Spherity is exploring how credentialing enables DSCSA compliance for pharmacies and other dispensers

Spherity’s Credentialing Service aims to relieve pharmaceutical dispensers of additional administrative burden required for DSCSA compliance

In November 2013, the U.S. congress enacted the Drug Supply Chain Security Act (DSCSA) in order to enhance the protection of patient health. To achieve this, a part of this legislation will require U.S. pharmaceutical trading partners to establish that they only interact with other trading partners who have been properly authorized. This requirement does not only affect the big players in the pharmaceutical supply chain, but also each and every dispenser. With more than 60,000 pharmacies and outpatient dispensing outlets in the U.S., there is a pressing need for a powerful solution that facilitates DSCSA compliance by November 2023. Yet, only 22 month before the deadline U.S. pharmaceutical supply chain actors still have no interoperable, electronic mechanism to validate each others’ authorized status.

Spherity Credentialing Service helps dispenser comply with DSCSA by November 2023 (Photo from Pexels)

Together with its partners from across the industry over the past two years the Open Credentialing Initiative (OCI) has been developing such a solution to support DCSCA compliance. Whilst the focus of the initial development lay on pharmaceutical manufacturers and distributors, Spherity together with fellow OCI members Legisym and RxScan has since also examined the applicability of Spherity’s Credentialing Service to pharmacies and other dispensing outlets.

“Integrating credentialing into existing warehouse or ERP solutions used by dispensers is key to enabling industry adoption. With our partners, we analyze the onboarding processes and interfaces to connect digital wallets with software solutions Dispensers are already familiar with.”

Georg Jürgens, Manager Industry Solutions at Spherity

What’s the big deal?

Under DSCSA, dispensers will have to ensure that each trading partner is legitimate, that is in DSCSA terms, an Authorized Trading Partner (ATP). This means a dispenser must be sure that the interacting party is who they say they are and is allowed to engage with them in DSCSA-relevant communication. Such communication comprises:

• Product Identifier Verification

If a dispenser encounters a product that appears suspicious, they must trigger a verification request to the manufacturer. The established Verification Routing Service infrastructure and GS1-standardized messaging protocols facilitate such communication between the two parties.

• Tracing

In case a product is illegitimate or a regulator performs an audit, the Trading Partners need systems to trace product ownership. Hence, dispensers must maintain secure, electronic, and interoperable systems and processes to provide Transaction Information and Transaction Statements for each and every transaction.

The challenge is that these software solutions must allow Trading Partners to communicate with other Trading Partners with whom they have no prior business relationship. Consequently, they do not know the authorized status of the interacting party.

Currently, GS1 Global Location Numbers (GLN) are used to identify trading partners for Product Verifications.

“When using VRS initially, we utilized GLNs to identify a trading partner. We discovered GLNs that were not active or not associated with the requesting entity. GLNs also do not inform about authorized status. Additionally, we had no proof that the provided GLN actually came from the trading partner. This was a compliance gap we had to close.”

Dave Mason, Supply Chain Compliance and Serialization Lead at Novartis

Whilst the top 5 U.S. pharmacies account for roughly 60% of total U.S. pharmaceutical prescription revenues, we shall not forget that there are many small players, too, who must find an affordable way to comply with DSCSA by November 2023. Considering the complexity of the pharmaceutical supply chain and departmental separations in large corporations, it can be extremely difficult for a small pharmaceutical outlet without access to relevant user portals to find the right contacts and obtain the correct information rapidly. The added administrative and regulatory burden not only makes life harder for incumbents, but also increases the entry barriers into this line of business.

Credentialing can help dispensers

Spherity and Legisym have partnered to enable dispensers to adopt credentialing in a lean, simple and affordable way. Our objective is to provide mechanisms to onboard small community pharmacies as well as retail chains. Within OCI’s industry network, we have assessed how to make this happen. The key challenge was to figure out how dispensers can be vetted as digitally trustworthy entities.

OCI architecture can facilitate formation of a network of verifiable digital dispenser identities.

Before we get into this, let’s dial back a bit and clarify…

What is credentialing?

Credentials exist in the physical and digital world. They are essentially certificates that attest to a certain status or achievement. Credentialing in the context of DSCSA is the process of verifying documentation that proves a certain legal or regulatory status, e.g. the formal review of a pharmacy’s State license and proof of the company’s existence. Within the digital world, electronic credentials can be issued, for example by Legisym, once electronic and/or physical documentation has been approved. Such electronic credentials can then be stored safely in a digital wallet like the one offered by Spherity. This makes it possible to automate the exchange of credentials or information about them with Trading Partners.

