340B Audit Readiness: Why the 340B Program Sees So Many HRSA Audit Problems

Roughly half of the covered entities that HRSA audited in fiscal year 2025 walked away with an adverse finding, and most of those problems were preventable. The 340B program lets eligible hospitals and clinics buy outpatient drugs at steep discounts, but participation in the 340B program carries strict compliance obligations that the Health Resources and Services Administration enforces through annual audits. If your organization participates, audit readiness is no longer optional: it is the difference between keeping your savings and repaying manufacturers.

Quick answer: In FY2025, HRSA audited 115 covered entities and 49% received adverse findings, an improvement over FY2024’s 64% but still nearly one in two. Most findings were administrative rather than fraudulent, led by incorrect records in HRSA’s Office of Pharmacy Affairs Information System (OPAIS), which appeared in about 75% of entities with adverse findings, followed by Medicaid duplicate-discount issues and drug diversion. Entities that maintain clean registry data, a defensible patient-definition policy, and a tested Medicaid billing process avoid the overwhelming majority of these problems.

How does HRSA audit 340B covered entities?

HRSA’s Office of Pharmacy Affairs audits a sample of covered entities each year to confirm they meet the requirements of Section 340B of the Public Health Service Act. The agency selects entities through a risk-based methodology and also conducts targeted audits prompted by manufacturer referrals or self-disclosures. You can review the program’s enforcement posture directly on the HRSA Program Integrity page.

The audit examines whether the entity is eligible, whether it prevents diversion of 340B drugs to ineligible patients, and whether it prevents duplicate discounts when drugs are billed to Medicaid. Auditors review OPAIS registration records, the entity’s patient-definition policy, contract pharmacy arrangements, and a sample of dispensing records traced back to eligible providers and locations. Each of these areas maps to a specific statutory duty, so an auditor is not applying subjective judgment so much as confirming that documented controls exist and function.

In FY2025, hospital-based programs made up 84% of audits, including Disproportionate Share Hospitals, Critical Access Hospitals, and Rural Referral Centers, while grantees such as federally qualified health centers, Ryan White clinics, and STD clinics made up the remaining 16%. The statutory framework, including the duties to prevent diversion and duplicate discounts, is set out in 42 U.S.C. 256b. Understanding the scope tells you where to focus your readiness work, because the audit weights hospital programs heavily and concentrates on the same handful of control areas every cycle.

Selection is not random in the way that word implies. Risk-based targeting means that entities with complex contract pharmacy networks, recent registration changes, or prior findings are more likely to be reviewed, and a manufacturer referral can move an organization to the front of the line regardless of its size. Treating selection as inevitable rather than improbable is the correct posture, since the controls that survive an audit are the same ones that protect program savings day to day.

What 340B adverse-finding patterns must you prepare for?

The single most common finding in FY2025 was incorrect OPAIS records, present in roughly three-quarters of entities with adverse findings. These are usually inadvertent: a contract pharmacy with a lapsed agreement still listed as active, an eligible child site that was never added, a Medicare cost report reference that no longer matches, or an authorizing official whose contact information is stale. HRSA treats an inaccurate registry as a compliance failure even when no drugs were misallocated, because the agency relies on OPAIS to validate every transaction.

That last point deserves emphasis. The registry is the system of record the auditor uses to confirm eligibility for every purchase, so a gap between what OPAIS shows and what the entity actually operates is a finding by definition. An organization can run a clean pharmacy operation and still fail simply because its self-reported data drifted out of date, which is why registry accuracy is the highest-leverage discipline in the entire program.

The second pattern involves duplicate discounts and the Medicaid Exclusion File (MEF). A duplicate discount occurs when a manufacturer provides a 340B discount on a drug that is also subject to a Medicaid rebate, and HRSA flags it primarily through MEF errors. Notably, of the 28 entities flagged for MEF issues in FY2025, five were determined to have no actual duplicate discounts, meaning the error was purely administrative. That detail matters: a registry or carve-in versus carve-out misstatement can generate a finding even when your billing was clean.

The third pattern is diversion, meaning 340B drugs dispensed to individuals who do not meet the patient definition, or prescriptions written at sites not registered as 340B locations. Diversion is the most scrutinized category in every cycle because it goes to the heart of program eligibility. The financial stakes are real: 64% of entities with adverse findings faced one or more sanctions, 50% were required to repay manufacturers, and 21% had at least one site terminated.

Read together, these three patterns tell a consistent story. The program does not primarily catch bad actors; it catches good organizations whose documentation lags their operations. The two administrative categories, OPAIS accuracy and MEF correctness, account for the bulk of findings, and both are fixable through routine reconciliation rather than clinical change.

How do you build a 340B audit-readiness checklist?

Build your readiness program around the failure modes HRSA actually finds, not generic best practices. Each item below maps to a documented FY2025 finding category, so the checklist functions as a self-audit you can run quarterly.

