340B HRSA Audit Preparation Guide
Last updated: April 2026
63% of covered entities audited by HRSA in FY2023 received adverse findings. 68% of entities re-audited after prior violations were found continually non-compliant. This guide covers how HRSA selects entities, what The Bizzell Group audits, the 10 most common findings, and the preparation steps that change those outcomes.
340B Program Integrity: What Is at Stake
The 340B Drug Pricing Program generated $81.4 billion in covered entity purchases in 2024 — a 23% year-over-year increase from $66.3 billion in 2023 (HRSA Office of Pharmacy Affairs, 2025). The gap between WAC list prices and 340B discounted prices paid by covered entities was $66.4 billion in 2024 (Drug Channels Institute, 2025).
That scale of program benefit makes federal enforcement a standing priority. HRSA conducts approximately 200 audits per year through its contracted audit firm, The Bizzell Group, covering roughly 0.33% of the 60,000+ registered covered entity sites annually (ADVI, 2025). Approximately 90% of those audits are risk-targeted, not random.
The consequences of adverse findings range from corrective action plan requirements and financial repayment to manufacturer suspension of 340B access, program termination, and in cases involving fraud, OIG referral. The 68% re-audit failure rate (46 of 68 re-audited entities found continually non-compliant, ADVI, 2025) indicates that the standard response to findings — filing a CAP — is not sufficient without genuine operational remediation.
What Triggers a HRSA 340B Audit
Approximately 90% of HRSA 340B audits are risk-targeted — selected based on HRSA's proprietary risk criteria, not random assignment. Understanding the known risk factors is the first step in audit readiness.
Prior Adverse Audit History
Entities with prior adverse findings and incomplete remediation face substantially elevated re-audit risk. The 68% re-audit failure rate (ADVI, 2025) reflects both re-selection bias and inadequate CAP execution. A prior finding without substantive operational change is a near-certain re-audit trigger.
Stakeholder Tip Submissions
Approximately 10% of audits originate from stakeholder tip submissions — manufacturers, former employees, contract pharmacies, or Medicaid agencies. Manufacturer relationships are particularly active following the Loper Bright decision. A manufacturer that has restricted your contract pharmacy access may also be monitoring for compliance violations.
OPAIS Data Anomalies
HRSA has direct visibility into OPAIS registration data. Anomalies — terminated child sites still appearing active, contract pharmacies without updated termination dates, MCR alignment gaps — are visible to HRSA before an auditor arrives. Keeping OPAIS accurate is not just compliance; it is audit risk management.
Large Contract Pharmacy Networks
Entities with large numbers of registered contract pharmacies face proportionally higher audit scrutiny. The patient definition compliance challenge scales with contract pharmacy volume — more pharmacies means more opportunities for dispensation to ineligible patients and more required independent oversight audits.
Entity Type Risk Factors
DSH hospitals — which represent 78.7% of 340B purchase volume ($64.13 billion in 2024, HRSA) — are subject to the GPO prohibition and face the most complex contract pharmacy arrangements. FQHCs with satellite and mobile service delivery present patient definition complexity. CAHs and SCHs face orphan drug exclusion requirements that are frequently misconfigured in TPA software.
Significant Operational Changes
Mergers, acquisitions, new clinic openings, contract pharmacy additions or removals, billing system changes, and carve-in/carve-out election changes are all periods of elevated compliance risk. Operational change requires synchronized OPAIS updates, MEF revisions, P&P updates, and TPA reconfiguration — failing to complete all four creates compounding gaps.
The HRSA 340B Audit Process: Phase by Phase
HRSA audits are conducted by The Bizzell Group under HRSA contract. The process follows a structured sequence — understanding each phase enables targeted preparation.
Notification and Data Request List (DRL)
HRSA notifies the entity of audit selection — typically with a short notification window of 2 to 4 weeks before the audit begins. Simultaneously, HRSA issues a Data Request List specifying the documents required for the desktop review phase.
Typical DRL contents:
- Current OPAIS registration printouts for all child sites and contract pharmacies (active and terminated within the audit period)
- Complete Policies and Procedures manual
- Current HRSA Medicaid Exclusion File declarations
- TPA software configuration documentation: NDC crosswalks, accumulation multipliers, patient definition parameters
- Sample 340B dispensation data — typically 12 months of transaction-level data
- Prescriber credentialing and employment/contract documentation for providers in the dispensation sample
- Contract pharmacy agreements for all registered locations
- Independent annual external audit reports for all contract pharmacies
- Medicare Cost Report documentation
Desktop Review
Bizzell Group auditors conduct a document review of all submitted DRL materials before any on-site engagement. The desktop review phase typically spans 4 to 6 weeks.
