340B HRSA Audit Preparation Guide for Covered Entities

Every U.S. hospital or health center participating in the 340B Drug Pricing Program will likely face a HRSA 340B audit at some point. Since 2012, the Health Resources & Services Administration (HRSA) has steadily increased its oversight of 340B covered entities. In fact, HRSA now conducts about 200 audits annually, targeting roughly 6% of participating hospitals each year. In other words, it’s no longer a question of if your organization will be audited, but when. Being prepared is paramount: a well-run 340B program not only passes audits with ease but also maximizes savings for your patients and community.

This comprehensive guide will walk you through what to expect from a 340B HRSA audit and how to prepare. We’ll cover the audit process, how entities are selected, what auditors typically review, how to organize your documentation, sample questions you might encounter, recent trends in audit findings, and proactive strategies for audit readiness and compliance. By the end, you’ll have a clear roadmap to make your hospital or Federally Qualified Health Center (FQHC) audit-ready – and know when to leverage expert support for extra confidence.

Understanding the HRSA 340B Audit Process

HRSA audits are systematic reviews to ensure your 340B program complies with all federal requirements. Audits generally follow a structured process:

Audit Notification (Pre-Audit): If selected, your organization’s Authorizing Official (listed in the 340B OPAIS database) will receive an engagement email from HRSA. This notice typically arrives only a few weeks before the audit and outlines the audit’s scope and initial data requests. You’ll be asked to submit a Data Request List (DRL) – often due about 2 weeks prior to the audit date – containing extensive information about your 340B program. This may include lists of 340B drug purchases, prescription and dispensing records across all outpatient and contract pharmacy sites, provider lists, and more. (HRSA provides a sample audit DRL to help covered entities know what to gather.) It’s crucial to respond by the deadline with complete, organized data.

On-Site or Remote Audit Visit (During Audit): HRSA audits typically last a few days. Auditors may conduct an on-site visit or a remote review (desk audit) depending on circumstances. They will hold an opening meeting with your key staff to review the agenda and ask initial questions. During the audit, expect a thorough examination of records and systems. Auditors will review sample 340B transactions to verify compliance – for example, tracing a prescription from prescribing to dispensing to ensure the patient, prescriber, and site were all eligible. They will likely interview staff involved in 340B administration (pharmacy directors, 340B coordinators, billing specialists, etc.) to understand your processes. It’s wise to practice answering auditor questions in advance and ensure your team knows how to retrieve records quickly during the audit. Essential areas of focus include compliance with patient eligibility rules, prevention of duplicate discounts, and accuracy of your 340B database entries (more on these shortly). The auditors will also want to see your physical or electronic systems for purchasing and inventory if applicable (e.g. tour of pharmacy or screenshots of your split-billing software). Be prepared to demonstrate how you operate your program on a day-to-day basis.

Preliminary and Final Audit Reports (Post-Audit): After the visit, the auditors compile their findings and submit a preliminary report to HRSA. HRSA then issues a formal Final Audit Report to your entity, usually within a few months. This report will detail any adverse findings (compliance violations) identified. If there are findings, HRSA will request a Corrective Action Plan (CAP). You typically have 30 days to review the findings and either concur or formally dispute them, and 60 days to submit a CAP if required. Failing to respond with a CAP can result in removal from the 340B Program, so timeliness is critical. If you disagree with any findings, you must notify HRSA in writing within 30 days with supporting evidence. HRSA will consider your response and may revise the final report if warranted. Once your CAP is approved, you’re expected to implement corrective measures and, if applicable, repay any manufacturers for incorrect discounts within about six months. The audit is officially closed only after you’ve completed all required fixes and HRSA is satisfied with your compliance going forward. Importantly, most findings result in corrective action and repayment rather than program termination – HRSA has rarely removed a covered entity entirely for audit issues, as long as the entity cooperates and resolves the problems. In short, if you take remediation seriously, you can usually retain 340B eligibility even after a rough audit.

Throughout this process, communication with the auditor and HRSA is key. Maintain a courteous, transparent approach – auditors are not adversaries but rather doing their job to ensure program integrity. If you demonstrate a proactive compliance culture, it can only help your outcome. Later in this guide, we’ll discuss how to formulate strong corrective action plans and remediate issues effectively.

