Is Your 340B Patient Definition Audit-Proof? A Compliance Checklist

Few things create more anxiety for pharmacy leaders than a 340B audit finding tied to the patient definition. It’s one of HRSA’s most frequently cited—and most misunderstood—requirements.

While the 340B statute doesn’t spell out every operational nuance, HRSA guidance is clear: if your organization can’t prove that every 340B prescription meets patient eligibility, your compliance integrity—and your savings—are at risk.

This article provides a step-by-step checklist for assessing whether your 340B patient definition is truly audit-proof, drawing on Cooper Strategy’s field-tested compliance frameworks and audit remediation experience.

Why the 340B Patient Definition Matters

The 340B patient definition determines who qualifies for discounted drugs under your covered entity’s participation. HRSA expects that every prescription or administration of a 340B drug can be traced back to an eligible patient, prescriber, and encounter.

If that chain breaks—even once—it’s considered diversion.

An audit-ready patient definition protects:

• Program Integrity: Ensures drugs are dispensed only to eligible patients.
  
• Financial Performance: Prevents disallowances or paybacks from HRSA audits.
  
• Reputation: Demonstrates control and accountability to regulators and stakeholders.
  

In short, your patient definition is the compliance backbone of your 340B program.

Understanding HRSA’s Core Patient Definition

HRSA’s patient definition—commonly referenced from its 1996 guidance—includes three key criteria:

1. Established Relationship:
   The individual has received healthcare services from a provider employed by, contracted with, or otherwise an arrangement with the covered entity.
   
2. Medical Record Maintenance:
   The covered entity maintains records of the patient’s care, documenting the clinical relationship and the nature of the visit.
   
3. Service Eligibility:
   The healthcare service provided must be consistent with the entity’s HRSA registration and scope of services.
   

If all three conditions are met, the patient qualifies. If one is missing, the encounter and prescription do not.

Cooper Strategy’s 340B Patient Definition Compliance Checklist

The following audit-proof checklist is designed for pharmacy, compliance, and audit teams to self-assess and strengthen their documentation and data workflows.

1. Provider Relationship Documentation

• Maintain a master prescriber list (with NPIs) that identifies employment or contractual status.
  
• Update quarterly—or immediately when new providers join or leave.
  
• Ensure your contracts and credentialing files explicitly define covered arrangements.
  
• Map prescriber NPIs to their registered child sites in OPAIS.
  

Audit Tip: HRSA auditors will request prescriber employment or contract verification. Keep digital copies accessible and version-controlled.

2. Patient Encounter Validation

• Confirm that the encounter occurred in a registered outpatient site under your OPAIS listing.
  
• Verify that the type of service (e.g., specialty care, telehealth, lab follow-up) is consistent with your HRSA-registered scope.
  
• Implement encounter-type logic in your split-billing or TPA system to flag ineligible visit codes.
  

Audit Tip: Maintain an internal “eligible encounter type” matrix that’s reviewed annually by compliance and pharmacy leaders.

3. Medical Record Accessibility

• Ensure that the covered entity maintains or has access to the full medical record for every 340B patient encounter.
  
• Verify that referral-based prescriptions are supported by encounter notes, not just lab results or verbal orders.
  
• For referred care, implement data-use agreements (DUAs) or Business Associate Agreements (BAAs) to allow secure record sharing.
  

Audit Tip: HRSA expects documentation that demonstrates an ongoing clinical relationship—not just a referral form.

4. Referral Capture Controls

• Create a documented referral capture process that links external prescribers back to the CE encounter.
  
• Ensure referred providers are included in your 340B scope through formal arrangements or contracts.
  
• Validate all referral claims with both encounter data and prescriber eligibility before inclusion.
  

Audit Tip: HRSA routinely examines referral capture documentation. Each referral prescription must be traceable back to an eligible encounter.

5. Prescriber Attribution Accuracy

• Reconcile prescriber NPI files monthly against HR, credentialing, and TPA rosters.
  
• Confirm that TPA logic correctly attributes prescriptions to eligible prescribers.
  
• Exclude locum tenens or residents unless they meet employment or contractual criteria.
  

Audit Tip: Create a “prescriber verification log” that captures validation dates, responsible staff, and exception notes.

6. Contract Pharmacy Oversight

• Ensure contract pharmacy agreements are aligned with HRSA registration and include data-sharing provisions.
  
• Verify that claims files from contract pharmacies match eligibility logic in your split-billing or TPA systems.
  
• Conduct quarterly reconciliation to detect anomalies between in-house and contract pharmacy encounters.
  

Audit Tip: Maintain documentation that demonstrates how contract pharmacy claims are verified for patient definition compliance.

7. Medicaid Carve-In/Carve-Out Alignment

• Verify that MEF (Medicaid Exclusion File) settings align with your state’s billing practices.
  
• Ensure carve-in logic is applied consistently across all 340B claims.
  
• Cross-check Medicaid claims to confirm no duplicate discounts occur.
  

Audit Tip: HRSA auditors compare MEF status to Medicaid billing data—discrepancies are red flags.

