340B Program Compliance Checklist: What HRSA Auditors Actually Look For (2026)
By Vincent Couey, OmniRx founder. Source-cited from FDA, openFDA FAERS, DailyMed, NIH National Library of Medicine, and CMS data. Updated .
HRSA conducted over 200 audits of 340B covered entities in fiscal year 2025, and findings were issued in roughly 40% of completed reviews. The most common problems are not exotic -- they are basic documentation gaps, inconsistent eligibility checks, and sloppy split-billing logic. We reviewed public audit letters, OIG reports, and HRSA guidance documents to build the compliance checklist that your 340B coordinator should be working from right now.
The 340B Drug Pricing Program, established under Section 340B of the Public Health Service Act (42 USC 256b), allows eligible covered entities to purchase outpatient drugs from manufacturers at significantly reduced prices. In practice, savings range from 25% to 50% off average wholesale price. For a community health center filling 10,000 prescriptions per year, that translates to hundreds of thousands of dollars reinvested in patient care.
But the program comes with strings. HRSA's Office of Pharmacy Affairs (OPA) enforces compliance through audits, and the consequences of non-compliance are real: corrective action plans, manufacturer repayment, or removal from the program entirely. The entities that survive audits cleanly are not necessarily the ones with the largest budgets. They are the ones with disciplined processes and documentation.
This checklist is organized by the categories HRSA auditors evaluate. For each category, we cover what auditors look for, what constitutes a finding, and what you should have in place before you get the notification letter.
1. Patient Eligibility Verification
This is the area where HRSA issues more findings than any other. The core rule: a 340B-priced drug can only be dispensed to a patient of the covered entity. That definition, per HRSA guidelines published in the Federal Register (61 FR 55156), requires three conditions to be met simultaneously.
- The individual receives healthcare services from a covered entity provider. The patient must have a relationship with the entity that goes beyond a single prescription. They must receive a "health care service" -- defined as a service consistent with the entity's scope of grant, project, or contract.
- The individual receives a service that triggers 340B eligibility. Not every encounter qualifies. A patient who visits the entity's dental clinic may not be eligible for 340B-priced medications prescribed by an outside specialist.
- The covered entity maintains records of the relationship. Auditors will pull patient records and cross-reference them against 340B claims. If you cannot demonstrate that the patient was an active patient of your entity at the time of the 340B purchase, the claim is a finding.
Eligibility Red Flags
- Patients with 340B claims but no encounter in your EHR within the past year
- Patients seen only by a referred specialist who is not a covered entity provider
- 340B claims for patients registered at a child site that is not listed on your HRSA OPAIS profile
- No written patient definition policy, or a policy that has not been updated since registration
2. Split Billing and Inventory Management
Covered entities must prevent 340B drugs from being used for non-340B-eligible patients and must prevent non-340B drugs from being billed as 340B. This is the split-billing requirement, and it is where operational complexity becomes a compliance hazard.
There are two accepted models for managing 340B inventory:
Physical Inventory (Separate Stock)
The entity maintains physically separated 340B and non-340B drug inventories. Each inventory has its own purchasing, storage, and dispensing records. This model is straightforward to audit but operationally expensive, especially for entities with limited pharmacy space.
Virtual Inventory (Replenishment Model)
The entity maintains a single physical inventory and uses software to retrospectively determine which prescriptions qualify for 340B pricing. Qualifying claims trigger a replenishment purchase at 340B prices from the wholesaler. This is the model most FQHCs and small hospitals use, and it is the model HRSA scrutinizes most carefully.
Under the virtual model, auditors will examine your replenishment logic in detail. They want to see that every 340B replenishment purchase corresponds to a verified eligible prescription, that replenishment quantities match dispensed quantities, and that timing between dispensing and replenishment is reasonable (typically within the same billing cycle).
Common Split-Billing Findings
| Finding Category | What Auditors Flag | How to Prevent |
|---|---|---|
| Over-accumulation | 340B replenishment purchases exceed actual eligible dispensing volume | Monthly reconciliation of dispensed-to-purchased ratios by NDC |
| Misclassification | Non-eligible prescriptions tagged as 340B in the pharmacy system | Automated eligibility check at point of dispensing, not retroactively |
| Manual overrides | Staff manually changing claim status without documented justification | Audit trail on all status changes with supervisor review for overrides |
| No written policy | Entity cannot produce a documented split-billing procedure | Written SOP reviewed and signed annually by 340B coordinator |
| Stale inventory data | Replenishment reports do not match wholesaler purchase records | Weekly reconciliation between pharmacy system and wholesaler account |
3. Duplicate Discount Prevention (Medicaid)
Under 42 USC 256b(a)(5)(A), a covered entity cannot purchase a drug at the 340B price and also receive a Medicaid rebate on that same drug. This is the "duplicate discount" prohibition, and violating it means either the manufacturer or the state Medicaid program absorbs a discount they were not supposed to provide.
