The 340B patient definition is one of the most audited areas of the program — and one of the most misunderstood.

Most covered entities know the definition exists. Fewer have built the internal systems to apply it correctly at the transaction level, across every site, for every prescription. That gap is where audit exposure lives.

This article covers what the definition actually requires, where programs most commonly fail, and what it looks like to get it right.

‍

Three Patient Definition requirements

1. An established relationship, with documentation

The covered entity must have an established relationship with the individual, such that the entity maintains records of that individual's health care. A prescription alone does not establish a relationship. Records of the encounter, the evaluation, and the care provided must exist and must be accessible.

2. Responsibility of care

The individual must receive health care services from a provider who is either employed by the covered entity or provides care under contractual or other arrangements, such as a referral, where responsibility for the care remains with the covered entity.

This is where referral prescriptions create complexity. A patient referred to a specialist can still qualify as a 340B patient, but only when the covered entity can document that it initiated the referral, maintains responsibility for the patient's care, and has the records to support that relationship.

3. Grant scope alignment, for grantees

For federal grantees, there is a third requirement that hospitals do not face: the health care services provided must be consistent with the scope of services for which the entity receives federal grant funding. A prescription originating from an encounter outside the approved grant scope does not qualify, even if the patient otherwise meets the other two criteria.

One clear exclusion applies across all entity types. An individual whose only interaction with the covered entity is receiving a drug for self-administration at home is not considered a patient. Dispensing alone does not create a patient relationship.

Where programs most often go wrong with patient definition

Referral prescriptions without documented responsibility

Referral capture is one of the most valuable and highest-risk areas of patient definition compliance. When a covered entity refers a patient to an outside specialist and the specialist writes a prescription, that prescription can qualify for 340B pricing. But only when the covered entity can show documented responsibility for the patient's ongoing care and medical records that support the referral/specialist relationship. When any of those elements are missing, the claim fails.

Provider mapping errors

A 340B claim is only as valid as the provider attributed to it. If a prescriber is not employed by or under contract with the covered entity, prescriptions attributed to them do not qualify, even when the patient does. Covered entities with large or frequently changing provider rosters need an active process for keeping provider files current. Outdated provider attribution is a leading cause of eligibility failures that look compliant on the surface.

Encounter-level gaps

Patient eligibility cannot be assumed from a general care relationship. It has to be demonstrated at the encounter level, meaning that for each prescription, there must be a documented visit or referral that produced it. Programs that rely on a patient's history with the covered entity rather than the specific encounter connected to the prescription are carrying audit risk they may not see until HRSA does.

Grant scope creep, for grantees

For FQHCs and other federal grantees, applying 340B to prescriptions that originate from visits outside the grant's approved scope of care is among the most common compliance failures. A patient who is established at the health center but receives services in a clinical area outside the grant scope, and gets a prescription from that visit, does not produce a qualifying 340B claim. This is a nuance that hospitals do not face and that grantee programs frequently underestimate.

What good patient definition documentation looks like

Covered entities with strong patient definition compliance have two things that others often do not: written policies that define eligibility in terms of their specific entity type and grant scope, and systems configured to apply that definition at the prescription level rather than the patient level.

In practice that means:

• Encounter-level eligibility logic in the TPA or split-billing system, not just patient-level flags
• A current provider file that reflects who is employed or contracted, reviewed and updated on a defined schedule
• Referral documentation processes that capture the the specialist relationship and the covered entity's ongoing responsibility for care
• For grantees, a documented map of which encounter types fall within the grant's scope, with training for clinical and front-desk staff that reflects it

HRSA auditors sample dispense records and trace each one back to an eligible encounter. The documentation either supports the claim or it does not. Systems that generate 340B-eligible flags based on a patient's general relationship with the entity rather than the specific encounter that produced the prescription will not hold up under that review.

How RxTrail works with covered entities on this

Patient definition compliance is operational, not just policy. We work with covered entities to make sure eligibility logic is built into their systems correctly and reflects how their program actually works today, not how it was configured when their TPA was first set up.

That includes provider file reviews to confirm that prescriber attribution reflects current employment and contract relationships, TPA configuration checks to verify that eligibility logic is running at the encounter level, referral documentation process reviews, and grant scope mapping for grantees. We work with both hospitals and federal grantees, and the compliance picture looks different for each.

When HRSA audits for patient definition compliance, they sample transactions and trace them back to the encounter. We make sure those transactions are defensible before the auditor asks.

Do referral prescriptions qualify for 340B?

They can, but only with the right documentation in place. The covered entity must maintain responsibility for the patient's care and have records supporting the specialist relationship. Referral capture is one of the highest-risk areas of patient definition compliance and one of the most valuable when managed correctly.

What if a patient has been coming to our health center for years? Does that establish eligibility?

A long-standing patient relationship matters, but eligibility is determined at the prescription level, not the patient level. The specific encounter that produced the prescription must be documented and must tie back to an eligible provider and, for grantees, a service within the grant's approved scope.

Our TPA handles eligibility logic. Does that mean we are covered?

Your TPA's configuration reflects the eligibility rules as they were set up. If the logic was built incorrectly, or has not been updated as your provider roster or grant scope has changed, the system will generate ineligible claims without flagging them. The covered entity bears responsibility for compliance regardless of what the TPA produces.

What is the dispensing-only exclusion?

An individual whose only interaction with the covered entity is receiving a drug for self-administration at home is not a 340B-eligible patient. A qualifying care relationship requires more than a dispensing transaction.

‍