discover how we can help

Top 5 HRSA Audit Findings in 2024–2025 and How to Prevent Them

HRSA audits remain one of the most significant compliance risks facing 340B-covered entities. While the core regulatory expectations of the program have not fundamentally changed, how those expectations are enforced—and the level of scrutiny applied—has evolved considerably.

Between 2024 and 2025, audit findings have become more data-driven, more detailed, and more focused on documentation integrity and operational consistency. Covered entities are no longer evaluated solely on intent or policy—they are evaluated on whether they can prove compliance at the claim level, consistently, across all systems.

Understanding the most common HRSA audit findings is one of the most effective ways to strengthen your program. This article outlines the top five HRSA audit findings from 2024–2025 and provides practical strategies to prevent them.

Want to identify your audit risk before HRSA does? Contact Cooper Strategy. 

Why HRSA Audit Findings Are Increasing in Complexity

Shift Toward Claim-Level Validation

HRSA audits now focus heavily on:

  • Individual claim eligibility
  • Documentation consistency
  • Data alignment across systems

High-level compliance is no longer sufficient—auditors expect transaction-level proof.

Increased Focus on High-Risk Areas

Audit attention has intensified around:

  • Referral capture
  • Contract pharmacy claims
  • Specialty drugs
  • Data integrity

These areas represent both the highest value and the highest risk.

Finding #1: Failure to Meet the 340B Patient Definition

What HRSA Is Finding

The most common finding remains failure to meet the patient definition. This includes:

  • Missing or incomplete encounter documentation
  • Lack of clear responsibility for care
  • Weak or unsupported referral relationships
  • Prescriptions not tied to qualifying services

In many cases, organizations believed patients were eligible—but could not prove it.

Why This Happens

  • Overreliance on assumptions instead of documentation
  • Inconsistent referral workflows
  • Gaps in EHR documentation
  • Misalignment between policy and practice

How to Prevent It

Standardize Documentation Requirements

Ensure every eligible claim includes:

  • A qualifying encounter
  • Clear provider attribution
  • Clinical documentation supporting the prescription

Strengthen Referral Capture Controls

Require:

  • Documented referral orders
  • Defined responsibility for care
  • Consistent linkage between encounter and prescription

Conduct Routine Sampling

Regularly review claims to confirm patient definition compliance.

Finding #2: Diversion Due to Ineligible Sites or Settings

What HRSA Is Finding

Diversion findings frequently stem from:

  • Use of 340B drugs at unregistered locations
  • Incorrect site-of-service mapping
  • Misclassification of inpatient vs. outpatient encounters
  • Observation status errors

Even minor mapping errors can lead to systemic diversion.

Why This Happens

  • Outdated HRSA registration records
  • Inconsistent location mapping across systems
  • Poor coordination between finance, compliance, and IT

How to Prevent It

Validate Site Registration Regularly

Ensure:

  • All active outpatient sites are registered
  • Sites align with the cost report
  • System location codes match HRSA records

Audit Mixed-Use Areas

Pay special attention to:

  • Emergency departments
  • Observation units
  • Infusion centers

Align Systems Across the Organization

EHR, TPA, and billing systems must use consistent site definitions.

Finding #3: Duplicate Discount Violations

What HRSA Is Finding

Duplicate discount findings occur when:

  • Medicaid rebates and 340B discounts are applied to the same drug
  • Carve-in/carve-out settings are misaligned
  • Managed Medicaid claims are not properly identified

This is one of the most serious compliance violations.

Why This Happens

  • Inconsistent payer identification
  • Lack of managed Medicaid visibility
  • Misalignment between billing and TPA logic

How to Prevent It

Align Medicaid Strategy Across Systems

Ensure:

  • HRSA Medicaid Exclusion File settings match billing practices
  • Managed Medicaid logic is clearly defined

Monitor Claims Continuously

Identify and resolve:

  • Payer mismatches
  • Routing errors
  • Duplicate discount risk signals

Conduct Payer-Specific Audits

Regularly review Medicaid and managed care claims.

Finding #4: Contract Pharmacy Oversight Failures

What HRSA Is Finding

Contract pharmacy findings include:

  • Lack of oversight and monitoring
  • Incomplete documentation of claims
  • Ineligible prescriptions being captured
  • Failure to validate prescriber eligibility

HRSA expects covered entities to maintain full control over contract pharmacy compliance.