How HRSA Selects Covered Entities for Audit

Many covered entities wonder, “Why (and when) will we be audited?” HRSA employs both random selection and risk-based criteria to choose audit targets. In the early years of auditing, selection was largely random to establish baseline oversight. Today, with over 13,000 participants in 340B, HRSA still uses a lottery element but also focuses on entities that meet certain risk factors:

  • High Program Volume: Entities with exceptionally large 340B purchase volumes or extensive outpatient drug utilization are more likely to draw scrutiny. High volume can correlate with greater complexity and risk of errors, so HRSA wants to ensure big players are compliant.
  • Many Contract Pharmacies: Having a large network of contract pharmacies is another risk factor. Each contract pharmacy arrangement introduces potential compliance challenges (e.g. tracking prescriptions from outside locations). HRSA tends to audit entities with numerous pharmacy contracts to verify they’re managing those relationships properly.
  • Operational Complexity: The more complex your 340B program setup – multiple clinic sites, various child sites, mixed-use areas, contract pharmacies, specialty drugs, etc. – the higher the chance of an audit. Complexity can breed inadvertent mistakes, so auditors target a mix of entity types, including Disproportionate Share Hospitals (DSH), Critical Access Hospitals (CAH), FQHCs, Ryan White clinics, and others.
  • Prior Findings or Self-Disclosures: If your organization has had a previous audit with findings, HRSA may conduct a re-audit to ensure past issues were fully resolved. Similarly, if you have filed a self-disclosure of a 340B violation to OPA (Office of Pharmacy Affairs), that could flag your program for a follow-up audit. HRSA has re-audited dozens of entities and will especially revisit if the same problems appear repeatedly.
  • Targeted or Complaint-Driven Audits: While most audits are routine, some may be triggered by specific allegations. For instance, a drug manufacturer or whistleblower might raise concerns about a covered entity’s 340B practices (especially related to duplicate discounts or diversion). HRSA can initiate a targeted audit in response, though the scope will still cover all major compliance areas. Manufacturer-initiated audits are also allowed under the law (focused on diversion/duplicate discount), but those are less common and must be approved by HRSA.

In practice, any active 340B participant should assume an audit will happen eventually. HRSA’s goal is to audit a cross-section of entities each year. As noted, roughly 200 audits are done annually, including hospitals and community health centers. You might not know why you were picked – the notice will not list a reason – but understanding the risk factors above can help you gauge your chances.

The takeaway: Be ready at all times. Don’t wait for an audit letter to start preparing. In the next sections, we’ll cover exactly what HRSA auditors look for and how to keep your program compliant year-round.

What HRSA Auditors Review During a 340B Audit

While every audit is slightly different, HRSA consistently focuses on core compliance areas across all covered entity types. Knowing what auditors are likely to review helps you prioritize your preparation. Here are the main elements under the microscope:

  • Eligibility and 340B Database (OPAIS) Accuracy: First, auditors confirm that your organization was and is eligible for 340B participation. They will verify your hospital’s classification (CAH, DSH, etc.) or your health center’s grant status, Medicare Cost Report data, and other eligibility criteria. A common finding is inaccurate 340B OPAIS records – for example, incorrect listing of addresses, cost report dates, or contact information in the 340B online database. Auditors check that all outpatient sites where 340B drugs are used are properly registered in OPAIS and that terminated sites or contract pharmacies were removed timely. Tip: Before an audit, double-check your 340B OPAIS entries for accuracy (site names, addresses, dates, etc.), as even a single typo or outdated entry can flag a finding.
  • Duplicate Discount Prevention (Medicaid Billing): HRSA will scrutinize how you prevent duplicate discounts, which occur if a drug manufacturer gives a 340B discount and pays a Medicaid rebate on the same drug. Auditors review your Medicaid Exclusion File (MEF) status for each site – i.e., whether you have opted “carve-in” or “carve-out” for Medicaid patients. They will likely ask for Medicaid billing records or policies to ensure you followed your stated method. In recent audits, inaccurate or incomplete MEF entries account for the vast majority of duplicate discount findings. For instance, if you billed Medicaid for 340B drugs without properly listing that in HRSA’s database, it’s a violation. Be prepared to demonstrate your billing processes and any state-specific Medicaid arrangements. If you carve-in, show how you include the claim identifier to prevent rebates; if carve-out, show that you truly never bill Medicaid for 340B drugs. Double-check that your MEF listing is correct for each site to avoid errors.