“Our goal was to simplify the credentialing of dispensers to make the process as intuitive as possible and with it requiring the least amount of time to complete. Through everyone’s efforts we believe this has been accomplished.”

Max Peoples, Owner RxScan

Automation simplifies and speeds up product verification

In principle, DSCSA permits manual verification of suspicious products. Due to the potential complexity of such a process and varying experience levels amongst dispenser staff, it can take a few days, if not longer, to clear a legitimate product. In this period the sale of the product in question is on hold. Consequently, patients may have to wait, reducing their quality of care and possibly also confidence in the dispenser. Furthermore, storage space is blocked and revenue is delayed.

In contrast, the electronic system proposed by OCI partners enables real-time responses after scanning a suspicious product. The software is designed to be compatible with existing data or warehouse management systems established by solution providers like OCI member RxScan. These service providers are able to integrate via API with the Spherity Credentialing Service.

How can credentials enable DSCSA-compliant interactions?

Digital credentials allow instant confirmation of a Trading Partner’s identity and ATP status in line with DSCSA requirements.

The Identity Credential confirms that a Trading Partner is indeed who they claim to be. This credential is the basis for all further verification. Once this crucial credential has been validated, an ATP credential can be issued for the same entity as long as they comply with the applicable DSCSA criteria. With these two key credentials in place, DSCSA-compliant trading interactions can take place between ATP. Note that credentials are revoked when an entity’s compliance with the relevant requirements fails. It is the task of a Credential Issuer, like OCI member Legisym, to issue and revoke credentials by performing due diligence assessments. This aspect is fully integrated in the Spherity Credentialing Service. A dispenser can store and manage their credentials in a digital wallet provided by Spherity.

“By enabling the use of DEA Signing Certificates, OCI can leverage within just a few minutes this fast, dependable method that local pharmacies and small dispensers are already commonly familiar with — keeping the onboarding process simple and secure.”

David Kessler, President & Co-Owner at Legisym, LLC

For any suspicious product verifications (see figure), a dispenser would scan the product code and send the verification request to their data management service provider who offers directly or indirectly Verification Routing Service (VRS) capability in the background. VRS integration takes the pain away from having to identify the correct manufacturer contacts. Thanks to the automatic inclusion of the dispenser’s ATP credential in the message exchange (GS1 has approved usage of credentialing in the header of the message), the manufacturer will respond even if they may have never dealt with the dispenser before. Because the manufacturer also attaches their ATP credential to the reply, the dispenser can be sure that the answer is trustworthy and the entire interaction is DSCSA-compliant. Should the ATP credential from one of the two Trading Partners be invalid, the process flow would stop at the point of ATP status verification and no further messages regarding the product would be exchanged in this interaction. The digital wallet stores transaction data of the described exchanges and, thus, automatically creates an audit trail.

Suspicious product verification: Credentials are automatically embedded in the product verification process

Note that all a dispenser has to do in this process is to kick off the product verification request by submitting the product scan in their app user interface and then act on the response upon receipt. There is no technical integration effort for dispensers because their data service provider takes care of the rest.

Join the ecosystem to foster interoperability

Legisym and Spherity founded along with other early adopters of credentialing the Open Credentialing Initiative (OCI) in April 2021. This newly formed organization incubates and standardizes the architecture using digital wallets and verifiable credentials for DSCSA compliance with Authorized Trading Partner requirements.

Besides U.S. pharmaceutical manufacturers, wholesalers and dispensers, the OCI is also open for other solution providers integrating with the ATP architecture. Collaboration within the OCI ensures that all service providers offering an ATP solution are interoperable. Both industry and regulators have recognized that interoperability is paramount.

Act now to meet the 2023 deadline

Following successful proof-of-concept and pilot projects, a group of VRS providers, wholesalers and manufacturers under coordination by the OCI has started a validation phase of using ATP credentials in product verification interactions. The entry into production environments is scheduled for the first half of 2022. This will leave the industry around 18 months until fall 2023 to adopt credentialing.

Currently, there is no other solution for electronic ATP verification available. Hence, leading trading partners, standard organizations and industry associations emphasize the importance of starting adoption now.

OCI has just launched an Early Adopter Program for any business in the U.S. pharmaceutical supply chain that will be required to comply with the DSCSA ATP requirements. Register your interest now!

For any further questions, please contact Spherity under atp@spherity.com or visit our website to learn more about our credentialing service named CARO.

For more detailed information, download ATP Credentialing for Dispensers Report here and peruse OCI’s proposal for Credential Issuer conformance criteria here and Digital Wallet conformance criteria here.

If you just want to stay sphered, sign up for Spherity’s Newsletter or follow us on LinkedIn and Twitter.