Auditors review: OPAIS registration accuracy and completeness, P&P alignment with HRSA statutory and guidance requirements, MEF accuracy relative to billing records, TPA software configuration logic, and contract pharmacy agreement terms against HRSA oversight requirements.
The desktop review generates a preliminary findings list that is used to focus the on-site or remote audit procedures.
On-Site or Remote Audit Procedures
On-site audit procedures typically take 2 to 5 business days of active auditor engagement. Remote audits (conducted via secure document sharing and video) have become more common since 2020 and follow the same substantive scope.
The core audit procedure is NDC-level transaction tracing: auditors randomly select dispensations from the submitted transaction sample and trace each one through the TPA software and EHR to verify:
- The dispensation involved an eligible outpatient encounter
- The prescribing provider was employed by or under a qualifying contract with the covered entity
- The covered entity maintained the patient's healthcare records
- The prescription addressed a condition for which the covered entity provided care
- The patient was not an inpatient or observation-to-inpatient at the time of drug administration
Auditors also conduct interviews with entity staff responsible for 340B program administration — the 340B Director, Authorizing Official, pharmacy leadership, and billing staff. Interview responses are evaluated for consistency with written P&P and operational records.
Preliminary Findings and Entity Response
Following audit procedures, The Bizzell Group issues preliminary findings to the entity. The entity has an opportunity to submit a written response — typically 30 days — addressing each preliminary finding with documentation or context that may affect the final designation.
The preliminary response period is not an opportunity to retroactively fix compliance gaps — it is an opportunity to provide documentation that was not in the original DRL submission or to clarify auditor misinterpretations of operational practices. Entities that attempt to submit retroactive OPAIS corrections or P&P revisions during the response period are typically unsuccessful.
Final Findings and Corrective Action Plan
HRSA issues final audit findings. For each adverse finding, the entity must develop and submit a Corrective Action Plan within HRSA's specified timeframe. HRSA reviews and approves CAPs, and may conduct follow-up monitoring or re-audit to verify implementation.
Adverse findings may also require financial repayment to affected manufacturers for diversion or duplicate discount violations. HRSA facilitates the repayment process but does not publish the associated dollar amounts.
The 10 Most Common HRSA 340B Audit Findings
Based on Kodiak Solutions' FY2023 HRSA 340B Audit Findings Summary (2025) and HRSA's FY2022 audit results, these are the documented finding categories in order of prevalence.
Incorrect 340B OPAIS Records
The most common finding. Includes: duplicate registrations, incorrect shipping addresses, outdated Authorizing Official contact information, failure to terminate closed contract pharmacies, and failure to synchronize Medicare Cost Report filing dates/cost reporting periods in OPAIS. OPAIS accuracy requires active maintenance through each quarterly 15-day registration window.
Prevention: Designate a specific individual responsible for quarterly OPAIS reconciliation. Build a calendar trigger for all four registration windows. Maintain a running log of operational changes that require OPAIS updates.
Inaccurate or Incomplete Medicaid Exclusion File (MEF)
MEF declarations in OPAIS do not match actual Medicaid billing practices. This typically occurs when billing operations change (new contract pharmacy arrangements, billing system migrations, carve-in/carve-out election changes) without a corresponding MEF update in the next quarterly window. The result is duplicate discount liability for the period of inaccuracy.
Prevention: Any operational change affecting Medicaid billing should trigger an automatic MEF review. Do not allow a quarterly window to pass without verifying that MEF declarations match current billing practices at every child site and contract pharmacy location.
Diversion: Dispensing to Ineligible Off-Site Locations
340B drugs dispensed at contract pharmacies for prescriptions written at off-site clinic locations that are not registered as child sites in OPAIS. Common when entities expand clinical operations faster than they update their OPAIS child site registrations. New clinics, acquired practices, and telehealth expansion are high-risk scenarios.
Prevention: No clinical service location should generate 340B-eligible prescriptions until it is registered as a child site. Build a formal process for evaluating new service locations against OPAIS registration requirements before operations begin.
Diversion: Inpatient Dispensing
340B drugs dispensed to patients whose EHR status at the time of drug administration was inpatient or observation crossing into inpatient admission. The 340B program covers covered outpatient drugs only — inpatient admissions are not eligible. The inpatient/outpatient boundary is particularly complex when outpatient chemotherapy or specialty drug administration sessions overlap with hospital admission decisions.
Prevention: TPA software must be configured to cross-reference patient admission status at the time of drug administration, not just at the time of prescription. EHR charting protocols must clearly document outpatient status. Clinical staff need specific training on the compliance implications of observation-to-inpatient status changes.