  • Drug Diversion (Patient and Prescription Eligibility): Diversion means giving 340B drugs to individuals who are not eligible patients of your entity, or using 340B meds in an ineligible location. Auditors will examine a sample of prescriptions and medical records to ensure that each dispensed 340B drug went to a qualified patient and was written by a qualified provider at a registered site. The 340B patient definition (per HRSA guidance) generally requires that the patient has a health record at your facility and received services from your health care professional. Auditors often find diversion in the context of contract pharmacies – for example, a retail pharmacy filling a 340B prescription written at a private practice or other unregistered clinic. In fact, an overwhelming 82% of diversion-related findings involve contract pharmacies dispensing for prescriptions from non-340B sites. HRSA will consider those prescriptions categorically ineligible. To prepare, ensure you have robust referral capture or provider tie-back mechanisms to prevent unauthorized scripts from slipping through. Auditors may ask questions like “How do you determine if a prescription is 340B-eligible?” and “What is your process if an ineligible prescription is identified?” Have a clear explanation, referencing your policies.
  • Covered Entity Policies and Procedures: HRSA auditors will request your 340B written policies and procedures (P&Ps) and will read them closely. They expect you to have “stand-alone” 340B policies that detail how you comply with all major requirements. During the audit, they may ask staff if actual practices match the written policy. Be ready to present current P&Ps covering areas such as patient eligibility, procurement and inventory management, dispensing processes, contract pharmacy oversight, self-auditing, and handling of violations. Make sure your policies are up-to-date and reflect reality. If you have separate policies for different departments (pharmacy, billing, etc.), ensure consistency. Tip: Include in your policy a section on routine self-audits and how you address any findings – auditors appreciate a strong internal compliance cycle.
  • Auditable Records and Documentation: HRSA’s mantra is that covered entities must maintain auditable records for all 340B activity. Practically, this means you should be able to produce transaction documentation for any sample the auditor picks. Key documents often requested include: purchase records (invoices or purchase order history from wholesalers) for the audit period, dispensing records from pharmacies, drug inventories or accumulation logs, clinic medical records for patients in question, and provider credentialing lists. Auditors may also ask for a list of all 340B prescribers/providers used during the review period to ensure they were employed or contracted appropriately. It’s wise to prepare a comprehensive binder (or electronic folder) of documentation before the audit begins – we cover this in the next section.
  • Contract Pharmacy Agreements and Oversight: If you utilize contract pharmacies, expect scrutiny here. Auditors will likely ask for copies of your contract pharmacy agreements and the list of all pharmacy locations you use. (Failure to have a contract or to remove old pharmacy relationships is a common finding.) Auditors also assess how you oversee contract pharmacy compliance – they might ask, “How do you ensure prescriptions filled at the contract pharmacy are for eligible patients?” and “Do you perform regular audits of your contract pharmacies?” HRSA recommends annual independent audits of contract pharmacy operations, so having documentation that you or a third party reviewed those pharmacies can demonstrate good faith compliance. Any contract pharmacy that cannot meet compliance standards may need to be terminated, so show that you monitor them closely.
  • Previous Audit or Self-Disclosure Follow-up: If you have previously self-reported an issue to HRSA or had a prior audit, the auditor will review those and confirm that corrective actions were implemented. They might ask for evidence that you repaid manufacturers or changed policies as you had promised in a past CAP. Always keep a file of past communications with HRSA and be ready to discuss any historical issues.

