340B Compliance: Frequently Asked Questions

What is the 340B Drug Pricing Program and who administers it?

The 340B Drug Pricing Program is a federal statute (Section 340B of the Public Health Service Act, 42 U.S.C. § 256b) requiring drug manufacturers participating in Medicaid to sell outpatient drugs at significantly discounted prices to eligible healthcare organizations — called covered entities.

The program is administered by the Health Resources and Services Administration (HRSA), specifically through its Office of Pharmacy Affairs (OPA). Audits are conducted by The Bizzell Group under HRSA contract.

In 2024, 340B covered entity purchases totaled $81.4 billion — a 23% increase from $66.3 billion in 2023 (HRSA Office of Pharmacy Affairs, 2025). The list-to-340B price gap — the gross financial benefit to covered entities from discounted pricing — was $66.4 billion in 2024 (Drug Channels Institute, 2025). The program has grown at a 23.5% CAGR from 2015 through 2024.

Which types of healthcare entities are eligible as 340B covered entities?

Eligible covered entity types are defined by statute. The major categories and their 2024 purchase volumes (per HRSA's 2024 Covered Entity Purchases Report):

• Disproportionate Share Hospitals (DSH): $64.13 billion — 78.7% of total program volume
• Federally Qualified Health Centers (FQHCs): $4.74 billion — 5.8%
• Children's Hospitals (PED): $2.37 billion — 2.9%
• Sexually Transmitted Disease Clinics: $2.26 billion — 2.8%
• Rural Referral Centers (RRC): $1.84 billion — 2.3%
• Ryan White HIV/AIDS Program (Part A): $1.58 billion — 1.9%
• Critical Access Hospitals (CAH): $1.19 billion — 1.5%
• Ryan White HIV/AIDS Program (Part C): $0.81 billion — 1.0%
• Free-standing Cancer Centers (CAN): $0.60 billion — 0.7%
• Sole Community Hospitals (SCH): $0.55 billion — 0.7%

Each entity type has different eligibility criteria and different compliance obligations. The GPO prohibition applies only to DSH, PED, and CAN. The orphan drug exclusion applies only to CAH, SCH, and RRC. These distinctions drive materially different audit risk profiles.

What is 340B OPAIS and why do OPAIS errors cause HRSA audit findings?

OPAIS — the Office of Pharmacy Affairs Information System — is HRSA's registration database for the 340B program. Every covered entity, child site, and contract pharmacy must be registered and maintained in OPAIS.

OPAIS errors are the single most common cause of adverse audit findings: 51% of FY2023 adverse findings involved incorrect OPAIS records (Kodiak Solutions FY23 HRSA 340B Audit Findings Summary, 2025).

Common OPAIS errors include:

• Duplicate registrations
• Incorrect or outdated shipping addresses
• Outdated Authorizing Official contact information
• Failure to terminate closed or non-operating contract pharmacies
• Failure to update Medicare Cost Report (MCR) filing dates in OPAIS — entities must keep MCR cost reporting periods synchronized with OPAIS records, or child site eligibility is technically invalidated

OPAIS maintenance requires ongoing attention through HRSA's quarterly 15-day registration windows (January 1–15, April 1–15, July 1–15, October 1–15).

What is the HRSA Medicaid Exclusion File and how does it work?

The HRSA Medicaid Exclusion File (MEF) is a required declaration in OPAIS specifying for each child site and contract pharmacy whether Medicaid patients are "carved in" to 340B or "carved out."

• Carve-in: The entity uses 340B pricing for Medicaid patients and excludes those claims from manufacturer rebate requests. The entity captures the 340B discount; manufacturers do not also provide a Medicaid rebate.
• Carve-out: Medicaid billing proceeds normally. 340B pricing is not used for Medicaid patients. Manufacturers provide the standard Medicaid rebate.