Diversion: Provider Ineligibility
Prescriptions written by providers who are not employed by or under a qualifying contract with the covered entity — or where the entity does not maintain the patient's underlying healthcare records. Common in health system settings where community providers with hospital privileges write prescriptions that are accumulated as 340B without meeting the patient definition's prescriber-entity relationship requirement.
Prevention: Maintain a current credentialing roster of all providers whose prescriptions are eligible for 340B accumulation, synchronized with the TPA software's approved prescriber list. Annual reconciliation of the approved prescriber list against employment and contractor records is a minimum requirement.
GPO Prohibition Violations
Applies to DSH hospitals, Children's Hospitals (PED), and Free-standing Cancer Centers (CAN) only. These entity types are cited for illegally purchasing covered outpatient drugs through a Group Purchasing Organization while also using 340B pricing for those same drugs. The violation typically involves inadequate separation of GPO and non-GPO purchasing accounts at the NDC level.
Prevention: Maintain strictly separated purchasing accounts with clear documentation of which NDCs are purchased through which channel. TPA software configuration must enforce GPO/340B account separation. Written P&P must specifically address GPO prohibition compliance with operational procedures — not just a statement that the prohibition applies.
Orphan Drug Exclusion Violations
Applies to CAH, SCH, and RRC entities only. These entity types are cited for improperly purchasing FDA-designated orphan drugs at 340B prices. As specialty drug volume has grown — 61.5% ($50.1 billion) of 2024 340B purchases were specialty/high-cost drugs (HRSA, 2025) — the probability that an affected entity is inadvertently purchasing orphan drugs at 340B prices has increased.
Prevention: TPA software NDC crosswalks must be configured to exclude FDA orphan drug designations for affected entity types. Designate a responsible party for quarterly review of FDA orphan drug designation updates and TPA crosswalk maintenance.
Failure of Contract Pharmacy Oversight
HRSA requires covered entities to conduct independent annual external audits of all registered contract pharmacies. Failure to conduct these audits — or conducting them with a non-independent party (such as the contract pharmacy itself or the TPA software vendor) — is an adverse finding. With approximately 32,000 contract pharmacy locations registered nationally (Drug Channels Institute, 2025), this is a significant ongoing compliance obligation for entities with large contract pharmacy networks.
Prevention: Build an annual audit calendar for all contract pharmacy locations. Engage an independent auditor — not the pharmacy, not the TPA vendor. Document audit scope, methodology, findings, and any corrective actions taken. Maintain audit reports in a centralized location included in your DRL documentation package.
Inadequate or Outdated Policies and Procedures Manual
Written P&P that does not accurately reflect actual operational workflows for patient definition, Medicaid billing, and inventory management. HRSA auditors compare written policies against operational practice — a P&P that describes processes the entity no longer uses, or that omits current practices, is itself an adverse finding. Particularly common when entities update operations but not documentation.
Prevention: Treat the P&P manual as a living document with a defined revision cycle. Any operational change — new TPA configuration, new contract pharmacy arrangement, billing practice change — should trigger a P&P review within 90 days. Annual full review and Authorizing Official attestation is a minimum standard.
Incorrect Medicare Cost Report Alignment
Failure to update MCR filing dates and cost reporting periods in OPAIS. Child site eligibility is technically tied to the covered entity's DSH percentage as documented in its Medicare Cost Report. When MCR filing periods change and OPAIS is not updated to reflect the current cost reporting period, child site eligibility is technically invalidated — even if the entity's DSH percentage remains qualifying. This is an administrative compliance point that requires a specific synchronization process between finance/MCR filing and OPAIS maintenance responsibilities.
Prevention: Assign explicit cross-functional ownership: the finance team or MCR consultant must notify the 340B Director at every MCR filing, and the 340B Director must update OPAIS in the next quarterly window. This is a two-department handoff that fails when there is no defined process.
340B Audit Preparation Checklist
This checklist covers the core preparation areas for HRSA audit readiness. It is organized by domain and reflects the HRSA Data Request List categories and audit methodology. Entities should be able to answer "yes" to every item — not when audit notification arrives, but at all times.