Compliance depends on where you operate and what model you use:
- Fee-for-service (FFS) Medicaid states: Covered entities must "carve in" Medicaid patients (use 340B drugs and bill Medicaid at 340B acquisition cost) or "carve out" (exclude Medicaid patients from 340B entirely so the manufacturer rebate applies). You cannot do both for the same drug.
- Managed care Medicaid: Different rules apply depending on state implementation. Entities must verify their Medicaid Exclusion File uploads via the HRSA Medicaid Exclusion File database and ensure their 340B claims system correctly identifies Medicaid managed care claims.
Tools like OmniRx automate eligibility tracking and generate audit-ready reports, reducing manual compliance burden for small covered entities. Automated systems flag Medicaid-enrolled patients in real time, preventing the claim from entering the 340B queue before the duplicate discount occurs.
4. Contract Pharmacy Compliance
Contract pharmacies remain the most contested area of 340B policy. Since 2020, multiple manufacturers have imposed restrictions on contract pharmacy arrangements, and HRSA's enforcement posture has shifted in response to litigation (see AstraZeneca v. Becerra, Novartis, and Sanofi cases working through federal courts).
For compliance purposes, here is what HRSA audits evaluate for each contract pharmacy arrangement:
- Registration: Every contract pharmacy must be registered on the 340B OPAIS before it begins dispensing 340B drugs. Retroactive registration does not cure prior non-compliance.
- Written agreement: A signed contract pharmacy agreement must be on file, specifying the responsibilities of both parties, data sharing requirements, and compliance obligations.
- Claims data access: The covered entity must have access to all dispensing data from the contract pharmacy to verify eligibility and prevent diversion.
- Oversight evidence: HRSA wants to see that the covered entity actively oversees the contract pharmacy relationship -- not just that the agreement exists on paper. Evidence includes regular audits of contract pharmacy claims, reconciliation reports, and documented corrective actions when issues are found.
Manufacturer Restrictions
As of early 2026, at least 30 manufacturers have implemented some form of contract pharmacy restriction. The most common models include:
- Single contract pharmacy designation: The manufacturer will honor 340B pricing at only one contract pharmacy per covered entity (Eli Lilly, Sanofi, AstraZeneca).
- Claims data submission requirement: The manufacturer requires covered entities to submit claims-level data through a third-party platform like 340B ESP before honoring contract pharmacy pricing (Johnson and Johnson, Novartis).
- No restrictions: Some manufacturers continue to honor all registered contract pharmacy arrangements without conditions.
Your 340B coordinator needs a current tracking document showing each manufacturer's restriction status and your entity's response. HRSA does not enforce manufacturer restrictions directly, but auditors will note if your entity is purchasing 340B-priced drugs through a contract pharmacy arrangement that the manufacturer has formally restricted. For current drug pricing data across retail and contract pharmacies, resources like RxGrab provide comparison tools that help entities verify they are receiving the correct 340B discount.
5. Drug Diversion Prevention
Diversion occurs when a 340B drug is provided to someone other than an eligible patient of the covered entity. This is the core prohibition of the program, and HRSA's audit protocol dedicates significant attention to it.
Diversion risk is highest in these scenarios:
- Walk-in prescriptions: Patients who present a prescription to the covered entity's pharmacy but have no patient relationship with the entity.
- Employee prescriptions: Staff members who fill prescriptions at the entity's pharmacy but are not patients of the entity's clinical services.
- Contract pharmacy leakage: Prescriptions filled at a contract pharmacy for patients who do not meet the covered entity's patient definition.
Diversion Prevention Controls
HRSA expects covered entities to maintain written policies and active systems that prevent diversion. At minimum, your entity should have:
- A written patient definition policy that specifies who qualifies as a "patient" of the entity
- An eligibility check at the point of dispensing (not just at registration)
- Regular audits of 340B claims to identify patients who no longer meet the definition
- A process for removing ineligible patients from the 340B queue
- Staff training records documenting annual 340B compliance training
6. HRSA OPAIS Registration and Recertification
Your entity's profile on the 340B Office of Pharmacy Affairs Information System (OPAIS) must be accurate and current. HRSA auditors will compare your OPAIS profile against your actual operations, and discrepancies generate findings. The annual recertification deadline (typically in the spring) is not optional -- failure to recertify results in automatic removal from the program.
