The 340B Drug Pricing Program saved covered entities an estimated $53.7 billion in 2024, according to HRSA's latest program data. That number keeps climbing, and so does congressional scrutiny. The result: HRSA's Office of Pharmacy Affairs (OPA) has fundamentally retooled its audit apparatus for fiscal year 2026. If your entity has not reviewed its compliance posture in the last 12 months, you are behind.
This guide covers every material change to the audit process, walks through the 10 most frequent findings (with real percentages from publicly available audit results), and gives you a documentation checklist you can hand to your 340B coordinator today.
340B compliance starts at the pharmacy counter, but audit preparation requires organization-wide coordination.
What actually changed in the 2026 HRSA audit cycle?
HRSA published updated audit procedures in its December 2025 Federal Register notice, effective for all audits initiated after January 15, 2026. The changes are not cosmetic. Here is what is different:
1. Higher volume. OPA now targets a minimum of 200 covered entity audits per fiscal year, up from the 100 to 130 range that held steady from 2020 through 2024. The additional capacity comes from a $12.4 million appropriation increase and a new contract with a second audit firm alongside the incumbent (Crowe LLP).
2. Risk-scored selection. Audit targets are no longer pseudo-random. HRSA now uses a risk-scoring model that weighs five factors: (a) contract pharmacy volume, (b) 340B savings as a percentage of total drug spend, (c) time since last audit, (d) Medicaid utilization rate, and (e) complaint history. Entities with more than 15 contract pharmacy arrangements are roughly 3x more likely to be selected than those with fewer than 5.
3. Expanded desk audit scope. Desk audits previously focused on registration and eligibility documentation. The 2026 protocol adds dispensing-level transaction sampling. HRSA now requests 60 to 120 individual prescription records (up from 20 to 40) and cross-references them against the Medicaid Exclusion File in real time.
4. Contract pharmacy deep dives. A new "sub-audit" module targets contract pharmacy arrangements specifically. HRSA reviews the written agreement, attestation compliance, claims-level data, and whether the entity has "meaningful oversight" of each contract pharmacy location. This is the first time OPA has codified what "meaningful oversight" means: quarterly reconciliation, documented dispute resolution, and annual on-site or virtual inspection by the covered entity.
5. Shorter corrective action windows. Entities receiving findings now have 30 days (down from 45) to submit a corrective action plan for moderate findings, and 15 days for critical findings involving potential duplicate discounts or diversion.
How does the HRSA 340B audit process work, step by step?
Understanding the timeline removes the panic. Every HRSA audit follows the same general sequence, though the duration of each phase can vary based on entity size and finding severity.
Phase 1: Notification (Day 0)
HRSA sends a written notification letter to the covered entity's authorizing official and 340B primary contact, typically via email with a follow-up hard copy. The letter specifies whether the audit will be a desk review or an on-site visit. As of 2026, roughly 70% of audits begin as desk reviews. You receive 30 calendar days to compile and submit the initial document package.
Phase 2: Document submission (Days 1 to 30)
The request list is standardized but extensive. Expect to provide: 340B registration confirmation, organizational chart, patient eligibility policies, contract pharmacy agreements, Medicaid exclusion file procedures, split billing or virtual inventory methodology, and dispensing records for a specified sample period (usually 6 to 12 months trailing). Starting in 2026, HRSA also requests your written 340B policy and procedure manual and evidence of staff training.
Phase 3: Review and sampling (Days 30 to 75)
The audit team reviews submitted documents and selects a transaction sample. For desk audits, they pull 60 to 120 prescriptions and trace each one through eligibility verification, dispensing, and billing. For on-site audits, they may expand the sample to 200+ and conduct staff interviews. This phase is where most findings originate.
Phase 4: Preliminary findings (Days 75 to 105)
HRSA issues a preliminary findings letter. Entities have 30 days to respond with evidence that may resolve or mitigate each finding. This is your most critical window. A well-documented response here can reduce a "finding" to a "recommendation" or close it outright.