8. Policy, Procedure, and Training Integration

• Embed patient definition standards into your written 340B policy manual.
  
• Provide annual training for pharmacy, billing, and compliance staff.
  
• Require signed attestations for anyone managing 340B eligibility workflows.
  

Audit Tip: HRSA often requests staff training records to confirm policy implementation.

9. Continuous Monitoring and Internal Auditing

• Schedule quarterly internal audits to review random patient encounters for eligibility validation.
  
• Document findings, corrective actions, and revalidation steps.
  
• Track trends in ineligible encounters to identify systemic gaps.
  

Audit Tip: Maintain a “Patient Definition Audit Tracker” to monitor results and demonstrate proactive oversight.

10. Corrective Action and CAP Readiness

• If an issue is identified, immediately document findings and begin a Corrective Action Plan (CAP) process.
  
• Capture root causes, responsible owners, and completion timelines.
  
• Report CAP progress to the 340B Oversight Committee and compliance leadership.
  

Audit Tip: HRSA values transparency. Prompt self-disclosure and documented CAP implementation can mitigate penalties.

Building a Sustainable Patient Definition Framework

Audit-proofing isn’t a one-time exercise—it’s an ongoing discipline.

Your organization should institutionalize a Patient Definition Governance Model that includes:

• A cross-functional oversight committee (pharmacy, compliance, IT, legal).
  
• Defined audit cadence and thresholds.
  
• Periodic reviews of policy, vendor logic, and encounter data.
  
• Version-controlled documentation and sign-off by the Authorizing Official (AO).
  

When governance, documentation, and oversight align, your patient definition doesn’t just meet HRSA’s standard—it exceeds it.

How Cooper Strategy Helps Covered Entities Strengthen 340B Patient Definition Compliance

Cooper Strategy’s 340B compliance experts partner with covered entities nationwide to build defensible patient definition frameworks. We integrate policy design, audit simulation, data validation, and referral capture enhancement—ensuring your 340B program operates with confidence and clarity.

Our team has helped hospitals and health systems turn findings into frameworks—transforming HRSA audit challenges into opportunities for lasting operational control.

Strengthen your audit posture today: Contact Cooper Strategy

Frequently Asked Questions About Is Your 340B Patient Definition Audit-Proof? A Compliance Checklist

1. Why is the patient definition such a common source of HRSA audit findings?

Because the 340B statute offers broad guidance, interpretation errors are common. HRSA auditors scrutinize how covered entities apply the three-part patient definition—relationship, record, and scope—across encounters and prescribers. Many findings occur when documentation doesn’t prove the clinical relationship, encounters happen outside registered sites, or external referrals lack supporting data. A strong patient definition process provides clear evidence of eligibility for every claim. With detailed SOPs, consistent TPA logic, and verified documentation, covered entities can avoid findings and build audit resilience.

2. How can covered entities make referral capture programs compliant with HRSA’s patient definition?

Referral capture programs succeed when they mirror HRSA’s intent: the covered entity must remain the patient’s primary point of care. To stay compliant, establish formal arrangements or contracts with referred providers, implement secure data-sharing agreements, and document encounters in the covered entity’s medical record. Automate eligibility checks using TPA logic that links prescribers, encounters, and patient IDs. HRSA auditors often request to see this data lineage, so transparency and traceability are key. Effective referral capture balances patient access expansion with airtight compliance documentation.

3. What documentation should be available during an HRSA audit to prove patient eligibility?

Auditors typically request complete records for each sampled prescription, including the encounter note, prescriber NPI, site registration, and medical record access documentation. For referral claims, they’ll also expect signed DUAs or BAAs. Covered entities should maintain digital “audit binders” containing validated encounters and prescriber contracts. Organizing these by date, NPI, and patient ID accelerates audit response time and demonstrates program control. Remember, HRSA doesn’t just want to see that you can find the records—they expect you to explain the logic that proves eligibility.

4. How often should a covered entity audit its own patient definition compliance?

Best practice is to conduct quarterly internal audits that review both random and targeted encounters. Audits should assess encounter eligibility, prescriber status, and documentation completeness. Quarterly cadence allows timely identification and correction of systemic issues. Incorporating mock HRSA audits annually further strengthens preparedness. Regular audits demonstrate continuous compliance—an E.E.A.T. principle HRSA respects. Document findings, corrective actions, and closure validation to show a full lifecycle of oversight. Audit frequency isn’t just a checkbox—it’s your frontline defense against compliance erosion.

5. How can Cooper Strategy support our team in maintaining patient definition compliance?

Cooper Strategy offers specialized 340B compliance services focused on patient definition controls, documentation validation, and HRSA audit preparation. Our experts perform gap analyses, develop SOPs, test TPA logic, and train internal teams on eligibility verification. We also design referral capture frameworks and corrective action processes tailored to your operational model. Whether you’re building your compliance program or responding to findings, Cooper Strategy ensures every 340B claim stands up to audit scrutiny.
Schedule a compliance consultation: Contact Cooper Strategy