Overall, HRSA audits primarily focus on program eligibility, prevention of duplicate discounts, and prevention of diversion. They are checking that you only dispense 340B drugs to eligible patients, don’t get Medicaid rebates on those drugs, and keep accurate records. If you organize your approach around those pillars, you’ll cover the auditors’ main concerns.

Compliance checkpoint: Before the audit, perform a mini “mock audit” on these areas. Are all sites and pharmacies correctly listed in OPAIS? Is your Medicaid exclusion status accurate and documented? Can you pull a prescription and show who the provider was, where it was filled, and that it was compliant? Being able to emphatically answer “yes” to these will put you in a strong position.

Organizing Your Documentation for an Audit

One of the smartest moves you can make is to prepare an audit document package in advance. Time is short once HRSA notifies you, so having key materials readily available is a lifesaver. Here’s how to organize your 340B documentation for quick access and review:

  • Policies & Procedures Manual: Ensure you have a compiled 340B policy manual (printed or digital) that you can hand to auditors. Tab or bookmark sections on eligibility, purchasing, dispensing, inventory, Medicaid billing, contract pharmacy, self-auditing, and corrective action. Auditors will definitely ask to see this. Confirm the manual is dated with the most recent update and that staff are familiar with its contents.
  • OPAIS Registration Records: Keep a current printout of your 340B OPAIS listing (all registered sites and pharmacies). Double-check that it matches reality on the ground. If any clinic locations have closed or moved, make sure they were removed/updated in OPAIS before the audit. Similarly, have on hand the registration letters/emails for any child sites or contract pharmacies as proof of enrollment dates. Auditors often cross-check site activation dates and may request this info.
  • Covered Entity Eligibility Proof: File copies of documents that establish your eligibility: for hospitals, the latest Medicare Cost Report (and the DSH percentage if applicable) and any DSH adjustment notices; for FQHCs or grantees, your HRSA grant award documents or designation letters. These show you meet the criteria to be in 340B. If you’re a hospital that must adhere to the GPO Prohibition (e.g., DSH, children’s, cancer hospitals), include a memo or policy affirming you don’t use a group purchasing organization for outpatient drugs.
  • Provider List: Prepare a list of all providers (prescribers) who generate 340B prescriptions at your facilities during the audit period. Include names, credentials, and their relationship to your entity (employed, contracted, referral arrangement, etc.). HRSA auditors might use this to verify that each prescription in the sample was written by an eligible provider. Keeping this list updated continuously is a best practice.
  • Pharmacy and Wholesaler Information: Be ready with a list of all pharmacy locations dispensing 340B drugs for you – both in-house pharmacies and contract pharmacy partners. Also compile a list of your wholesalers or vendors from whom you purchase 340B medications. Auditors may ask for the wholesaler list and sample purchase orders or invoices to ensure you bought drugs under the correct 340B accounts. You should be able to show purchase records that align with the dispenses (for instance, demonstrating how you replenish inventory for contract pharmacy fills).
  • Sample Patient and Prescription Documentation: It’s extremely helpful to pre-gather documentation for a handful of sample 340B prescriptions across different scenarios (e.g. one outpatient clinic prescription, one contract pharmacy prescription, one infusion center dose if applicable). For each sample, pull the patient’s medical record or visit note showing they were seen at your facility, the prescription order, and the pharmacy dispense record. Essentially, create a mini “audit trail” for a 340B transaction. This can serve as a training exercise for staff and also be provided to auditors if they happen to select the same or similar samples.
  • Medicaid Billing Records: If you carve-in Medicaid, have readily available pharmacy claims data or reports that show 340B drugs billed to Medicaid during the period. You’ll want to demonstrate those claims were handled properly (e.g., Medicaid was notified or excluded from rebate). If you carve-out (don’t bill Medicaid for 340B drugs at all), prepare a short statement or policy excerpt to that effect, and you might even run a quick check to confirm no such claims slipped through. Auditors sometimes ask for a Medicaid billing crosswalk or examples of billing modifiers used.
  • Contract Pharmacy Agreements & Audits: Keep a binder of all contract pharmacy contracts (fully executed copies). HRSA will want to confirm that a contract exists for each pharmacy you use. In that same binder or folder, include documentation of any annual independent audits of contract pharmacies you’ve done or any site visit reports. This shows proactive oversight. If you use a third-party administrator (TPA) for 340B, you might also include relevant correspondence or reports from the TPA regarding compliance (for example, quarterly performance reviews or any noted issues).
  • Self-audit Reports and Logs: If your team conducts regular self-audits (e.g. monthly chart reviews or quarterly pharmacy audits), maintain a file of those self-audit results and any corrective actions taken. An auditor might ask, “Do you self-monitor your 340B compliance, and can you show an example?” Having evidence of internal audits underscores your commitment to compliance. It’s also useful to log any corrective actions or training done in response to minor errors – that can demonstrate a culture of continuous improvement.
  • Prior Audit or Disclosure Documentation: As noted, if you’ve been audited by HRSA before or have disclosed issues, have those past reports, response letters, and CAPs on hand. Show that you addressed prior issues fully. Auditors will follow up on these, so you should too.

Organizing the above into a neat system – whether physical binders, shared drive folders, or both – will reduce stress when the audit hits. Essentially, you want to avoid scrambling for documents. A pro tip is to use a checklist (many are available from 340B advocacy organizations, or you can create your own) to ensure you haven’t overlooked something critical.

Finally, consider assigning a point person for documentation on your team. During the audit, one person can focus on retrieving and providing documents so that others can focus on answering questions. This division of labor, rehearsed in advance, makes the on-site audit day run much smoother.

Sample Audit Questions: What to Expect from HRSA Auditors

Being aware of common audit questions can help your team practice and respond confidently. While every auditor has a unique style, here are some sample questions and scenarios frequently encountered in 340B audits:

