A common and critical question among pharmacy leaders, compliance officers, and executives is simple: who audits 340B? The answer, however, is layered. Multiple entities have authority to review, audit, or otherwise scrutinize 340B program operations, and each does so with different motivations, methods, and consequences.
Understanding who audits 340B programs—and how those audits work—is essential for risk management, financial stewardship, and long-term program sustainability. Audit activity has increased steadily as the 340B program has grown in size, complexity, and visibility. Covered entities that treat audits as rare or unlikely events often discover too late that gaps in documentation, data integrity, or governance leave them exposed.
This article provides a clear, comprehensive explanation of who audits 340B programs, what those audits focus on, and how covered entities can protect themselves through proactive compliance strategies.
Need help assessing your audit exposure? Contact Cooper Strategy
The Primary Authority: HRSA Audits
HRSA’s Role in 340B Oversight
The Health Resources and Services Administration (HRSA) is the federal agency responsible for administering and enforcing the 340B Drug Pricing Program. HRSA conducts formal audits of covered entities to ensure compliance with statutory requirements and program guidance.
HRSA audits are regulatory in nature. Findings can lead to corrective action plans, repayment obligations, or removal from the 340B program.
How HRSA Selects Covered Entities for Audit
HRSA uses both targeted and random selection methods. Covered entities may be selected based on:
- Program size or growth
- Previous audit findings
- Complaints or referrals
- Data anomalies
- High contract pharmacy utilization
- Changes in program structure
No covered entity is immune from selection. Small programs and large systems alike face audit risk.
What HRSA Audits Examine
HRSA audits typically focus on:
- Patient definition compliance
- Diversion prevention
- Duplicate discount prevention
- GPO prohibition compliance (for DSH hospitals)
- Accurate site registration
- Contract pharmacy oversight
- Documentation of responsibility for care
HRSA expects covered entities to demonstrate compliance through clear documentation, not verbal explanations.
Consequences of HRSA Audit Findings
HRSA findings may result in:
- Required corrective action plans (CAPs)
- Manufacturer repayment obligations
- Program suspension or termination
- Heightened scrutiny in future audits
Audit outcomes are public, increasing reputational risk.
Manufacturer Audits: Increasingly Common and Aggressive
Why Manufacturers Audit 340B
Drug manufacturers are permitted to audit covered entities to ensure that 340B drugs are not diverted to ineligible patients and that duplicate discounts do not occur. Manufacturer audits are typically narrower in scope but can be frequent and persistent.
Manufacturers are motivated by:
- Financial exposure
- Contract pharmacy growth
- Specialty-drug utilization
- Claims data disputes
How Manufacturer Audits Differ From HRSA Audits
Manufacturer audits often:
- Focus on specific drugs or therapeutic classes
- Examine prescription-level data
- Target contract pharmacy claims
- Scrutinize referral capture logic
- Challenge patient eligibility documentation
While manufacturers do not have authority to remove a covered entity from the program, findings can trigger repayment demands and future audit activity.
Manufacturer Audit Risks
Manufacturer audits may lead to:
- Large repayment requests
- Disputes over data interpretation
- Operational disruption
- Increased audit frequency
- Escalation to HRSA
Covered entities must manage manufacturer audits carefully and consistently.
OIG and Government Oversight
The Role of the Office of Inspector General
The Office of Inspector General (OIG) conducts evaluations of the 340B program at a systemic level. While OIG does not typically audit individual covered entities directly, its reports influence HRSA enforcement priorities and policy direction.
OIG activity often results in:
- Expanded audit focus areas
- Increased documentation expectations
- Program rule clarification
- Heightened scrutiny of specific practices
OIG oversight indirectly affects every covered entity.
State and Medicaid Oversight
State Medicaid Program Audits
State Medicaid agencies may review 340B claims to ensure duplicate discounts are not occurring. These audits focus on:
- Medicaid carve-in/carve-out status
- Billing practices
- Claims routing
- Managed Medicaid arrangements
Misalignment between Medicaid billing and 340B records creates audit exposure.
Managed Care Scrutiny
As managed Medicaid expands, payers increasingly review claims for compliance. Incorrect carve-out logic can result in recoupments and compliance findings.
Internal Audits: The Most Important Line of Defense
Why Covered Entities Must Audit Themselves
Internal audits are not optional. HRSA expects covered entities to maintain active oversight and monitoring of their 340B programs.