OPAIS Accuracy Checklist
- All active pharmacy locations (in-house and contract) are registered
- Terminated pharmacy relationships have been removed
- Entity type and grant number are current
- Authorized official and primary contact information are up to date
- Child sites and associated sites are accurately listed
- Medicaid exclusion file designation (carve-in or carve-out) matches actual practice
7. Documentation and Record Retention
Documentation is the infrastructure that holds every other compliance area together. Without it, you cannot demonstrate compliance even if your processes are sound. HRSA does not specify a universal retention period in the 340B statute, but the agency expects entities to retain records for a minimum of 3 to 5 years, consistent with general federal grant record retention requirements under 45 CFR 75.361.
Required Documentation
| Document Type | Retention Period | Audit Purpose |
|---|---|---|
| Written patient definition policy | Current + 3 years prior versions | Demonstrates how entity defines eligible patients |
| Split-billing methodology SOP | Current + 3 years prior versions | Proves entity has a system to prevent diversion |
| Contract pharmacy agreements | Duration of agreement + 3 years | Verifies legal basis for contract pharmacy use |
| Medicaid exclusion file documentation | 5 years | Proves duplicate discount prevention |
| 340B purchase records (by NDC) | 5 years | Matches purchases to eligible dispensing |
| Staff training records | Duration of employment + 2 years | Shows ongoing compliance education |
| Internal audit reports | 5 years | Demonstrates proactive compliance monitoring |
| Corrective action documentation | 5 years | Shows response to identified issues |
8. The Full HRSA Audit Category Summary
Below is a consolidated view of the major audit categories, their typical finding rates based on publicly available HRSA audit letters, and the severity level HRSA assigns.
| Audit Category | Finding Rate | Severity | Most Common Finding |
|---|---|---|---|
| Patient eligibility | ~35% | High | No documented patient definition; patients with no qualifying encounter |
| Duplicate discounts | ~25% | High | Failure to carve in/out Medicaid consistently; stale exclusion files |
| Drug diversion | ~20% | Critical | 340B drugs dispensed to non-patients; no eligibility check at dispensing |
| Contract pharmacy oversight | ~20% | High | No oversight documentation; unregistered pharmacy locations |
| OPAIS accuracy | ~15% | Medium | Outdated contact info; child sites not listed; terminated pharmacies still active |
| Split billing | ~15% | High | No written methodology; replenishment mismatch with dispensing data |
| GPO prohibition (hospitals) | ~10% | High | Purchasing 340B drugs through a GPO for covered outpatient drugs |
Hospitals face an additional compliance layer that FQHCs do not: the GPO prohibition. Under 42 USC 256b(a)(4)(L), DSH hospitals, children's hospitals, and free-standing cancer hospitals are prohibited from purchasing covered outpatient drugs through a group purchasing organization (GPO) at 340B-eligible sites. If your entity is a hospital, your compliance program must include GPO exclusion monitoring and documentation. For broader context on how drug pricing programs affect patients, Health Britannica covers patient health programs and public health initiatives that intersect with 340B eligibility.
Building a Sustainable Compliance Program
An audit-ready entity is not one that scrambles when the notification letter arrives. It is one that operates as if the audit is already in progress. Here is a practical framework for maintaining ongoing compliance at a small covered entity:
Monthly
- Reconcile 340B purchases against dispensing records by NDC
- Review contract pharmacy claims data for eligibility outliers
- Verify Medicaid exclusion file status (if using carve-out)
Quarterly
- Conduct a sample audit of 25-50 340B claims for patient eligibility
- Review and update the patient definition policy if clinical services have changed
- Audit contract pharmacy compliance (if applicable)
- Run a split-billing reconciliation report and investigate discrepancies
Annually
- Complete OPAIS recertification before the deadline
- Conduct a full internal 340B compliance audit across all categories
- Update all written policies and SOPs
- Deliver staff training on 340B compliance requirements
- Review manufacturer restriction changes and update contract pharmacy strategy
- Document everything. File it where your compliance officer can find it in 30 seconds.
Small entities often lack the staff to run this program manually. A 340B coordinator at an FQHC typically wears three or four other hats, and compliance tasks compete with patient care for time and attention. This is where automation becomes a practical necessity rather than a luxury. Platforms designed for 340B compliance can run eligibility checks at the point of dispensing, reconcile purchases automatically, and generate the documentation packages that HRSA auditors request -- without requiring a dedicated compliance team.