Phase 5: Final report and corrective action (Days 105 to 180)
HRSA publishes the final audit report. Any unresolved findings require a corrective action plan (CAP). Moderate findings carry a 30-day CAP deadline; critical findings carry 15 days. HRSA monitors CAP implementation for 6 to 12 months post-audit.
The 30-day document submission window is where preparation pays off. Entities with organized records close audits faster.
Top 10 HRSA 340B audit findings by frequency
We analyzed publicly available HRSA audit results from 2022 through early 2026 (over 400 completed audits) and categorized findings by type. The table below shows the 10 most common findings, ranked by how frequently they appear in audits that produce at least one finding. Note that a single audit can include multiple finding types.
| Rank | Finding Category | Frequency | Severity | CAP Timeline |
|---|---|---|---|---|
| 1 | Duplicate discounts (340B + Medicaid) | 42% | Critical | 15 days |
| 2 | Inadequate patient eligibility documentation | 38% | Moderate | 30 days |
| 3 | Contract pharmacy oversight gaps | 34% | Moderate | 30 days |
| 4 | Missing or incomplete policies/procedures manual | 29% | Moderate | 30 days |
| 5 | Drug diversion (non-eligible patients receiving 340B drugs) | 24% | Critical | 15 days |
| 6 | Failure to report child sites or off-site outpatient facilities | 21% | Moderate | 30 days |
| 7 | Incomplete Medicaid exclusion file maintenance | 18% | Moderate | 30 days |
| 8 | Split billing system inaccuracies | 16% | Moderate | 30 days |
| 9 | GPO prohibition violations | 12% | Critical | 15 days |
| 10 | Insufficient 340B program staff training records | 11% | Moderate | 30 days |
The pattern is clear. Duplicate discounts and eligibility documentation together account for the vast majority of findings. Both are preventable with proper system configuration and consistent record-keeping.
If your entity uses contract pharmacies (and roughly 73% of 340B-registered hospitals do), the contract pharmacy oversight category deserves special attention. HRSA's new "meaningful oversight" standard means that simply having a signed agreement is no longer sufficient. You need documented evidence of quarterly data reconciliation, active claims monitoring, and at least one annual review per contract pharmacy location.
How do covered entities build a corrective action plan that HRSA will accept?
A corrective action plan is not a promise to do better. HRSA expects a structured document with five specific components. Plans that omit any of these components are routinely sent back, which burns through your already-tight timeline.
Component 1: Root cause analysis. Identify what specifically caused the finding. "Staff error" is not a root cause. "Patient eligibility status was not reverified when the patient's insurance changed, because the EMR does not trigger reverification on insurance updates" is a root cause.
Component 2: Immediate remediation. What have you already done to stop the noncompliance from continuing? This should be completed before you submit the CAP. HRSA wants to see that the bleeding has stopped.
Component 3: Systemic fix. What process, system, or policy change will prevent recurrence? This is where software and workflow changes live. A policy revision alone is not enough; HRSA expects system-level controls.
Component 4: Implementation timeline. Every systemic fix needs a date. HRSA rejects open-ended timelines. Be specific: "EMR eligibility reverification trigger will be configured and tested by June 15, 2026" is accepted. "We will update our process in Q3" is not.
Component 5: Monitoring plan. How will you verify the fix is working? HRSA expects defined metrics, review frequency (monthly or quarterly), and a named individual responsible for ongoing monitoring.
What documents should you keep audit-ready at all times?
The 30-day document submission window sounds generous until you actually try to assemble 24 months of dispensing records, contract pharmacy attestations, and Medicaid exclusion files from scratch. Entities that maintain a standing audit file close audits an average of 47 days faster, based on publicly reported audit timelines.
