, and whether you decided to transact.
The Cost of Non-Compliance
Despite the lack of guidance on SOM requirements, the DEA maintains a stringent standard of enforcement in the form of steep fines and penalties. Distributors are held liable both civilly and criminally when it comes to preventing diversion—to the tune of tens of millions of dollars.
Here are some examples of civil court orders for fees paid by registrants found in violation of SOM requirements:
- $13,500,000 from McKesson, 2008
- $34,000,000 from Cardinal Health, 2008
- $80,000,000 from Walgreens, 2013
- $44,000,000 from Cardinal Health/Kinray, 2016
- $150,000,000 from McKesson, 2017
- $35,000,000 from Mallinckrodt, 2017
Manual SOM Compliance: Next to Impossible
How can small and medium sized distributors and wholesalers ensure SOM compliance? The sheer amount of human judgement involved with manual SOM compliance introduces risk and potential for error. Not to mention manual compliance is time-consuming and frustrating.
And, leaving SOM to personnel instead of a central system means you’re applying the controls in a haphazard way. In this scenario, compliance information resides only in the minds of certain individuals when it could be easily accessible and standardized across the organization. What happens, for example, if the person who usually handles SOM leaves your organization? Most likely the responsibility gets passed to a different person who doesn’t check for suspicious orders in the same way. What happens when personnel shift back and forth between working on site and at home as almost everyone was forced to do in 2020? Now the records you need are spread across multiple locations. Let’s hope you don’t have to contend with an audit in such a state.
Simplifying SOM Compliance with an ERP System
Successful SOM hinges on your organization’s ability to keep track of many moving parts and parameter updates. Manual processes can’t keep pace, but a robust and integrated ERP system can. Here’s why:
- Digital document management, record-keeping, and automatic look-up. Rather than scattered across Excel sheets, file cabinets, and the minds of your employees, the data you need is organized and digitized in a central electronic system that can be accessed at any time by pre-determined staff members.
- Automatic system of record and audit trail for actions and due diligence. Easily provide DEA auditors with all the information needed for your SOM compliance efforts.
While an ERP system is the foundation for effective SOM, an ERP designed specifically for pharmaceutical distributors can offer further advantages when it comes to SOM:
- System of record for all requirements within the two-option framework for SOM reporting, including why orders or ORUSCs were accepted or rejected and corresponding customer communications.
- Automatic sync with the latest requirements and regulatory parameters. Relieve your staff from the burden of interpreting vague requirements.
When it comes to SOM, there are more questions than answers at the moment. Still, investing in an ERP system will set your organization up as best as is possible for compliance. Get in touch to learn more.
Register now for an overview of SOM requirements as enforced by the DEA & DOJ