Inaccurate or incomplete MEF declarations were the second most common adverse finding in FY2023, accounting for 32% of adverse findings (Kodiak Solutions, 2025). MEF must be updated during the quarterly registration windows when carve-in/carve-out elections change.

How does HRSA select covered entities for 340B audits?

HRSA conducts approximately 200 audits per year through The Bizzell Group — roughly 0.33% annual coverage of the 60,000+ registered sites (ADVI, 2025).

Approximately 90% of audits are risk-targeted based on HRSA's proprietary selection criteria — not random selection. Known risk factors include:

• Tip submissions from manufacturers, former employees, or other stakeholders
• OPAIS data anomalies or gaps
• Complexity and volume of contract pharmacy arrangements
• Entity size, purchase volume, and entity type
• Prior adverse audit history — re-audit risk is significantly elevated

The re-audit failure rate is severe: 68% of covered entities re-audited after prior violations were found continually non-compliant — 46 of 68 re-audited entities (ADVI, 2025). Prior violations with incomplete remediation are among the strongest risk factors for re-selection.

What happens during a HRSA 340B audit?

HRSA audits conducted by The Bizzell Group follow a structured process:

1. Notification and Data Request List (DRL): HRSA notifies the entity (often with short notice) and issues a DRL specifying the documentation required — typically including OPAIS records, P&P manual, MEF declarations, TPA software configuration documentation, sample NDC-level dispensation data, prescriber credentials and employment documentation, and contract pharmacy audit reports.
2. Desktop review: Bizzell reviews submitted documentation against HRSA requirements before any on-site visit.
3. On-site or remote audit: Auditors trace randomly selected NDC transactions through the TPA software and EHR to verify eligible outpatient encounters with credentialed prescribers. OPAIS records, P&P, and MEF are reviewed in depth.
4. Preliminary findings: The entity receives a findings report and opportunity to respond.
5. Final findings and CAP: HRSA issues final audit findings. For adverse findings, the entity must develop and submit a Corrective Action Plan.

What happens if HRSA finds violations during a 340B audit?

Adverse findings trigger a formal corrective action process. For each finding, the entity must submit a Corrective Action Plan (CAP) to HRSA.

Financial repayment to affected manufacturers may be required for diversion or duplicate discount violations. HRSA publishes findings but not associated repayment amounts — those are negotiated case by case.

Escalating consequences for serious or unresolved noncompliance include:

• Mandatory quarterly reporting and increased oversight monitoring
• Suspension of 340B program participation
• Termination from the 340B program
• Referral to the HHS Office of Inspector General or Department of Justice in fraud cases

The 68% re-audit failure rate (ADVI, 2025) indicates that filing a CAP without genuine operational remediation does not resolve the underlying risk. Entities that submit CAPs without substantive process changes are re-selected and re-fail at high rates.

What is a 340B self-disclosure and when should a covered entity use it?

HRSA's OPA self-disclosure process allows covered entities to proactively report compliance violations, repay affected manufacturers, and remediate before HRSA audit selection.

Self-disclosure is generally appropriate when an internal review uncovers a systematic violation — particularly diversion or duplicate discounts — that is quantifiable, has been ongoing, and can be fully remediated with a CAP. Self-disclosure typically produces more favorable outcomes than HRSA discovering the same violation during an audit.

Self-disclosure requires careful preparation: a clear scope of the violation, a financial calculation of affected units and manufacturers, a credible remediation plan, and assessment of whether HRSA may have already flagged the entity for audit. IHS recommends conducting a confidential internal assessment before initiating the self-disclosure process.

What is the difference between a HRSA audit and an independent 340B compliance audit?

HRSA audit: Official government audit by The Bizzell Group. Adversarial. Produces binding findings requiring CAP submission, potential repayment, and potential program consequences. Short notice or unannounced.

Independent compliance audit (mock audit): Voluntary, conducted by a third-party consultant replicating the HRSA methodology. Findings are confidential to the entity. Purpose is to identify and remediate gaps before HRSA selection.