OPAIS Registration
- All active child sites are registered in OPAIS with current shipping addresses and contact information
- All closed, relocated, or deactivated child sites have been formally terminated in OPAIS as of their actual closure date
- All active contract pharmacies are registered in OPAIS with current information
- All closed or de-activated contract pharmacy arrangements have been formally terminated in OPAIS
- Authorizing Official contact information is current in OPAIS (name, title, phone, email)
- Medicare Cost Report filing dates and cost reporting periods in OPAIS match the most recently filed MCR
- A specific individual is assigned responsibility for OPAIS reconciliation at each quarterly registration window
- A log is maintained of operational changes that require future OPAIS updates
Medicaid Exclusion File (MEF)
- Carve-in/carve-out declarations in OPAIS match actual Medicaid billing practices at every child site and contract pharmacy
- MEF has been reviewed and verified within the current calendar quarter
- Any changes to carve-in/carve-out elections have been submitted during the appropriate quarterly registration window
- A defined process exists for triggering MEF review when billing practices change
Policies and Procedures Manual
- P&P manual has been reviewed and updated within the last 12 months
- P&P accurately reflects current patient eligibility criteria as configured in TPA software — definitions are aligned, not contradictory
- P&P covers Medicaid carve-in/carve-out workflows and MEF update procedures
- P&P covers inventory management (virtual replenishment vs. physical separation) as actually practiced
- P&P covers contract pharmacy oversight requirements including annual independent audit obligations
- P&P includes noncompliance and material breach definitions with self-disclosure procedures
- P&P includes program education and staff competency requirements with documentation protocols
- For DSH, PED, CAN: P&P includes GPO prohibition compliance with operational account separation procedures
- For CAH, SCH, RRC: P&P addresses orphan drug exclusion with NDC-level compliance protocols
- Authorizing Official has reviewed and attested the current P&P
Patient Eligibility and Diversion Prevention
- TPA software approved prescriber list is current and reconciled against employment and contractor records within the last 6 months
- Every clinical service location generating 340B-eligible prescriptions is registered as a child site in OPAIS
- TPA software cross-references patient admission status at time of drug administration (not just at prescription time) to prevent inpatient diversion
- EHR charting protocols for observation-to-inpatient status changes have been reviewed with clinical staff
- Contract pharmacy dispensation parameters include patient eligibility verification against covered entity healthcare records
TPA Software Configuration
- NDC crosswalks have been reviewed and verified within the last 12 months
- Accumulation multipliers are set correctly for each inventory model in use
- Patient definition parameters in TPA software match written P&P definitions
- For CAH, SCH, RRC: TPA software is configured to exclude FDA-designated orphan drugs from 340B accumulation
- TPA software configuration documentation (NDC crosswalk files, parameter documentation) is current and retrievable for DRL response
Contract Pharmacy Oversight
- Independent annual external audit has been completed for every registered contract pharmacy within the past 12 months
- Audit reports are filed and retrievable for DRL response
- Contract pharmacy agreements are current and on file for all active locations
- A calendar is maintained for the next round of required independent contract pharmacy audits
Documentation Readiness (DRL Response)
- A designated DRL response package can be assembled within 48 hours of audit notification
- 12 months of NDC-level dispensation data is exportable from TPA software in auditor-readable format
- Prescriber credentialing and employment/contractor documentation is centralized and indexed by prescriber NPI
- All required documentation is stored in a location accessible to the 340B program administrator and compliance team
Preparation Timeline: When to Act
Audit readiness is a continuous state, not a pre-audit sprint. The following timeline reflects the realistic lead times required for each preparation activity.
Always (Continuous)
- Maintain OPAIS registration accuracy — update at each quarterly window
- Maintain MEF accuracy — review at each quarterly window and after any billing practice change
- Maintain approved prescriber list in TPA software — reconcile at least semi-annually
- Document all operational changes that require OPAIS, MEF, or P&P updates
Annually
- Conduct independent annual external audit of all registered contract pharmacies
- Complete full P&P manual review and Authorizing Official attestation
- Complete annual recertification in OPAIS
- Review TPA software NDC crosswalks and patient definition parameters
- Conduct staff training and competency documentation
Every 1–2 Years (Proactive)
- Engage an independent consultant for a full gap assessment and mock audit using Bizzell Group methodology
- Pull a dispensation sample and trace against EHR records for patient eligibility verification
- Review and update your DRL response package so it reflects current operations
- Assess state transparency mandate reporting obligations if operating in Minnesota, Colorado, Indiana, Maryland, Ohio, or other mandate states
Immediately After Audit Notification
- Engage outside counsel and compliance consultants immediately — do not respond to DRL without expert review
- Assemble DRL response package — 48-hour retrieval target
- Brief Authorizing Official and compliance leadership on audit scope and timeline
- Do not attempt retroactive OPAIS corrections or P&P revisions after notification — auditors evaluate compliance as of the audit period, and post-notification changes cannot cure pre-notification violations
- Identify and brief staff who will be interviewed by auditors
How IHS Prepares Covered Entities for HRSA Audit
IHS provides conflict-free 340B audit preparation — we are not a drug distributor and we do not sell TPA software. Our preparation engagements are structured in four phases designed to replicate what HRSA will do, before HRSA does it.