  • “Walk us through your 340B process.” Auditors often start broad. Be prepared to give a concise overview of how your program operates – from registration, purchasing, dispensing, to monitoring. Highlight control points (e.g., “We use split-billing software to track accumulations and prevent diversion in our mixed-use areas.”)
  • “How do you determine if a patient is eligible for 340B?” Expect a deep dive here. Your team should clearly explain the patient eligibility criteria per your policy. For instance: patients must have a record in our clinic, see a provider employed or contracted by us, and receive outpatient services – and we only use 340B for those encounters. If you rely on referral capture (prescriptions from outside clinics), describe how you document and qualify those cases. The auditor may throw specific examples (“If a patient was seen by a specialist not on your payroll, would that prescription be 340B-eligible?”) – ensure staff answer in line with policy.
  • “How do you prevent diversion in the pharmacy?” They want to know how you ensure 340B drugs aren’t used for ineligible patients (or inpatient use). You might be asked about your accumulation software or pharmacy information system. For example, an answer could be: “Our pharmacy system is configured to dispense 340B drugs only for patients with an eligible visit in the past Clinics. It flags any prescription without a matching encounter, which our 340B coordinator then reviews.” Be specific about mechanisms in place.
  • “How do you prevent duplicate discounts with Medicaid?” This is crucial. Auditors will likely ask, “Are you carving in or carving out for Medicaid? Show us where that is indicated.” If carving in, they may ask which state Medicaid programs you bill and how you handle modifiers or the state exclusion file. If carving out, they may ask how you ensure no 340B claims slip through. Have your billing expert explain clearly, and provide a policy excerpt or billing samples as backup.
  • “Can you provide these specific records?” Auditors will test your documentation on the fly. For example: “Please pull the purchase invoice for Drug X that was dispensed to patient Y on this date,” or “Show me the contract pharmacy dispense report for the month of March.” This is where your documentation prep pays off. Practice navigating your systems quickly to retrieve such info. A related question: “Who are your wholesalers and how do you order 340B stock?” – they are verifying you purchase under correct accounts. Be ready to list your vendors and account setup (e.g., separate 340B vs GPO accounts).
  • “What is your process for internal self-audits?” Auditors appreciate when entities self-police. They might ask if you conduct routine audits of 340B prescriptions or inventory. An ideal answer includes frequency (e.g. “monthly random sample reviews of 340B outpatient encounters and quarterly audits of each contract pharmacy” as recommended), documentation of findings, and how leadership is informed. Mention any external audits too (“We engage an independent firm annually to audit our contract pharmacies, per HRSA guidance.”). This shows you’re not waiting for HRSA to find problems.
  • “How do you address non-compliance or mistakes when they’re found?” This digs into your corrective action approach. You should convey that any issue is promptly investigated, documented, and remedied. For example: “If an internal audit finds an ineligible prescription was filled as 340B, we immediately remove that transaction from 340B (inventory adjustment) and if needed, work with our wholesaler to purchase a replacement at full price. We then retrain the staff involved and document the incident. If it were a significant violation, we would consider self-disclosing to HRSA.” Showing a proactive stance can sometimes mitigate the severity of a finding.
  • “Describe your contract pharmacy oversight.” If you have contract pharmacies, auditors will likely probe how you manage them. Be ready for questions like: “How do you ensure contract pharmacies don’t dispense 340B drugs for ineligible patients?” Explain your reconciliation process with the pharmacy’s data and any periodic audits. They may also ask: “Do you review your contract pharmacy agreements periodically?” and “Have you had to terminate any pharmacies for non-compliance?” These are meant to gauge if you’re actively overseeing those external relationships.
  • “Have you ever had to repay a manufacturer or done a self-disclosure?” Auditors might already know the answer (if you did, it’s on record), but they want to see if you’re forthcoming. Honesty is the best policy here. If yes, briefly explain the situation and how you corrected it. If no, emphasize that to your knowledge you’ve remained compliant but you remain vigilant and would disclose if needed.

Each auditor’s questioning will vary, but they all aim to test whether your staff is knowledgeable and your processes are robust. Encourage your team to answer directly and not guess if they don’t know something – it’s fine to say “I will get that documentation for you” or “Our policy on that is X, and I can pull it up to show you.” The key is demonstrating that there is a clear method and responsible individuals for every aspect of 340B compliance.

A valuable exercise is to hold a mock Q&A session before the audit. Have someone play the auditor and pepper your team with these kinds of questions. This rehearsal can identify any weak spots in answers or understanding so you can address them ahead of time.

Trends in Recent HRSA Audit Findings

Understanding recent audit findings trends can help you focus your compliance efforts on the areas most likely to cause problems. The good news for covered entities is that overall 340B compliance has improved in some critical areas – but challenges remain, especially with administrative errors. Here are a few notable trends from the past few years of HRSA audits:

