340B Audit Checklist in 2026: A Practical Guide for Compliance Readiness

Introduction

Audit activity within the 340B Drug Pricing Program continues to intensify. As program complexity grows and oversight expectations evolve, covered entities must approach compliance with discipline, structure, and consistency. A reactive approach—scrambling only after an audit notice arrives—no longer works.

In 2026, successful 340B programs will be those that maintain continuous audit readiness. That readiness is built through repeatable controls, accurate data, strong governance, and regular internal validation. A comprehensive audit checklist is essential to operationalizing those expectations.

This article provides a practical, detailed 340B audit checklist for 2026, designed to help covered entities assess risk, close gaps, and demonstrate defensible compliance across all major audit focus areas.

Want help validating your audit readiness against 2026 expectations? Contact Cooper Strategy

Governance and Oversight Readiness

Confirm a Formal 340B Oversight Structure

Every covered entity should maintain a documented governance structure that includes:

• A designated 340B Authorizing Official
• A 340B Program Manager
• A cross-functional oversight committee
• Defined escalation and decision-making authority

Meeting cadence, attendance, and decisions should be documented consistently.

Maintain Up-to-Date Policies and Procedures

Policies must reflect current operations and should clearly address:

• Patient eligibility and patient definition interpretation
• Diversion prevention controls
• Duplicate discount prevention methodology
• GPO prohibition compliance (where applicable)
• Contract pharmacy oversight
• Referral capture standards
• Audit response procedures

Outdated or generic policies are a frequent audit finding.

Document Continuous Monitoring Activities

Covered entities should be able to show evidence of:

• Regular internal audits
• Issue tracking and resolution
• Corrective action implementation
• Management review of compliance metrics

Auditors expect to see proof that compliance is actively managed.

HRSA Registration and Site Accuracy

Validate All Registered Sites

Confirm that:

• All eligible outpatient sites are registered in HRSA’s database
• All registered sites remain active and operational
• Each site appears on the most recently filed cost report
• Site addresses, names, and classifications are accurate

Any mismatch between operations, cost reports, and registrations creates risk.

Confirm Child Site Eligibility

Ensure that each child site:

• Provides outpatient services
• Is listed as reimbursable on the hospital cost report
• Is not registered prematurely or incorrectly

Improper site registration is a common audit trigger.

Patient Definition and Eligibility Controls

Verify Responsibility for Care Documentation

Covered entities must be able to show:

• The qualifying encounter that established the patient relationship
• That the covered entity maintained the medical record
• That care aligns with internal policy and HRSA guidance

Referral-based claims require especially strong documentation.

Test Encounter Classification Logic

Validate that:

• Outpatient encounters are correctly classified
• Observation and ED encounters are mapped correctly
• Inpatient encounters are excluded appropriately
• Visit-type mapping aligns with clinical workflows

Misclassification leads directly to diversion findings.

Audit Referral Capture Logic

For programs using referral capture:

• Confirm referral relationships are documented
• Validate prescriber eligibility and mapping
• Confirm encounter documentation exists
• Review referral attribution logic in the TPA

Referral capture remains a high-risk audit area.

Split Billing and Accumulation Accuracy

Validate Split-Billing Configuration

Review:

• Outpatient vs. inpatient logic
• Site-of-service mapping
• Provider eligibility rules
• Encounter requirements
• Timing and accumulation windows

Split billing errors are among the most costly audit failures.

Perform Accumulation Sampling

Sample accumulations to confirm:

• Accurate eligibility determination
• Correct NDC usage
• Proper unit calculations
• Correct purchasing account assignment

Sampling should be documented and repeatable.

Confirm Replenishment Integrity

Ensure that:

• Purchases match accumulated usage
• Replenishment occurs in the correct accounts
• Inventory movement aligns with accumulation logic

Inventory discrepancies raise audit concerns.

Contract Pharmacy Oversight

Validate Contract Pharmacy Agreements

Confirm that:

• Agreements are current and signed
• Contract terms align with operations
• Responsibilities are clearly defined

Expired or incomplete agreements create audit exposure.

