Are you ready for the new DSCSA Tracing Requirements?

This blog is the second part of a two-part series from Two Labs Director of Serialization, Michael Rowe.

Check out the first blog for an introductory dive into what the new DSCSA tracing requirements are.

Integration with Suspect Product SOPs

One of the biggest takeaways from the roundtable sessions was that tracing is essentially an extension of what companies should already have in place in their suspect drug investigation procedures. The tracing request should not be looked at in a vacuum but as another component of a robust suspect drug investigation.

At its core, a tracing request includes pulling a sales detail report and showing which units were sold to which customer. The finalized guidance of “Verification Systems Under the Drug Supply Chain Act” enumerates that the FDA expects that, as part of a robust investigation, companies should evaluate which customers might have impacted products in their possession.

This is a current requirement today, so many participants at the HDA DMC roundtable were able to share how they are modifying their suspect product SOPs to accommodate the ability to make a tracing request in conjunction with their overall suspect drug investigation steps.

Folks in the room talked about how they are training their customer service departments to field these types of requests and making sure the quality assurance departments know where and how to get the DSCSA Transaction Data, which could be in different systems than they are used to searching.

The concept was that companies are building triage teams to look at these suspect drug investigations from multiple perspectives. It was noted that it was important to understand that completing a tracing request doesn’t mean that the suspect drug investigation is over. The investigation will continue through the necessary product quarantining and notification of potentially impacted products to trading partners.

Turning Tracing Theory into Practice

I won’t bury the headline here. Come this November, I do not see an automated or systemic process for tracing requests to be handled.

The industry is so far behind on the basics of passing serialization data with shipments that there isn’t enough bandwidth to develop the technology to make these tracing requests less manual.

For the most part, I see most major wholesalers rallying around sending and responding to tracing requests via email (although some companies have developed technology to automate these processes). But in my opinion, there is hesitation from the industry to automatically respond with transaction data, especially if it is related to a suspect drug investigation. Given the sensitive nature of these requests, they want humans to review and respond for accuracy and accountability.

But there is also the question of whether email is a sustainable or secure approach. One comment from the roundtable that was eye-opening for me was that each state board of pharmacy does, on average, two investigations into a pharmacy every month. That doesn’t even account for all the routine inspections that occur. What that means is that as part of those investigations, a flurry of tracing requests could get generated that the industry will need to respond to.

That is only an anecdote that a peer shared with me, but it shows the quantity of investigative activity occurring in the industry. And we predict that tracing requests will only increase over time.

Checking In on The NABP & FDA

There is a lot of activity from the National Association Boards of Pharmacy (NABP) in the tracing arena. It has hosted several webinars and a pilot on how state inspectors might conduct tracing requests piggybacking off a system they are already using. The benefit here is that the NABP is pushing a web-based tool. Having the requests processed through their system can help build consistency and trust in handling things outside of email.

However, in the Enhanced Drug Distribution Security at the Package Level guidance (over which the industry has lambasted the FDA for how it tries to enforce requirements not outlined in the law), the FDA seems to envision that tracing requests will be performed within one day and that a single targeted request will be able to capture all the required data.

Whatever system the FDA is describing remains a mystery to those of us who are following this closely. Over the years, I have seen the FDA collaborate with the industry to adjust guidance documents, so there may be a revision in the works based on how public forums have responded.


Whenever I am in a tracing conversation, the topic of credentialing always comes up.

One of the challenges with fulfilling a tracing request is trusting that the initiator is a legitimate trading partner or someone from the FDA. With such sensitive data, we need to be confident in relying on email to send and receive data.

I won’t get into much detail on credentialing in this article as it could warrant its own discussion. The concept of credentialing has surfaced as a way to develop standard messaging protocols that demonstrate that requestors are properly licensed and who they say they are. The Open Credentialing Initiative (OCI) has done some great work in this area: getting industry collaboration and developing open/public standards that anyone can use.

Instead of doing manual license checks and developing a “safelist” of email addresses, the providers offering credentialing services (who are following the OCI standards) can be an attractive option for companies that anticipate a lot of tracing requests or have a lot of indirect customers.


I encourage you to read the actual statute and the PDG blueprint, and listen to what NABP is doing.

Take a refreshed look at your suspect product investigation SOPs. Does your team have readily available access to the transaction information now that you are setting up those customer connections? Are you prepared to take tracing requests from multiple sources and even indirect customers or suppliers you don’t usually deal with? Can you respond within 24 hours?

The processes and industry best practices for facilitating a tracing request will evolve, especially after November 27, 2023, once the serialization data becomes more available in the supply chain.

We also expect that more tracing requests will surface as other federal and state agencies get more familiar with the DSCSA. Not because more suspect drugs are out in the market, but because it is another tool as they investigate and certify that trading partners in the industry can do this if ever needed.

Tracing is a critical element of the enhanced drug distribution security efforts that DSCSA envisions. It will be critical to make investigations and recalls more robust. It is an essential tool to identify fraudulent activity, so it is a requirement all trading partners must take seriously.

How do you feel about your tracing operations ahead of DSCSA?

Reach out to schedule a consultation with our DSCSA experts. We can talk through what you should be focused on for the next six months, what to expect in November, and how it will impact your launch strategies moving forward.

About the Author

Michael Rowe is the Director of Serialization at Two Labs. He is well known for his DSCSA expertise and has spoken at several industry conferences and events, and he is a Lean Six Sigma Black Belt. Prior to Two Labs, he spent time with a large wholesale distributor as a manager of their Track & Trace program, advising all their divisions, suppliers, and customers on DSCSA requirements.