  • Fewer Diversion and Duplicate Discount Findings: Compliance with the core 340B prohibitions (no diversion, no duplicate discounts) has significantly improved among hospitals. In FY2018, about 40% of audited hospitals had a diversion finding, and 31% had a duplicate discount finding. By FY2022, those rates dropped to just 10.7% for diversion and 13.2% for duplicate discounts. This 5-year decline of over 60% reflects that most covered entities have tightened up patient eligibility checks and Medicaid billing processes. Many hospitals have invested in better tracking systems and staff training, and it’s paying off in audits showing no adverse findings in these categories. It’s important to note that if you’re following best practices (as outlined in this guide), the likelihood of a major diversion or duplicate discount issue is much lower today than it was a decade ago. Nevertheless, vigilance is needed because even a single oversight (like a Medicaid billing misstep) can trigger a payback.
  • Rise of Database and Record Errors: While clinical compliance got better, paperwork errors have become the #1 audit pitfall. The most frequent findings now are incorrect 340B OPAIS records. In FY2024, for example, 62% of audits cited an OPAIS record issue – such as a miscoded hospital cost report date, forgetting to list an off-site clinic, or failing to remove an old contract pharmacy. These mistakes are often unintentional but can still be considered violations. The takeaway: keep your 340B database entries updated and double-check details during annual recertification (and whenever changes occur). Similarly, auditors frequently find Medicaid Exclusion File errors. In fact, a recent analysis showed 91% of duplicate discount findings stemmed from inaccurate Medicaid Exclusion File entries (e.g., a site not properly listed as carving in/out). These are preventable errors – ensure whoever manages your 340B database information is detail-oriented and informed about any changes in your billing setup.
  • Contract Pharmacy Oversight Issues: As noted, many diversion findings involve contract pharmacy activity. HRSA expects covered entities to tightly oversee their pharmacy partners. Recent audits have required some entities to terminate contract pharmacies for non-compliance – about 4% of audits in FY2024 resulted in a contract pharmacy termination requirement. Common triggers include discovering a contract pharmacy dispensing 340B for prescriptions from unregistered sites (a clear diversion) or realizing that a contract was never in place for a pharmacy location. The trend is clear: if you use contract pharmacies, you must actively manage them or risk serious findings. Document your oversight efforts (regular data reviews, annual audits, training of pharmacy staff, etc.) to show HRSA you treat this as a priority.
  • Corrective Actions: Repayment is Common, Termination is Rare: When findings do occur, HRSA’s typical remedy is to require the covered entity to repay manufacturers for any ineligible discounts received. For example, if diversion happened, you must buy replacement product at full price and repay the difference to the drug maker. In FY2024 audits, about 18% of audited entities had to do repayments due to findings. While repayments can be financially painful, they resolve the non-compliance and allow the entity to continue in the program. Termination of a covered entity from 340B remains very rare and usually would occur only for willful or egregious violations or failure to implement a corrective plan. HRSA did not terminate any covered entities through audits in recent years, even in cases where significant issues were found. This underscores that if you work diligently to fix problems, you can maintain your 340B status. Nonetheless, prevention is far better than cure – avoiding findings altogether is ideal.
  • Heightened Manufacturer Scrutiny: An external trend affecting audits is the increased scrutiny from drug manufacturers and policymakers on 340B compliance. Manufacturers have been pressing for stricter oversight, which has translated into HRSA being thorough in its audits. However, data shows that 340B hospitals are largely compliant compared to drug companies (which have their own audit issues in overcharging). The narrative you can take from this is that most covered entities are doing a good job, but the few bad apples or mistakes cast a spotlight on everyone. Therefore, adopting a stance of “beyond reproach” – documenting everything, fixing issues proactively – not only helps you pass audits but also helps defend the 340B program’s reputation.

In summary, recent audits suggest that administrative diligence (accurate databases, paperwork, and contracts) is as important as the traditional compliance areas. A hospital or health center might be serving only eligible patients and avoiding Medicaid conflicts, yet still falter by not updating a form. The lesson: treat the 340B program like a regulated financial account – reconcile it regularly, cross your t’s and dot your i’s, and you will greatly reduce risk. In the next section, we’ll delve into strategies to ensure you stay ahead of these issues through continuous audit readiness.

Strategies for 340B Audit Readiness and Compliance

Achieving “audit-ready” status means embedding compliance into your daily operations, not just scrambling when an audit notice arrives. The most successful 340B programs are those that treat compliance as an ongoing mission. Below are key strategies – drawn from HRSA guidance and industry best practices – to help your organization stay prepared, identify issues early, and remediate effectively.