Why This Happens

  • Overreliance on vendors
  • Lack of internal monitoring processes
  • High claim volume without sufficient review

How to Prevent It

Establish Clear Oversight Structures

Define responsibility for:

  • Claim validation
  • Performance monitoring
  • Issue resolution

Review Contract Pharmacy Claims Regularly

Sample claims to confirm:

  • Patient eligibility
  • Prescriber mapping
  • Documentation completeness

Maintain Strong Agreements

Ensure contracts clearly define roles, responsibilities, and compliance expectations.

Finding #5: Inadequate Internal Controls and Auditing

What HRSA Is Finding

HRSA frequently identifies:

  • Lack of routine internal audits
  • Incomplete corrective action processes
  • Poor documentation of oversight activities
  • Reactive rather than proactive compliance

Organizations must demonstrate continuous monitoring—not just policy existence.

Why This Happens

  • Limited resources
  • Lack of structured audit programs
  • Inconsistent governance

How to Prevent It

Implement a Formal Audit Program

Include:

  • Scheduled internal audits
  • Defined audit scope and methodology
  • Documented findings and resolutions

Track and Resolve Issues

Maintain logs for:

  • Identified issues
  • Root cause analysis
  • Corrective actions
  • Follow-up validation

Report to Leadership

Ensure oversight committees review audit results regularly.

Emerging Trends Across All Findings

Documentation Is the Primary Defense

Every finding ultimately ties back to documentation. If it is not documented, it is not defensible.

Data Consistency Is Critical

Misalignment between systems creates risk—even when care is appropriate.

High-Value Claims Receive More Scrutiny

Specialty drugs and referral-based claims are more likely to be audited.

Building an Audit-Resilient 340B Program

Focus on High-Risk Areas

Prioritize:

  • Patient definition
  • Referral capture
  • Contract pharmacy
  • Medicaid billing

Invest in Continuous Monitoring

Move from periodic audits to ongoing oversight.

Validate Systems and Vendors

Ensure all systems reflect policy and operate as intended.

Strengthen Governance

Establish clear accountability and regular oversight.

👉 Cooper Strategy helps organizations identify audit risks, strengthen controls, and build defensible 340B programs.
Contact us: https://cooperstrategy.com/contact-us/

Conclusion

The top HRSA audit findings from 2024–2025 reinforce a consistent message: compliance must be proven, not assumed. Covered entities must demonstrate accurate eligibility, strong documentation, consistent data, and active oversight across every aspect of their 340B programs.

Organizations that proactively address these common findings are not only better prepared for audits—they are also better positioned to protect savings and sustain long-term program success.

Frequently Asked Questions About HRSA Audit Findings

Why does patient definition continue to be the most common audit finding?

Patient definition is complex and highly dependent on documentation. Many organizations believe they are compliant because care was provided, but they cannot produce the documentation needed to prove responsibility for care. Referral-based claims and specialty prescriptions add additional complexity, increasing the likelihood of errors. Because every eligible claim depends on patient definition, even small gaps can lead to widespread findings.

How can organizations reduce the risk of diversion findings?

Reducing diversion risk requires accurate site registration, consistent system mapping, and strong encounter classification. Organizations should regularly validate that all outpatient sites are registered and that system data aligns with HRSA records. Mixed-use areas should be audited frequently, and staff should be trained on correct classification of inpatient and outpatient encounters.

What makes duplicate discount prevention so difficult?

Duplicate discount prevention is challenging because it requires alignment across multiple systems and stakeholders. Managed Medicaid adds complexity, as payer identification is not always straightforward. Organizations must ensure that billing practices, TPA logic, and HRSA filings are fully aligned and continuously monitored to prevent errors.

Why are contract pharmacies a frequent source of findings?

Contract pharmacies increase both volume and complexity. Covered entities must manage large numbers of claims across multiple locations, often involving external prescribers and referral-based eligibility. Without strong oversight, documentation gaps and eligibility errors can occur. HRSA expects covered entities to maintain full responsibility for these arrangements.

How can Cooper Strategy help prevent HRSA audit findings?

Cooper Strategy helps organizations identify high-risk areas, validate compliance processes, and implement structured monitoring programs. We conduct mock audits, review eligibility logic, strengthen documentation standards, and build governance frameworks that support continuous compliance and audit readiness. Contact Cooper Strategy today!