Review Contract Pharmacy Performance

Audit:

• Claim capture rates
• Prescription eligibility logic
• Prescriber mapping accuracy
• Reversal rates
• Fee structures

Covered entities remain accountable for contract pharmacy compliance.

Test Contract Pharmacy Claims

Sample claims to verify:

• Patient eligibility
• Prescriber eligibility
• Accurate encounter matching
• Duplicate discount prevention

Contract pharmacy claims remain a major audit focus.

Duplicate Discount Prevention

Validate Medicaid Carve-In/Carve-Out Status

Confirm that:

• HRSA Medicaid Exclusion File settings are accurate
• Billing practices align with MEF status
• Managed Medicaid logic is applied correctly

Misalignment creates significant audit risk.

Test Duplicate Discount Controls

Review:

• Claim routing logic
• Payer identification accuracy
• Managed care carve rules
• Coordination-of-benefits handling

Duplicate discounts are a top enforcement priority.

GPO Prohibition Compliance (DSH Hospitals)

Confirm Purchasing Account Structure

Ensure:

• Separate 340B, WAC, and GPO accounts exist
• Outpatient drugs are never purchased on GPO accounts
• Inpatient drugs are correctly routed

Audit Mixed-Use Areas

Review:

• Infusion centers
• Observation units
• ED transitions
• Provider-based departments

Mixed-use environments present the highest risk.

Data Integrity and Integration

Validate EHR-to-TPA Integration

Confirm that:

• Encounter feeds are complete and timely
• Provider files are current
• Location mapping is accurate
• Error logs are monitored

Integration failures often cause silent compliance gaps.

Test Data Reconciliation Processes

Ensure reconciliation exists between:

• EHR and TPA
• TPA and purchasing systems
• Contract pharmacy and accumulation data

Reconciliation must be documented.

Audit Response Preparedness

Maintain an Audit Response Playbook

Your organization should have a documented process that includes:

• Roles and responsibilities
• Communication protocols
• Data retrieval workflows
• Timeline management

Preparedness reduces disruption and risk.

Test Audit Response Readiness

Conduct mock audits to evaluate:

• Speed of document retrieval
• Accuracy of responses
• Consistency of explanations
• Alignment across departments

Mock audits reveal gaps before real audits do.

Want a customized audit checklist tailored to your organization? Contact Cooper Strategy

Conclusion

A strong 340B audit checklist is not a one-time exercise—it is an operational discipline. In 2026, covered entities must demonstrate continuous oversight, accurate data, and defensible processes across every aspect of their 340B programs.

By implementing this checklist and embedding it into regular operations, organizations can move from audit anxiety to audit confidence—protecting both compliance and the financial value of their 340B programs.

Frequently Asked Questions About 340B Audit Checklist in 2026

How often should covered entities use a 340B audit checklist?

Covered entities should apply a comprehensive audit checklist at least annually, with targeted reviews conducted quarterly or monthly for high-risk areas such as referral capture, contract pharmacy claims, and split billing. Continuous use ensures issues are identified early and corrected before external audits occur.

What areas create the most audit risk in 2026?

The highest-risk areas include patient definition documentation, referral capture, contract pharmacy oversight, duplicate discount prevention, split billing accuracy, and GPO prohibition compliance. Data integration failures and inconsistent documentation across systems also drive many findings.

Should audit checklists differ by covered entity type?

Yes. While core requirements apply universally, entity type influences risk areas. DSH hospitals must emphasize GPO prohibition compliance, while grantees may focus more on patient definition and service scope. Customization improves effectiveness.

How detailed should audit documentation be?

Documentation should clearly show how compliance determinations were made. Auditors expect encounter-level detail, eligibility logic, policy alignment, and proof of ongoing oversight. Vague summaries are insufficient.

How can Cooper Strategy support audit checklist implementation?

Cooper Strategy helps organizations customize audit checklists, perform internal audits, conduct mock audits, and implement corrective actions. We translate regulatory expectations into operational controls that support long-term compliance and audit readiness.

Contact Cooper Strategy