Strong internal audits demonstrate:
- Good-faith compliance efforts
- Continuous improvement
- Early detection of errors
- Strong governance
Internal audits often mitigate penalties when external findings occur.
What Internal Audits Should Cover
Effective internal audits evaluate:
- Patient definition adherence
- Encounter documentation
- Provider eligibility
- Referral capture integrity
- Contract pharmacy performance
- Split billing accuracy
- Medicaid exclusion alignment
- Inventory and replenishment processes
These audits should be documented, repeatable, and reviewed by leadership.
Third-Party and Independent Audits
Why Independent Reviews Matter
Many covered entities engage independent experts to perform mock audits or compliance assessments. Independent audits provide objective evaluation and identify gaps internal teams may overlook.
Benefits include:
- Fresh perspective
- Specialized expertise
- Benchmarking against best practices
- Reduced audit anxiety
Independent audits are especially valuable before HRSA or manufacturer audits.
Common Audit Triggers Covered Entities Overlook
Rapid Program Growth
Expansion of:
- Child sites
- Contract pharmacies
- Specialty services
without governance alignment increases risk.
Poor Documentation
Missing encounter notes, referral documentation, or provider records frequently drive audit findings.
Inconsistent Data Across Systems
Mismatched EHR, TPA, billing, and pharmacy data undermines audit defensibility.
Overreliance on Vendors
Covered entities remain responsible for compliance—even when vendors manage operations.
Preparing for Any 340B Audit
Establish Strong Governance
Oversight committees should meet regularly, review performance metrics, and document decisions.
Maintain Audit-Ready Documentation
Records must be complete, consistent, and easily retrievable.
Monitor High-Risk Areas Continuously
Referral capture, contract pharmacy claims, Medicaid billing, and specialty drugs deserve heightened oversight.
Test Your Program Regularly
Mock audits and data sampling reveal weaknesses before auditors do.
Want to know how audit-ready your program really is? Contact Cooper Strategy
Conclusion
So, who audits 340B? The answer includes HRSA, manufacturers, Medicaid agencies, and—in many ways—the covered entity itself. Each form of oversight carries unique risk, but all share one expectation: covered entities must be able to prove compliance through clear documentation and reliable data.
Programs that invest in proactive governance, continuous auditing, and independent validation are best positioned to withstand scrutiny and protect the financial and mission-driven value of their 340B programs.
Frequently Asked Questions About Who Audits 340B?
Who has the primary authority to audit 340B programs?
HRSA holds the primary regulatory authority to audit 340B-covered entities. HRSA audits focus on statutory compliance, including patient eligibility, diversion prevention, duplicate discount avoidance, site registration accuracy, and contract pharmacy oversight. Findings from HRSA audits can result in corrective action plans, repayment obligations, or removal from the program. While other entities may review aspects of 340B operations, HRSA audits carry the most significant regulatory consequences.
How often do manufacturer audits occur?
Manufacturer audits can occur frequently and may target specific drugs, pharmacies, or claims patterns. Unlike HRSA audits, manufacturers often focus on narrow scopes and may repeat audits if concerns persist. Covered entities should expect manufacturer audits as an ongoing risk rather than a one-time event, particularly for high-cost or specialty medications. Strong documentation and consistent audit response protocols help reduce disruption.
Can a covered entity be audited by multiple parties at the same time?
Yes. It is not uncommon for a covered entity to face a manufacturer audit while preparing for or responding to a HRSA audit. State Medicaid reviews may also occur concurrently. This is why centralized documentation, standardized processes, and coordinated governance are essential. Fragmented responses increase risk and weaken audit defensibility.
What happens if an audit identifies noncompliance?
Outcomes depend on the auditor and severity of findings. HRSA may require corrective action plans, manufacturer repayments, or program termination. Manufacturer audits may lead to repayment demands or future audit escalation. In many cases, demonstrating proactive monitoring and corrective efforts can mitigate consequences. However, unresolved or repeated violations increase risk significantly.
How can Cooper Strategy help with 340B audit readiness?
Cooper Strategy provides comprehensive audit readiness assessments, mock audits, corrective action planning, and ongoing compliance monitoring. We help covered entities identify risks, strengthen documentation, validate vendor logic, and build governance structures that withstand scrutiny. Our approach ensures organizations are prepared not just for one audit—but for sustained oversight across the life of the 340B program.