.png)
HRSA audited 115 covered entities in 2025. Nearly half received adverse findings, meaning they faced repayment requirements, corrective action plans, or in some cases removal from the program. The most common reasons were not obscure edge cases. They were gaps in systems that covered entities manage every day: outdated records, inadequate documentation, internal controls that existed on paper but not in practice.
That is the reality of 340B compliance right now. But the top findings are also among the most preventable. This article breaks down what HRSA actually looks at, what keeps programs in good standing, and where things most often go wrong.
What HRSA is evaluating
The 340B statute itself is brief. It establishes which entities can participate, sets the ceiling prices manufacturers must offer, and imposes two explicit prohibitions on covered entities: no diversion of 340B drugs to ineligible patients, and no duplicate discounts on drugs billed to Medicaid.
Everything beyond those two prohibitions lives in HRSA guidance. This includes interpretation of the statute that covers how an eligible patient is defined, how registration and recertification work, what internal controls should look like, and what documentation is required to support all of it.
When HRSA audits a covered entity, they are checking all of it. Compliance with the statute and compliance with HRSA's interpretive guidance are both in scope.
The 340B Office of Pharmacy Affairs Information System, known as OPAIS, is the federal database where covered entities register their organization, outpatient child sites, and contract pharmacies. It is also, year after year, the leading source of adverse audit findings.
Inaccurate OPAIS records have been the most common finding HRSA identifies across multiple consecutive audit years.
The common mistakes are not complicated. Medicare Cost Report filing dates entered incorrectly. Terminated contract pharmacies left active in the system. Child sites dispensing 340B drugs before they are registered. Ship-to and bill-to addresses that no longer match the pharmacy service agreement on file.
OPAIS is not a one-time setup. Every time something changes in your program like a new site, a pharmacy termination, a contact update, a change in Medicaid billing status, OPAIS should be updated immediately. Waiting until the next recertification window is the pattern HRSA finds most often, and it is the pattern auditors are specifically looking for.
The statute prohibits dispensing 340B drugs to individuals who are not patients of the covered entity. The statute does not define what "patient" means. That definition lives in HRSA guidance, and it requires three things: an established care relationship with the covered entity, care from a provider employed by or under contract with the covered entity, and services consistent with the entity's grant or hospital status.
Patient definition compliance is tested during audits through transaction-level sampling. Auditors pull dispense records and verify that each one maps to an eligible encounter. For hospital covered entities, the most common diversion finding is a 340B drug dispensed to an inpatient. Where the inpatient carve-out applies and 340B pricing is not permitted.
If your dispensing systems are generating 340B claims without a grant-scope or eligibility check at the encounter level, that is where to look first.
A duplicate discount occurs when a manufacturer provides both a 340B discount and a Medicaid rebate on the same drug. Federal law prohibits it, and a finding of non-compliance can result in repayment to manufacturers, HRSA citations, and in some cases penalties from state Medicaid programs.
The first decision every covered entity must make is whether to carve in or carve out of Medicaid.
Carve-out means the covered entity does not use 340B drugs for Medicaid patients at all. Medicaid claims are filled with non-340B purchased drugs. Because no 340B discount is being taken on those claims, there is no risk of a duplicate discount on the FFS side. Carve-out is the simpler compliance posture, but it means forgoing 340B savings on Medicaid patients.
Carve-in means the covered entity uses 340B drugs for Medicaid patients and bills Medicaid at the standard reimbursement rate. The savings are available, but preventing duplicate discounts becomes an active compliance obligation.
For covered entities that carve in, the primary prevention mechanism for fee-for-service Medicaid is the Medicaid Exclusion File, known as the MEF. When a covered entity elects to carve in, it must register its NPI and Medicaid billing numbers in OPAIS for each state where it bills Medicaid for 340B drugs. That information populates the MEF, which tells state Medicaid programs which claims to exclude from manufacturer rebate invoices.
If you carve in and your NPI is not listed on the MEF for a state where you are billing, that protection does not exist for those claims. The rebate goes through. The duplicate discount occurs without the covered entity knowing it happened.
The MEF applies to fee-for-service Medicaid only. It does not apply to managed care.
For managed care claims, there is no equivalent centralized mechanism regardless of carve-in or carve-out status. Each state, and sometimes each plan, has its own requirements: billing modifiers, carve-out elections, plan-specific reporting processes. With most Medicaid beneficiaries now enrolled in MCO plans, this is where the real complexity lives for most covered entities today. A 340B drug dispensed to a Medicaid MCO patient without the right identifiers in place can result in a rebate request the covered entity never saw coming.
For a full breakdown of how MCO duplicate discount risk works and what to have in place, see our guide: Understanding Duplicate Discount Risk in Medicaid MCO Claims.
Diversion prevention
Diversion is dispensing a 340B drug to a patient who does not qualify. In practice, the most common trigger is an inpatient dispensation at a hospital covered entity, where 340B pricing applies only to outpatient drugs. Contract pharmacy transactions where the patient encounter does not support eligibility are a secondary source.
HRSA expects covered entities to have written policies describing how they define an eligible patient at each dispensing location, how that definition is applied in practice, and how they would detect and respond to a diversion event. Auditors review both the policies and the underlying transaction data. One without the other is not sufficient.
Records and internal controls
HRSA requires covered entities to maintain records sufficient to demonstrate compliance across every program requirement like purchasing records, patient encounter documentation, dispense-level data, Medicaid billing records, and written policies and procedures.
Beginning in FY2023, HRSA added a data request item requiring covered entities to provide documentation of an independent external audit of their contract pharmacy arrangements, including who conducted it, what it covered, and when. That requirement has remained in place. External review of your contract pharmacy program is not optional.
Self-disclosure
HRSA maintains a self-disclosure process that allows covered entities to report compliance issues before an audit identifies them. Self-disclosure does not eliminate consequences, but it generally produces a more structured resolution process than an audit finding does.
If your team identifies a potential compliance issue, the decision about whether and how to self-disclose should involve your compliance counsel or 340B consultant. It is not a decision to make alone or quickly.
Frequently asked questions
Does HRSA select entities for audit randomly? Mostly no. Approximately 90 percent of audits are risk-targeted, meaning HRSA uses data signals to select entities. Known risk factors include prior adverse findings, OPAIS anomalies visible in the database before an auditor arrives, and high contract pharmacy volume. Random selection accounts for a small portion.
What happens after an adverse finding? HRSA issues a finding and typically requires a corrective action plan. This can include repayment to one or more manufacturers. In cases involving knowing and intentional violations, interest on repayment amounts applies. Termination from the program is reserved for systemic, egregious violations.
Are manufacturer audits the same as HRSA audits? No. Manufacturers have their own statutory audit rights and can request HRSA approval to audit covered entities. Their focus is transaction-level: duplicate discounts and diversion at the NDC level. The documentation requirements overlap significantly with what HRSA asks for, so audit-ready records address both.
How often should we be reviewing our OPAIS record? At minimum, quarterly, to align with the quarterly registration windows. Any change to a registered site, pharmacy, or contact should trigger an immediate update. OPAIS anomalies are visible to HRSA before an auditor ever contacts you.
What is self-disclosure for? It allows a covered entity to proactively report a compliance issue to HRSA before an audit finds it. It signals good faith and typically results in a more cooperative resolution process. It is not an admission of intentional wrongdoing, but it should be handled carefully.