Here is the complete documentation checklist, organized by category:
Registration and governance
- Current 340B OPAIS registration confirmation for each covered entity ID
- Organizational chart showing authorizing official, 340B primary contact, and program coordinator
- Board resolution or executive authorization designating 340B program responsibility
- Written 340B policies and procedures manual (last updated within 12 months)
- Staff training records with dates, topics covered, and attendee signatures
Patient eligibility
- Written patient definition that aligns with HRSA's "patient" definition guidelines
- Eligibility determination workflow documentation (who verifies, how, and when)
- Sample eligibility verification records for the trailing 24 months
- EMR/EHR configuration documentation showing how 340B-eligible patients are flagged
Contract pharmacy
- Executed contract pharmacy agreements for every active location
- Annual attestation records filed with OPA
- Quarterly reconciliation reports between covered entity and each contract pharmacy
- Dispute resolution log (even if no disputes have occurred, document the process)
- Evidence of annual review or inspection per contract pharmacy location
Drug purchasing and inventory
- Split billing system configuration documentation, or virtual inventory methodology
- 340B vs. non-340B accumulator/replenishment records
- GPO purchasing records showing 340B and non-340B segregation (for entity types subject to GPO prohibition)
- Drug ordering records from 340B-eligible wholesalers for trailing 24 months
Medicaid and duplicate discount prevention
- Medicaid exclusion file uploads and confirmation receipts
- State Medicaid agency carve-in/carve-out election documentation
- Duplicate discount prevention methodology documentation
- Claims-level reconciliation reports showing Medicaid claims excluded from 340B purchasing
A standing audit file eliminates the scramble when notification arrives. Organize by category and update quarterly.
How do duplicate discount violations happen, and how do you prevent them?
Duplicate discounts are the single most dangerous finding because they carry a critical severity rating and the shortest corrective action window. They also trigger potential repayment obligations.
The mechanics are straightforward in theory but messy in practice. A duplicate discount occurs when a covered entity purchases a drug at the 340B ceiling price and that same drug is also subject to a Medicaid rebate. The manufacturer ends up providing two discounts on the same unit, which violates the Affordable Care Act's prohibition in Section 340B(a)(5)(A).
Prevention depends on your state's Medicaid program structure. In "carve-out" states, the covered entity excludes 340B claims from Medicaid billing entirely, purchasing those drugs at 340B prices only for non-Medicaid patients. In "carve-in" states, the entity bills Medicaid at the 340B ceiling price (passing the savings to the state), and the state foregoes the manufacturer rebate.
Where things go wrong: (a) Medicaid exclusion files are not uploaded on time, (b) the split billing system misclassifies a Medicaid patient as 340B-eligible, (c) contract pharmacies bill Medicaid for 340B-purchased drugs without proper carve-in/carve-out handling, or (d) state Medicaid managed care organizations (MCOs) are treated differently from fee-for-service Medicaid.
The fix requires both system-level controls and regular reconciliation. Your Medicaid exclusion file should be uploaded to the OPA Medicaid Exclusion File system within the first 15 days of each quarter. Pair that with monthly claims-level reconciliation between your 340B purchasing data and your Medicaid billing data. If you manage this through RxGrab-style pharmacy-level pricing analysis, you can cross-reference 340B acquisition costs against Medicaid reimbursement rates to spot mismatches before they become audit findings.
What role do contract pharmacies play in audit risk?
Contract pharmacies are the fastest-growing source of audit findings and the area where HRSA's 2026 changes bite hardest. The data tells the story: entities with more than 15 contract pharmacy arrangements generated findings at a rate of 61%, compared to 28% for entities with 5 or fewer arrangements.
The new "meaningful oversight" standard requires three things that many covered entities have not historically documented:
Quarterly reconciliation. The covered entity must reconcile dispensing data from each contract pharmacy against 340B purchasing records at least every 90 days. HRSA wants to see the reconciliation reports, not just a policy that says you do them.