Registry and OPAIS hygiene. Reconcile every OPAIS field against source documents at least quarterly: authorizing official, primary contact, Medicare cost report period, and the complete list of child sites and contract pharmacies. Remove pharmacies whose agreements have lapsed and add new sites before they begin purchasing 340B drugs. Because OPAIS errors drove three-quarters of adverse findings, this single discipline addresses the largest risk you face.

Medicaid duplicate-discount controls. Confirm that your MEF entries accurately reflect your carve-in versus carve-out decision for each NPI and billing arrangement, including managed Medicaid where state policy requires it. Test a sample of Medicaid claims against your stated policy and document the reconciliation. Keep written evidence that fee-for-service and managed care are handled separately when your state treats them differently, because the FY2025 data showed that several MEF findings reflected paperwork rather than actual duplicate discounts.

Diversion prevention and patient definition. Maintain a written patient-definition policy and verify that each 340B prescription traces to an eligible provider acting on the entity’s behalf at a registered location. Audit a statistically meaningful sample of contract pharmacy claims monthly, because diversion findings cluster in claims dispensed against prescriptions written at unregistered sites. Document the prescriber-to-site linkage you relied on for each sampled claim, since that linkage is exactly what an auditor reconstructs.

Policies, oversight, and self-audit cadence. Keep current written policies and procedures, evidence of oversight by a designated 340B coordinator, and a log of internal audits with corrective steps taken. Entities that maintain disciplined internal review and clean master data are dramatically less likely to receive adverse findings. The CPAs who advise behavioral health organizations and other safety-net providers consistently see that documentation, not intent, determines audit outcomes.

Run this checklist on a fixed calendar rather than in response to an engagement letter. A quarterly cadence keeps OPAIS current between purchases, surfaces MEF drift before it compounds across a reporting period, and produces the dated internal-audit log that demonstrates oversight to HRSA. The work is repetitive by design, and that repetition is precisely what converts a stressful audit into a confirmation of what you already knew.

What happens when HRSA finds a problem?

An adverse finding is not the end of participation, but it starts a clock. HRSA typically requires the covered entity to submit a corrective action plan (CAP) within a defined window after the audit report is issued, and failure to submit a CAP can result in removal from the program. The CAP must document the specific action for each finding, the implementation timeline, and the controls that will prevent recurrence.

When a finding requires repayment, the covered entity is responsible for identifying and contacting every affected manufacturer to arrange repayment, while HRSA posts a notice alerting manufacturers to the violations. Full CAP implementation and settlement with manufacturers is generally expected within six months of CAP approval unless HRSA approves otherwise, and entities that cannot meet that expectation may be subject to termination. HRSA closes the audit only after the CAP is fully implemented and any repayment is confirmed resolved.

This is where a credentialed advisor earns the engagement. Quantifying repayment exposure, building the financial reconciliation behind the CAP, and structuring controls that survive the next audit require both accounting rigor and program-specific knowledge. Pease Bell CPAs works with healthcare and safety-net providers, including behavioral health entities, to translate an audit finding into a defensible, documented response rather than a recurring liability.

The reconciliation work is often the hardest part of a CAP. Identifying which transactions were affected, calculating the dollar exposure to each manufacturer, and showing that the new controls would have prevented the error all demand the same evidence trail that good readiness produces in the first place. An organization that kept disciplined records will assemble its CAP in weeks; one that did not may spend much of the six-month window simply reconstructing what happened.

Why does preparation pay off?

The FY2025 data carries an encouraging message: the adverse-finding rate fell from 64% to 49% year over year, and the leading causes were administrative errors that disciplined data governance eliminates. Entities that treat OPAIS accuracy, Medicaid controls, and patient-definition documentation as ongoing operational tasks, rather than annual scrambles, consistently clear audits without sanctions. The 340B program rewards entities that build the evidence trail before HRSA asks for it.

Treat your next internal review as a dress rehearsal for HRSA. Run the checklist above, fix the registry and MEF gaps you find, and keep the documentation that proves each transaction was compliant. The cost of readiness is a fraction of the cost of repaying manufacturers and rebuilding a terminated site.

Frequently Asked Questions

How many 340B covered entities did HRSA audit in FY2025, and how many had findings?

HRSA audited 115 covered entities in fiscal year 2025, and 49% received adverse findings. That is down from 64% in FY2024, but it still means nearly half of audited entities had at least one compliance issue, most of them administrative.

What is the most common 340B audit finding?

Incorrect OPAIS registry records are the most common finding, appearing in roughly 75% of entities with adverse findings in FY2025. Typical errors include lapsed or unlisted contract pharmacies, missing child sites, and outdated Medicare cost report or contact information.

What sanctions can result from a failed 340B audit?

In FY2025, 64% of entities with adverse findings faced one or more sanctions. The most common was repaying affected manufacturers, required of 50% of those entities, while 21% had at least one site terminated from the program.

How quickly must a covered entity respond to an adverse finding?

HRSA requires a corrective action plan within a defined window after the audit report, and failing to submit one can lead to removal from the program. Full implementation and manufacturer repayment are generally expected within six months of CAP approval unless HRSA approves otherwise, after which HRSA closes the audit.

Let’s talk about your business.