Required independent contract pharmacy audit: Separate from mock audits — HRSA requires covered entities to conduct an independent annual external audit of every registered contract pharmacy. This is a mandatory compliance obligation, not optional preparation. Failure to conduct it is itself an adverse finding.

All independent audit functions require a conflict-free auditor. A TPA software vendor or drug distributor cannot credibly serve this role.

What is diversion in 340B and how does it happen inadvertently?

Diversion occurs when a covered entity dispenses 340B-priced drugs to patients who are not eligible under the statutory 340B patient definition. The definition requires three elements: (1) the individual receives healthcare from a provider employed by or under contract with the covered entity; (2) the covered entity maintains the patient's health records; (3) the prescription addresses a condition for which the entity provided treatment.

Common inadvertent diversion scenarios:

• Unregistered off-site locations: Dispensing to patients seen at a clinic location not registered as a child site in OPAIS
• Inpatient/outpatient boundary: Dispensing to patients whose hospital status crossed from outpatient to inpatient or observation-to-inpatient — inpatient drugs are not covered by 340B
• Provider ineligibility: Prescriptions from providers not employed or properly contracted with the entity, or who lack a qualifying relationship under the patient definition
• Contract pharmacy patient leakage: Contract pharmacy dispensations for patients whose primary healthcare records are maintained at a different health system

What is a duplicate discount in 340B and how does it differ from diversion?

A duplicate discount occurs when an entity receives both the 340B discounted purchase price and a Medicaid rebate from the manufacturer on the same drug unit dispensed to a Medicaid patient. Manufacturers are not required to provide both benefits for the same unit.

Diversion involves dispensing to an ineligible patient — the issue is patient eligibility.

A duplicate discount involves billing Medicaid for a drug purchased at 340B prices when the entity declared carve-out status on the MEF — the issue is billing/pricing consistency. Inaccurate MEF declarations — where the entity's actual billing practice doesn't match its declared carve-in/carve-out status — accounted for 32% of FY2023 adverse findings (Kodiak Solutions, 2025).

How do contract pharmacy arrangements create 340B compliance risk?

Contract pharmacies now number approximately 32,000 locations — nearly 60% of the entire U.S. retail pharmacy industry (Drug Channels Institute, 2025). Each arrangement creates compliance risk across three dimensions:

• Patient definition compliance: Verifying that every prescription dispensed at a contract pharmacy meets the eligible patient criteria is operationally complex, particularly for large health systems with geographically dispersed care delivery
• Required independent audits: HRSA requires covered entities to conduct independent annual external audits of all registered contract pharmacies. Failure is itself an adverse finding.
• Manufacturer restrictions: Post-Loper Bright (2024), manufacturers have stronger legal standing to restrict contract pharmacy access. Over 20 states have enacted or introduced protection laws, but the federal landscape is actively contested.

What is the GPO prohibition and which entity types does it apply to?

The GPO prohibition prevents certain covered entity types from purchasing covered outpatient drugs through a Group Purchasing Organization (GPO) and simultaneously using 340B pricing for those same drugs.

Applies to: Disproportionate Share Hospitals (DSH), Children's Hospitals (PED), and Free-standing Cancer Centers (CAN).

Does not apply to: FQHCs, CAHs, SCHs, RRCs, Ryan White clinics, or STD clinics.

GPO prohibition violations are a documented HRSA audit finding category. Large health systems that include both DSH and non-DSH facilities must maintain carefully separated purchasing processes.

What is the orphan drug exclusion and which entity types does it apply to?

The orphan drug exclusion prohibits certain entity types from purchasing FDA-designated orphan drugs at 340B prices.

Applies to: Critical Access Hospitals (CAH), Sole Community Hospitals (SCH), and Rural Referral Centers (RRC).

This exclusion is frequently missed as specialty drug volume has expanded — 61.5% ($50.1 billion) of 340B purchases in 2024 were specialty/high-cost drugs (HRSA, 2025), many of which carry orphan drug designations. Entities subject to this exclusion must configure TPA software to exclude FDA-designated orphan drugs from 340B accumulation and maintain NDC-level exclusion documentation.