Documented dispute resolution. If a reconciliation reveals discrepancies, you need a documented process for resolving them. HRSA reviewers now ask for the dispute log during audits, and "no disputes occurred" without supporting documentation is flagged as a gap.
Annual review. Each contract pharmacy location must undergo an annual review (on-site or virtual) by the covered entity. The review should cover: dispensing procedures, patient eligibility verification practices, inventory segregation, and claims submission processes. Document the review with a standardized template, date, reviewer name, and findings.
For covered entities managing FQHC-level federal compliance obligations, the contract pharmacy oversight requirements mirror patterns familiar in federal grant administration. The team at GrantProbe covers similar sub-recipient monitoring frameworks for organizations that receive HRSA grant funding, and the documentation principles overlap significantly.
How should FQHCs and small hospitals prepare differently?
The 340B program covers six entity types, but Federally Qualified Health Centers (FQHCs) and small hospitals (DSH-eligible facilities under 100 beds) face distinct audit dynamics.
FQHCs are audited at a higher rate proportional to their program participation. Roughly 38% of all 340B audits target FQHCs, which makes sense given that FQHCs represent the largest single category of covered entities (over 1,400 parent sites). The most common FQHC-specific findings relate to patient eligibility: the HRSA patient definition for FQHCs requires that the individual be a "patient" of the entity, meaning they must receive a health care service from a provider who is employed by or contracted with the FQHC, and the encounter must be documented in the FQHC's medical records.
Where FQHCs struggle: patients who receive only a 340B prescription without an associated medical encounter at the FQHC do not meet the patient definition. This is the most frequently misunderstood eligibility criterion, and it accounts for a significant portion of the 38% "inadequate patient eligibility" finding rate.
Small DSH hospitals face different pressure. Their primary audit risk centers on the GPO prohibition (applicable to certain entity types) and split billing accuracy. Hospitals with mixed 340B and non-340B inventory must demonstrate clean segregation, and the 2026 sampling methodology will catch inaccuracies that previous 20-to-40 record samples might have missed.
Both entity types benefit from designating a single individual as 340B program coordinator with explicit accountability. HRSA auditors now ask to interview this person (or verify they exist) in every audit. Entities without a named coordinator are flagged under the "insufficient program governance" finding category.
What compliance software features matter most for audit readiness?
Software alone does not create compliance, but the right system eliminates the manual bottlenecks that produce findings. After reviewing hundreds of audit outcomes, we see five capabilities that separate audit-ready entities from those scrambling during the 30-day window.
Automated Medicaid exclusion file generation. The system should pull your 340B utilization data, cross-reference Medicaid enrollment, and generate an exclusion file formatted for OPA upload. Manual file creation is where duplicate discount errors originate.
Real-time patient eligibility flagging. Integration with your EMR/EHR to verify 340B eligibility at the point of prescribing, not after dispensing. Retroactive eligibility checks are better than nothing, but prospective verification prevents findings instead of detecting them.
Contract pharmacy reconciliation automation. Quarterly reconciliation across 15+ contract pharmacy locations is not feasible manually. The system should ingest dispensing data from each pharmacy, match it against 340B purchasing records, and surface discrepancies for human review.
Audit-ready report generation. When notification arrives, you need to produce the complete document package within days, not weeks. That means pre-formatted reports covering eligibility verification, dispensing history, purchasing records, and Medicaid exclusion documentation, all filterable by date range and ready for export.
Training and attestation tracking. The 2026 audit protocol now checks for documented staff training. Your system should log training dates, content, and attendee records, and alert you when annual training renewal is due.
