by Matt Crusan — Director, DEA Compliance and Services


In accordance with Drug Enforcement Administration (DEA) rules, drug manufacturers and distributors are mandated to design and implement a system that identifies suspicious ordering activity of controlled substances; however, there is no clear guidance provided for how to establish a perfect Suspicious Order Monitoring (SOM) program.  Industry members want to comply, but many are left feeling that their hands are tied regardless of the good intentions of policy and procedure.

Many manufacturers and distributors don’t know how to initiate the process of establishing an SOM program, while others make the risky presumption that their system is proficient as is.  Even major players in the pharmaceutical industry are susceptible to this pitfall, with many being penalized for excessive shipment of abuse-prone prescriptions drugs.

With companies that have millions of dollars to implement robust SOM programs falling short of DEA standards, how can the rest of industry be confident that their SOM is impeccable, or even adequate?

The truth is that it is impossible to know what constitutes an acceptable SOM program until DEA issues an Order to Show Cause for excessive distribution of controlled substances.  I frequently hear from industry members that are reluctant to modify their SOM program because their facility had been previously inspected by DEA and there were no issues with their SOM program at the time.  Of course, a one-time passed inspection does not necessarily mean that your programming is up to par.  At the time of the inspection, you may not have had a customer who was ordering with unusual size, pattern, or frequency.  However, this doesn’t mean that your system has the blessing of DEA; in fact, they will never officially endorse any SOM program (a DEA endorsement would undermine the agency’s ability to enforce their regulations against any such business if a suspicious order was found).

Although developing a robust SOM program that meets DEA standards may initially seem like a daunting task, there are fairly simple measures that can be taken to ensure an exceptional program.

Before you initiate your SOM program, you must have a solid understanding of DEA’s “Know Your Customer” policy, which will be the foundation of your program.  The policy states, “it is fundamental for sound operations that handlers take reasonable measures to identify their customers, understand the normal and expected transactions typically conducted by those customers, and, consequently, identify those transactions conducted by their customers that are suspicious in nature”(DEA website).  The following steps define the reasonable measures that should be taken to identify customers within the supply chain.

First, you must develop a system that monitors orders and can identify which orders are of unusual size, pattern, or frequency.  This part is crucial.  If this is a manual process, the likelihood of a suspicious order being overlooked and accidently distributed is extremely high.  Furthermore, this type of system is highly subjective.  A manual process is not recommended; in fact, DEA even states that, “using a computer to manage and report on high-volume transaction business activities with extremely short order cycle times (receipt to delivery) is the only viable, cost-effective methodology for the reporting of orders which may be considered excessive or suspicious” (DEA website).

There are a number of factors that must be considered when developing your system.  It must be robust enough to identify truly suspicious orders; at the same time, it should not interfere with compliant customers who are within their rights.  The system must be validated on a continual basis in order to minimize false positive orders that could be filtered.  Perimeters must be established that define which orders will be of interest.  Customers are categorized and separated in several ways in order to compare similar customers to one another and thresholds should be established based on ordering history.  The system must then use “red flags” to identify orders that exceed a perimeter set up within the system.  For example, there may be a red flag for exceeding a quantity threshold for a particular drug family, or the customer isn’t ordering a mix of non-controlled drugs compared to controlled drugs.  There are many more red flags that can be implemented in an SOM system.  The more red flags a system has, the more thoroughly customer ordering patterns can be identified; however, be cautious: the more red flags in the system, the more validation must occur to substantiate customer orders.

The next step in this process is to review the orders of interest that are generated from your system.  Now that the SOM system has been established and your system of red flags is identifying suspicious orders, these items of interest must be reviewed.  Please note that these flagged orders should not be under the scrutiny of one person since this methodology is too subjective.  Instead, several people should be part of this process.  Some companies have taken the additional measure of creating a committee to determine final approval on the release of held orders.  Regardless of your individual approach, the review must be thorough and objective.

After reviewing the flagged orders, a customer on-site inspection process must be established.  This can be performed by internal resources, an outside consulting company, or a combination of both.  In my experience, even the largest, most reputable manufacturers and distributors don’t have the internal resources available to conduct thorough on-site inspections on their own.  With hundreds, sometimes thousands of line items shipped on a daily basis, how can there be an effective “Know Your Customer” policy relying on internal resources alone?  Regardless of the method, the customer is inspected to gain an in-depth knowledge of the business practices regarding controlled substances.  This information is then relayed to the company’s compliance department of the company from which the order originated.  Based on their feedback, a decision can be made about releasing the flagged order.  If the order is found to be unjustified, then it must be reported in writing to DEA.  Failure to report could result in millions of dollars in civil penalties.

While the above steps provide solid groundwork for your SOM program, it is recommended that you align your company with a consulting firm that has a rich understanding of regulatory policies and best practices for DEA compliance, in order to develop as robust a program as possible.

Throughout the development and implementation of your SOM program, don’t settle for an adequate system that will pass the bare necessities required by DEA; instead, aim for an exceptional program that delivers the superior quality your company deserves.