Phase 1 — Gap Assessment & OPAIS Forensic Review (Weeks 1–4)
We conduct a full forensic review of OPAIS registration accuracy, MCR cross-references, MEF declarations, and a dispensation sample review. Every finding is documented with the specific HRSA audit finding category it would generate — so you understand your risk in terms of actual audit outcomes, not abstract compliance concepts.
Phase 2 — Policy & Procedure Development (Weeks 5–8)
We fully revise or develop from scratch your P&P manual, ensuring written policies align to TPA software configuration and reflect actual operational workflows. We verify that entity-type-specific requirements (GPO prohibition, orphan drug exclusion) are specifically addressed with operational procedures, not just policy statements.
Phase 3 — Operational Remediation (Weeks 9–12)
We work with your TPA software vendor to correct NDC crosswalk and configuration gaps. We prepare and submit OPAIS corrections and MEF updates at the next quarterly window. We provide structured remediation protocols for EHR charting practices that create diversion risk at the inpatient/outpatient boundary.
Phase 4 — Mock HRSA Audit (Weeks 13–16)
We conduct a simulated HRSA audit using The Bizzell Group's documented methodology. We produce a written findings report structured identically to the format HRSA uses — including adverse finding designations where warranted. You receive a defensible record of your compliance review and the opportunity to remediate before HRSA selection.
Why Conflict-Free Independence Matters
A mock audit conducted by your TPA software vendor, your drug distributor, or any party with an economic interest in your 340B operations cannot credibly replicate HRSA's adversarial posture. The value of a mock audit depends entirely on the independence of the auditor. IHS has no interest in your outcome other than your readiness — we will designate adverse findings in a mock audit when warranted, even when the entity does not want to hear it.
Audit Preparation FAQ
How long does a HRSA 340B audit take?
A HRSA 340B audit conducted by The Bizzell Group typically spans 8 to 16 weeks from initial notification to final findings. The desktop review phase typically takes 4 to 6 weeks. On-site or remote audit procedures take 2 to 5 business days of active auditor engagement. Preliminary findings review and entity response typically take 2 to 4 additional weeks. Final findings and CAP submission follow.
What documents does HRSA request during a 340B audit?
The HRSA Data Request List (DRL) typically includes: OPAIS registration printouts, the P&P manual, current MEF declarations, TPA software configuration documentation, 12 months of dispensation data, prescriber credentialing and employment documentation, contract pharmacy agreements, independent contract pharmacy audit reports, and Medicare Cost Report documentation. Every item on this list should be current and retrievable in under 48 hours — at all times.
Can a covered entity be audited by both HRSA and a drug manufacturer?
Yes. HRSA audits covered entities for overall 340B program compliance. Separately, drug manufacturers have statutory audit rights to verify that 340B drugs are not diverted or subject to duplicate discounts. Manufacturer audits have increased following the 2024 Loper Bright decision, which weakened HRSA's authority to restrict manufacturer audit scope. The methodology differs — manufacturers focus on transaction-level verification at the NDC level — but the documentation requirements overlap significantly with HRSA DRL requirements.
What is the HRSA 340B self-disclosure process?
HRSA's OPA self-disclosure process allows covered entities to voluntarily report compliance violations before audit selection. It involves submitting a disclosure package describing the violation, its scope, affected manufacturers, financial impact, and corrective action plan. HRSA reviews and works with the entity and manufacturers on repayment. Self-disclosure generally produces more favorable outcomes than HRSA discovering the violation during an audit — but the decision to self-disclose requires careful legal and compliance analysis of scope, financial exposure, and audit risk. IHS recommends a confidential internal assessment before initiating self-disclosure.
What is a corrective action plan in the 340B context?
A CAP is a formal document submitted to HRSA following adverse findings, specifying the root cause, operational changes being implemented, responsible parties, and implementation timeline. HRSA reviews and approves CAPs. The 68% re-audit failure rate (ADVI, 2025) — 46 of 68 re-audited entities found continually non-compliant — reflects that most CAPs are filed but not effectively executed. A CAP that does not change the underlying operational process will produce the same finding in the next audit.
Ready to Prepare Before HRSA Selects Your Entity?
IHS provides conflict-free mock audits using The Bizzell Group methodology. Most compliance gaps are correctable before audit selection — not after. A gap assessment identifies your exposure in four weeks.
Request a 340B Gap Assessment