What does the Loper Bright Supreme Court decision mean for 340B covered entities?

The Supreme Court's 2024 Loper Bright Enterprises v. Raimondo decision overturned Chevron deference — courts no longer automatically defer to federal agencies' interpretations of ambiguous statutes.

For 340B covered entities, the immediate impact is on manufacturer contract pharmacy restrictions. Manufacturers that have restricted contract pharmacy access (AbbVie, AstraZeneca, Eli Lilly, and others) now have stronger legal footing, since courts no longer defer to HRSA's position that manufacturers must permit unlimited contract pharmacy arrangements. Over 20 states have enacted or introduced laws protecting covered entities, but federal enforcement authority is weakened.

The broader implication: HRSA's interpretive guidance carries less judicial weight across all 340B compliance issues. This creates uncertainty requiring more robust documentation of compliance intent — entities cannot rely on the interpretation that "HRSA would approve this" as adequate defense.

What is the 340B Rebate Model Pilot and what is its current status?

HRSA proposed a 340B Rebate Model Pilot that would shift the discount mechanism from upfront point-of-sale discounts to retrospective rebates for certain high-cost drugs under the Inflation Reduction Act.

On December 29, 2025, a federal district court (Judge Lance Walker, U.S. District Court of Maine) issued a preliminary injunction halting the pilot nationwide. HRSA appealed. An HRSA Request for Information is open until April 20, 2026.

If implemented, the rebate model would significantly impact covered entity cash flow — entities would pay WAC list prices upfront and receive rebates after the fact. Litigation is ongoing as of 2026.

What are the new 2026 compliance requirements affecting 340B covered entities?

Two major new requirements took effect January 1, 2026:

• CMS CY 2026 OPPS Drug Acquisition Cost Survey: OPPS hospitals (primarily DSH entities) must submit NDC-level pricing data to CMS distinguishing 340B and non-340B acquisitions. Failure to maintain this granularity risks loss of drug packaging reimbursements. This is a new operational and reporting function most entities are not yet fully configured for.
• Medicare Part D Inflation Rebate Exclusion: 340B units must be explicitly excluded from Medicare Part D inflation rebate calculations, requiring end-to-end unit traceability that many TPA configurations do not currently support natively.

Additionally, at least 10 states now have statutorily mandated 340B reporting requirements, with more expected in 2026. Minnesota was the first (2023); Colorado, Indiana, Maryland, Ohio, and others have followed.

Does 340B TPA software guarantee compliance?

No. TPA software (Sentry, Macro Helix, CaptureRx, Verity Solutions, 340Best InfoPoint) automates the identification and accumulation of 340B-eligible transactions — but the 63% adverse findings rate in FY2023 and 70% non-compliance rate in FY2022 occurred at entities that all had TPA software in place.

Software cannot maintain your OPAIS registration, update your MEF, write or revise your P&P manual, verify that patient eligibility logic matches operational reality, or conduct required independent contract pharmacy audits. TPA configuration errors — incorrect NDC crosswalks, misconfigured accumulation multipliers, wrong patient definition parameters — are a source of compliance risk requiring independent review.

Software is a necessary compliance tool. Compliance is an organizational function requiring human expertise.

How much does 340B compliance consulting cost?

Based on market data from active RFP processes and published firm positioning:

• Mock audits (project-based): $50,000–$150,000 per engagement, scaling with number of child sites and registered contract pharmacies
• Monthly retainers (strategic advisory and continuous maintenance): Up to $25,000/month for premium full-service firms
• Hourly/time-and-materials: Used for ad-hoc advisory, emergency audit response, or staff augmentation

These costs should be weighed against the program value at stake — the average DSH hospital receives tens of millions in annual 340B program benefit, and program suspension or termination would eliminate that entirely.