  1. Build a Strong 340B Oversight Team and Committee: Don’t go it alone – establish a 340B oversight committee that meets regularly (e.g., quarterly) to review program performance and compliance. This committee should include stakeholders like your 340B program manager/coordinator, pharmacy leadership, finance/billing, compliance officer, and IT support for pharmacy systems. The committee’s role is to set policies, review audit reports, approve corrective actions, and ensure top-level visibility of 340B operations. Many leading health systems have a dedicated 340B steering committee or at least include 340B as a standing agenda item in pharmacy or compliance meetings. HRSA auditors often ask who is responsible for 340B – having a multi-disciplinary committee shows you take it seriously. Within your team, ensure clear roles and responsibilities. For example, assign one person as the primary 340B compliance specialist (often a 340B pharmacist or coordinator) and another as backup. Identify who will handle purchasing tasks, who will manage OPAIS registrations, who will conduct self-audits, etc. When everyone knows their part, the program runs more smoothly and no aspect is neglected. And as the Ohio Pharmacists Association recommends, know your team and practice together – even to the extent of rehearsing audit day logistics and questions with relevant staff.
  2. Conduct Regular Self-Audits and Monitoring: Routine self-auditing is perhaps the most powerful tool for maintaining compliance. Don’t wait for HRSA to find an issue that you could catch yourself. Develop a self-audit plan that covers all facets of your 340B program:
    • Monthly or Quarterly Sample Audits: For example, every month randomly select 5–10 outpatient prescriptions that were processed as 340B and verify each one’s eligibility (check the patient encounter, provider, and dispense location). Do the same for a sample of inpatient (to ensure none were mistakenly 340B) and a sample from each contract pharmacy every quarter. Document any discrepancies and investigate their cause.
    • Inventory Reconciliation: Periodically reconcile purchase records with dispense records. Essentially, ensure that for every 340B drug dispensed, you have a corresponding purchase, and vice versa. Unexplained variances might indicate diversion or accounting errors. This is especially important in mixed-use settings where physical inventory or virtual accumulation is complex.
    • Medicaid Billing Checks: If you carve in, routinely audit a batch of Medicaid claims to confirm they were properly flagged to avoid rebates. If carve out, check that no 340B accumulations are occurring for Medicaid patients (some split-billing software can produce a Medicaid carve-out report). This helps catch any setup mistakes with state programs.
    • Contract Pharmacy Oversight Audits: As mandated by HRSA policy, if you have contract pharmacies, arrange for an independent audit of each contract pharmacy at least annually. This can be done by hiring a third-party auditor or through your own internal audit department if they have the expertise. The audit should verify that the pharmacy is only dispensing 340B for eligible prescriptions and following all contract terms. Additionally, perform quarterly reviews of your contract pharmacy dispensing data – many entities request detailed reports from their pharmacy partners or TPA and review a sample of transactions.
    • Policy and Documentation Audits: Periodically review your policies and OPAIS registrations to ensure they reflect current operations. For instance, do a semi-annual OPAIS audit: verify all active sites and pharmacies, remove any that have closed, and update any contact info or Medicare cost report dates that have changed. Likewise, audit your provider list a few times a year to add new clinicians and remove those who left.
    HRSA expects covered entities to integrate self-auditing into their program. By doing so, you accomplish two things: you catch and correct issues proactively, and you build a body of evidence (audit reports, checklists, logs) that you can show to HRSA demonstrating your compliance efforts. If an auditor sees you have robust self-policing, they are likely to be more confident in your program.
  3. Keep Staff Trained and Informed (Build Internal Expertise): Compliance is only as strong as the people who implement it. Invest in training your staff on 340B intricacies. This includes pharmacy technicians, pharmacists, billing coders, clinic managers – anyone whose work intersects with 340B. Key training topics: the 340B patient definition, dispensing rules, use of modifiers for Medicaid, spotting potential diversion scenarios, and what to do if an error is found. One best practice is to have at least one team member attain formal 340B certification or advanced training. For example, the Apexus 340B University and 340B Apexus Certified Expert (ACE) programs create 340B subject matter experts. These individuals are well-versed in the latest policy changes and common problem areas. If you can’t spare someone for that, ensure your team stays current by attending 340B conferences, webinars, or subscribing to updates from organizations like 340B Health and HRSA OPA. Staying abreast of the latest developments (such as changes in guidance or emerging manufacturer restrictions) is part of being audit-ready – the landscape can shift, and you don’t want to be caught off-guard by a new rule you didn’t know about. Moreover, make compliance everyone’s responsibility. Cultivate a culture where front-line staff feel comfortable flagging potential issues. For instance, if a pharmacy tech notices a prescription from an unregistered clinic, they should alert a supervisor rather than just processing it. Regular team huddles or emails highlighting 340B “tips” or recent findings at other organizations can keep awareness high. The more eyes watching for compliance, the better.
  4. Simulate HRSA Audits (Mock Audits and Drills): A highly effective preparation technique is to conduct mock audits. This can be an internal exercise or done by an outside consultant. Treat it as a dress rehearsal:
    • Documentation Drill: Have your team respond to a fictional audit DRL in a short timeframe. Are they able to compile the required data and documents quickly? This will expose any weaknesses in your record-keeping or data systems.
    • Interview Practice: As mentioned, do a Q&A session with staff playing the role of auditor. Ask tough questions and see how clearly and accurately staff respond. Provide coaching on any answers that were incomplete or incorrect. Practicing “auditor interview questions with relevant staff” builds confidence and identifies training needs.
    • On-Site Simulation: If possible, walk through an on-site audit scenario – from the entrance conference to pulling sample records. Ensure the environment is prepared: a comfortable room for auditors, arranged access to required systems, IT support on standby in case of system issues, etc. Little details like a reliable internet connection for remote audits, or having spare computers ready, can make a difference.
