340B Program Integrity & Audit Readiness

The 340B Compliance Problem Is Administrative, Not Clinical

The 340B Drug Pricing Program generated $81.4 billion in covered entity purchases in 2024 — a 23% year-over-year increase from $66.3 billion in 2023. That volume, and the $66.4 billion gap between WAC list prices and 340B discounted prices, makes program integrity enforcement a federal priority.

HRSA conducts approximately 200 audits per year through its contracted audit firm, The Bizzell Group. Of those, roughly 90% are risk-targeted based on proprietary HRSA criteria — meaning selection is not random. Entities with contract pharmacy arrangements, recent OPAIS changes, or specific entity types face elevated risk.

The good news: the two most common adverse findings are administrative. According to Kodiak Solutions' FY2023 analysis, 51% of adverse findings involved incorrect OPAIS records and 32% involved inaccurate Medicaid Exclusion File (MEF) declarations. Both are correctable through systematic review — if you have the internal capacity and expertise to conduct it.

The bad news: 68% of covered entities that were re-audited after prior violations were found continually non-compliant (ADVI, 2025). One-time fixes do not hold. 340B compliance is a continuous maintenance function, not a project.

What IHS Does for 340B Covered Entities

IHS provides end-to-end 340B program integrity services structured as a four-phase initial engagement followed by ongoing compliance maintenance.

Phase 1 — Gap Assessment & OPAIS Forensic Review (Weeks 1–4)

We begin with a forensic review of your OPAIS registration: every child site, every contract pharmacy, and every Medicare Cost Report cross-reference. We verify that your Authorizing Official contact information is current, that terminated contract pharmacies have been properly closed, and that your MCR filing dates align with OPAIS records. We also pull a large sample of recent 340B dispensations and trace them against EHR records to identify systemic diversion or eligibility gaps.

Phase 2 — Policy & Procedure Development (Weeks 5–8)

We conduct a full overhaul of your written Policies and Procedures manual. HRSA auditors expect your P&P to accurately reflect actual workflows — a gap between written policy and operational practice is itself an adverse finding. We update or draft from scratch policies covering: patient eligibility logic, Medicaid carve-in/carve-out workflows, contract pharmacy oversight protocols, inventory management (virtual replenishment vs. physical separation), GPO prohibition compliance (DSH, PED, CAN entities), and orphan drug exclusion rules (CAH, SCH, RRC entities).

Phase 3 — Operational Remediation (Weeks 9–12)

We work with your TPA software vendor to correct NDC crosswalk configurations and accumulation multipliers. We update your HRSA Medicaid Exclusion File with current carve-in/carve-out declarations. We formally terminate any non-compliant or closed contract pharmacies from OPAIS. Where EHR charting practices are creating inadvertent diversion risk — particularly at the inpatient/outpatient admission boundary — we provide structured remediation protocols for clinical staff.

Phase 4 — Mock HRSA Audit (Weeks 13–16)

We conduct a simulated HRSA audit using the Bizzell Group's documented methodology. This includes random NDC sampling traced through your TPA software and EHR to verify eligible outpatient encounters with credentialed prescribers, OPAIS record verification, P&P compliance assessment, and MEF accuracy review. You receive a written findings report structured identically to what HRSA would produce — including adverse finding designations where warranted — so you can remediate before a real audit occurs.

Phase 5 — Corrective Action & Continuous Maintenance (Ongoing)

Where mock audit findings require corrective action, we develop and execute the CAP. Following initial engagement completion, IHS offers retainer-based continuous maintenance: monthly prescription sampling, quarterly OPAIS reconciliation, support for HRSA's 15-day quarterly registration windows, annual recertification preparation, and immediate-response support if HRSA selects your entity for audit.

Entity-Type Differences Matter

340B compliance is not uniform. The rules that apply to a Disproportionate Share Hospital are materially different from those governing a Federally Qualified Health Center, a Critical Access Hospital, or a Ryan White HIV/AIDS clinic. IHS structures every engagement around your entity type.

• DSH Hospitals: GPO prohibition applies to covered outpatient drugs. Highest volume entity type ($64.13 billion, 78.7% of 2024 program purchases). Most complex contract pharmacy arrangements. State transparency mandate reporting requirements where applicable.
• FQHCs: No GPO prohibition. Patient definition challenges with mobile and satellite service delivery locations. Annual independent contract pharmacy audit requirement. $4.74 billion in 2024 purchases (5.8% of total).
• Critical Access Hospitals / SCH / RRC: Orphan drug exclusion applies — these entity types cannot purchase designated orphan drugs at 340B prices. This is a frequently missed compliance point.
• Ryan White Clinics: Patient definition is particularly strict — the prescriber-entity relationship and medical record maintenance requirements require careful operational protocols.

The 2025–2026 Regulatory Environment Increases Risk

Three regulatory developments are directly increasing 340B compliance complexity in 2025–2026:

1. CMS CY 2026 OPPS Drug Acquisition Cost Survey: Beginning January 1, 2026, OPPS hospitals must submit NDC-level pricing data distinguishing 340B and non-340B acquisitions. Failure to maintain this granularity risks loss of drug packaging reimbursements.
2. Medicare Part D Inflation Rebate Exclusion: Starting January 1, 2026, 340B units must be explicitly excluded from inflation rebate calculations — forcing end-to-end unit traceability that many TPA configurations do not currently support.
3. Post-Loper Bright Manufacturer Restrictions: The Supreme Court's 2024 Loper Bright decision overturned Chevron deference, weakening HRSA's authority to compel manufacturer participation in contract pharmacy arrangements. Over 20 states have enacted or introduced laws protecting covered entities, but the federal enforcement landscape is actively contested. Covered entities need compliance strategies that account for manufacturer restriction risk.