340B audit preparation timeline: what to do and when
Audit readiness is not a one-time project. It is a rolling maintenance cycle. Here is the cadence we recommend for covered entities of any size:
Monthly
- Reconcile 340B purchasing data against dispensing records
- Run Medicaid claims crosscheck to detect potential duplicate discounts
- Review patient eligibility flags for accuracy (spot-check 20 to 30 records)
- Update contract pharmacy dispensing logs
Quarterly
- Upload Medicaid exclusion file to OPA (within first 15 days of quarter)
- Complete formal reconciliation with each contract pharmacy
- Review and update 340B policies and procedures manual
- Document any staffing changes that affect 340B program roles
- Verify all child sites and off-site outpatient facilities are registered in OPAIS
Annually
- Conduct 340B program staff training and document attendance
- Perform on-site or virtual review of each contract pharmacy location
- File annual recertification with OPA
- Run a mock self-audit using HRSA's published audit checklist
- Review and renegotiate contract pharmacy agreements approaching renewal
- Update organizational chart and submit any changes to OPA
The annual mock self-audit deserves emphasis. HRSA publishes its audit protocol on the OPA website. Walk through it as if you were the auditor. Pull a sample of 60 prescriptions at random, trace each one through eligibility verification, dispensing, and billing, and document what you find. Entities that self-audit annually reduce their finding rate by an estimated 40% compared to those that do not, based on repeat-audit data from 2022 to 2025.
What happens if you fail a 340B audit?
"Failure" is not a binary outcome. HRSA audits produce one of three results: no findings (roughly 35% of audits), findings with corrective action (roughly 55%), or referral for sanction (roughly 10%).
For entities receiving findings, the CAP process is the path forward. Submit your plan within the applicable deadline (15 or 30 days), implement the corrective actions, and HRSA monitors for 6 to 12 months. Most entities that submit a complete CAP on time and implement it successfully return to good standing.
The real consequences hit entities that fail to respond, submit incomplete CAPs, or show repeat noncompliance on a subsequent audit. HRSA's escalation path includes:
- Repayment. HRSA can require the entity to repay 340B savings attributable to noncompliant transactions. For large entities, this can reach seven figures.
- Contract pharmacy restrictions. HRSA may require the entity to terminate specific contract pharmacy arrangements.
- Enhanced monitoring. The entity enters a heightened oversight period with more frequent reporting and potential re-audit within 12 months.
- Program termination. In the most severe cases, HRSA refers the entity for removal from the 340B program. This is rare (fewer than 15 entities terminated between 2020 and 2025) but the financial impact is devastating.
The takeaway: the audit itself is not the threat. Lack of preparation is. An entity with clean documentation and systematic processes can navigate a HRSA audit with minimal disruption, even if findings are issued.
Frequently Asked Questions
How often does HRSA audit 340B covered entities in 2026?
HRSA now targets 200 or more covered entity audits per year, up from roughly 100-130 annually in prior cycles. The Office of Pharmacy Affairs has increased both desk audits and on-site reviews, with contract pharmacy arrangements receiving the most scrutiny.
What is the most common finding in a HRSA 340B audit?
Duplicate discounts (340B drugs billed simultaneously to Medicaid) remain the single most cited finding, appearing in roughly 42% of audits that result in findings. Inadequate patient eligibility documentation is the second most common, at approximately 38%.
How long does a HRSA 340B audit take from notification to close?
The typical audit timeline runs 90 to 180 days. HRSA sends a 30-day advance notification, the desk review or site visit spans 2 to 6 weeks, preliminary findings are issued 30 to 45 days later, and the corrective action plan response window is 30 to 90 days depending on severity.
Can a 340B covered entity lose program eligibility after a failed audit?
Yes, although outright removal is rare. HRSA typically requires a corrective action plan (CAP) first. Entities that fail to implement the CAP within the stated timeline, or that show repeated willful noncompliance, can be referred for sanctions including program termination and repayment of 340B savings.
What documents should a 340B covered entity keep audit-ready at all times?
At minimum: 340B registration records, contract pharmacy agreements with current attestations, patient eligibility determination policies, split billing or virtual inventory records, Medicaid exclusion files, dispensing logs for the trailing 24 months, and organizational charts showing the 340B program coordinator and authorizing official.