    If budget allows, consider bringing in an external 340B compliance expert (like a consulting firm or the Prime Vendor’s audit readiness team) to perform a full mock audit. They’ll look with fresh eyes and likely catch things you might overlook due to familiarity. This also gives leadership a realistic picture of how the organization would fare in a real audit and what gaps need closing. Cooper Strategy’s audit support services are designed for this purpose – to conduct realistic mock audits and shore up compliance before HRSA comes knocking. Engaging an outside specialist can provide peace of mind and expert guidance on remediation. (Contact Cooper Strategy’s 340B audit experts for a tailored audit readiness assessment.)
  5. Develop a Rapid Response Plan for Audit Notification: When that audit notice arrives (often with little lead time), you need a game plan. Audit readiness isn’t only about long-term compliance but also short-term execution. Create an audit response checklist in advance:
    • Who gets notified first internally (CEO, CFO, pharmacy director, etc.)?
    • Assign a primary audit coordinator to interface with the HRSA auditor and organize responses.
    • Assemble the documentation package you’ve prepared and identify any missing pieces to gather immediately.
    • Schedule daily debriefs among your team during the audit to discuss any requests or issues that arose and plan for the next day.
    • Ensure leadership is ready to allocate resources (if an auditor needs someone’s time or a report generated ASAP, other duties might need to be backfilled).
    • Prepare communications: If staff across the organization need to know an audit is happening (for example, to prioritize responding to auditor requests), have a message drafted from leadership emphasizing cooperation and accuracy.
    By treating an audit with priority status – essentially, clearing the decks to focus on the audit – you minimize the chance of delays or mistakes. As one tip: let your C-suite know that when a HRSA audit comes, it “will trump other priorities” for that period. Their support will ensure you have what you need (personnel, time, focus) to get through it successfully.
  6. Plan for Remediation and Continuous Improvement: Despite best efforts, findings can still occur. What sets a great program apart is how you respond to issues. Have a framework for remediation:
    • Immediate Action: As soon as a potential violation is identified (whether via self-audit or HRSA audit), stop the problematic practice. For instance, if you realize an off-site clinic wasn’t registered, cease 340B use there right away and register it (or hold off until eligible). If a contract pharmacy was non-compliant, consider suspending activity through that pharmacy until fixes are in place.
    • Root Cause Analysis: Don’t just address the symptom – find out why the issue happened. Was it a training gap? A system configuration error? A communication lapse with providers? Understanding the root cause guides your corrective action plan so the problem doesn’t repeat.
    • Corrective Action Plan (CAP): Draft a CAP that includes specific steps, deadlines, and responsible persons. For example, if the finding was “inaccurate OPAIS entry – missed site,” the CAP might be: 1) Immediately update OPAIS to remove/add correct information; 2) Implement a quarterly review of OPAIS entries by the 340B coordinator and CFO; 3) Provide training to registration staff on notifying the 340B team when new clinics open. A good CAP is concrete and verifiable. HRSA will expect to see these elements in any CAP you submit, and they will follow up to ensure you did them.
    • Repayment and Disclosure: If an error led to ineligible discounts, proactively begin calculating the scope and repayment amounts to manufacturers. It is the covered entity’s responsibility to notify affected manufacturers and refund any undue discounts. This process can be time-consuming, so starting early is wise. If you catch a major issue internally, consider self-disclosing to HRSA. Self-disclosure can demonstrate transparency and may result in more favorable considerations. Always consult legal or compliance experts when navigating self-disclosures to get it right.
    • Follow-Up Monitoring: After implementing a fix, monitor that area more frequently to ensure the fix is working. If, say, duplicate discounts occurred due to Medicaid billing confusion, after your CAP, audit Medicaid claims monthly for a few cycles to confirm no further incidents. Keep documentation of these follow-up checks.
    • Learn and Educate: Turn any audit experience into a learning opportunity. Share the outcomes (appropriately) with your team and even with other departments. If you had no findings, celebrate that success and emphasize what practices led to it. If there were findings, reinforce training on those points and the improvements made. Update your policies to reflect any new procedures from the CAP. Essentially, bake the lessons learned into your program.
    Remember that HRSA can re-audit to verify that a finding was fixed. In particular, repeat findings (the same issue occurring in multiple audits) are taken very seriously and could lead to harsher penalties. Thus, once you fix something, keep it fixed. Lastly, don’t hesitate to seek external help for remediation if needed. Sometimes an outside perspective, like a 340B compliance consultant, can assist in developing a robust CAP or handling the complex task of manufacturer repayments. At Cooper Strategy, our team has helped many covered entities navigate post-audit remediation – from crafting effective corrective actions to directly interfacing with manufacturers for settlement. If you find your resources stretched thin, engaging experts can expedite recovery and strengthen your compliance infrastructure. (Reach out to Cooper Strategy’s 340B compliance team for support in audit remediation or any stage of audit readiness.)

Final Thoughts

Facing a HRSA 340B audit may seem daunting, but with the right preparation and mindset, it can be a manageable process that ultimately strengthens your 340B program. U.S. hospitals and health centers rely on the 340B program to stretch resources for their communities – maintaining compliance is essential to protect that mission. By understanding the audit process, anticipating what auditors scrutinize, and embedding a culture of compliance (through self-audits, training, and vigilant oversight), you position your organization not just to survive an audit, but to excel in one.

In summary, know what to expect and plan for it. Keep meticulous records, correct issues when they’re small, and treat every day as “pre-audit” in terms of readiness. Trends show that covered entities are largely rising to the challenge – high compliance rates in recent years are evidence of the hard work put into governance and oversight. By following the strategies in this guide, you can join the ranks of those who undergo HRSA audits with no findings, demonstrating to regulators and manufacturers alike that your program is sound and trustworthy.