Best Practices to Prepare for a 340B Audit

November 2020 - Vol.17 No. 11 - Page #8
Category: 340B Software

Q&A with Gerald Offei-Nkansah, PharmD, MBA, MS; Robert M. Rose, PharmD, MS; Samuel M. Eberwein, PharmD, MS, BCPS, BCSCP; Mark Lyons, RPh, MS; Mara Pickard, BS; and Roya Tran, PharmD, MS, ACE


Established in November 1992 by the Veterans Health Care Act and codified as Section 340B, the 340B Drug Pricing Program allows federally qualified organizations, known as covered entities supporting the most vulnerable patients, to purchase outpatient medications at a discounted rate from manufacturers in order to stretch scarce federal resources.1 Since its inception, the 340B program has been instrumental in improving the access and quality of care to vulnerable patient populations in the United States.2 To participate in the 340B program, covered entities and manufacturers must follow complex regulations outlined by the Veterans Health Care Act of 1992.3

The Health Resources and Services Administration (HRSA) is the federal agency that administers the 340B program. In 2011, The US Government Accountability Office (GAO) published guidance requesting HRSA increase program surveillance, citing the recent growth in the number of covered entities and the lack of governmental audits. The GAO recommended that HRSA initiate audits of covered entities to deter potential diversion and misuse of the program. In direct response to the GAO recommendation, HRSA began conducting audits of covered entities and manufacturers in 2012.4 Audits have now become a routine part of HRSA’s 340B governance strategy.

UNC Hospitals, a state-sponsored academic medical center, meets the criteria for disproportionate share hospitals and participates in the 340B drug pricing program to stretch scarce resources and provide care for vulnerable populations across the state of North Carolina.

PP&P: What should a covered entity expect prior to a 340B audit?

University of North Carolina Hospitals: HRSA informs covered entities they have been selected for a 340B audit by emailing an engagement letter. As the covered entity’s Authorizing Official (AO) and Primary Contact (PC) will receive this email, it is imperative that the AO and PC maintain accurate and up-to-date contact information in the Office of Pharmacy Affairs Information System (OPAIS), and regularly monitor their email. The engagement letter outlines what the covered entity can expect throughout the audit process. Before the on-site audit, HRSA or its contracted designee will request a conference call to detail expectations and next steps. Conference call attendees should include pharmacy department leadership, one or more members of the institution’s 340B compliance team, pharmacy purchasing staff, and a member of the organization’s risk or legal team. Generally, HRSA expects to be in contact with the covered entity within 24 hours of initial notification to schedule a conference call at a future date.

Following the initial contact, HRSA or their contracted auditors will send a data request list prior to their visit. This list itemizes what data needs to be provided prior to the audit and is typically due 1 month after the initial contact.5

HRSA designs an audit to be “The minimum time necessary with the minimum intrusion on the covered entity’s operation.”6 However, the audit duration may vary. In addition to any requested 340B program information, covered entities should provide the following accommodations while the auditors are onsite:

  • An enclosed, lockable working space
  • Internet access
  • Access to a telephone, fax machine, and photocopier
  • Parking

In response to the COVID-19 pandemic, HRSA has conducted virtual audits in 2020. It is unclear how long virtual audits will continue at this time.

PP&P: How regularly does HRSA conduct audits on covered entities?

UNC: There is no clear guidance from HRSA on how often they conduct audits on covered entities. However, a review of HRSA’s publicly posted aggregate audit results for program integrity (available on their website) reveals that HRSA completes roughly 200 audits per year (see TABLE 1). Regardless of the likelihood of an immediate audit, covered entities should maintain an audit-ready state at all times.7,8

PP&P: What are the key areas of documentation to focus on?

UNC: Proper documentation of 340B compliance is an expectation of program participation. Covered entities should ensure that there is a process to create, document, maintain, and review internal policies and procedures. Apexus, a company contracted with HRSA to provide 340B education to covered entities, has published a useful tool, the HRSA 340B Audit Data Request for Covered Entities, which outlines the core documentation and policies that are typically requested prior to a HRSA audit. Covered entities may utilize this document when assessing standard documentation practices and program compliance.5 Trends in audit findings are also an excellent metric to identify key focus areas. The most common Office of Pharmacy Affairs (OPA) audit findings in 2019 were6:

  • Incorrect information on the 340B OPAIS record
  • Duplicate discounts
  • 340B drug diversion
  • Inaccurate or incomplete information on the Medicaid exclusion file

PP&P: How can covered entities prepare for an audit?

UNC: It is recommended that the covered entity, and any pharmacies engaging in a contractual relationship with the covered entity, have documented protocols that outline key policies and procedures for 340B compliance. These policies and procedures should provide clear guidelines outlining the expected processes for executing core functions impacting 340B drug inventory, purchasing, and billing. The policies and procedures should be reviewed routinely and prior to an audit to ensure the documents are accurate and up-to-date. During an audit, covered entities should expect these documents will be requested by the auditors.

Performing internal audits is a key method for maintaining audit preparedness. Internal audits can identify and correct 340B compliance gaps and inform better procedures for ongoing compliance. It is important for covered entities to conduct these on a routine basis, auditing as many areas as possible to ensure a constant state of compliance. Auditors may regard internal audits as a core part of the covered entity’s duty to maintain compliance and even ask about internal audit procedures and their frequency. Internal audits should encompass a variety of areas, including:

  • Verify that the registration for the entity’s and any child sites is up-to-date and listed correctly in the OPAIS database
  • Perform transaction eligibility testing for mixed-use and contract pharmacy settings:
    • Evaluate the documentation of a prescription or medication order with an associated date of service in the medical record
    • Review evidence that the order or prescription was written by a qualifying provider
    • Confirm that the dispense occurred in an eligible location
    • Verify that the dispense occurred for a patient with outpatient status
  • Review policies and procedures for each process impacting the 340B program, such as:
    • Contracting and procurement
    • Inventory management
    • Accumulation and charge processes
    • Contract pharmacy oversight
    • Prevention of duplicate discounts
    • Billing according to any 340B specific procedures (eg, Medicaid)
  • Reconcile inventory and purchases made under each purchasing account
  • Ensure the process for recertification is clearly outlined
  • Review the most recently filed Medicare cost report (covered entities only)

Sufficient resources should be dedicated to 340B program compliance to make comprehensive internal audits possible on a regular basis. Fortunately, tools to support internal audits for each of these core areas are available through Apexus for various types of covered entities.7 In addition, a third-party auditor can be hired to assist in conducting an internal audit that aligns with HRSA compliance expectations. Third-party auditors provide resources and expertise that can help covered entities close compliance gaps. Institutions without the resources to support a third-party auditor may consider partnering with a local covered entity of similar size to audit each other’s programs. An external perspective can be key to ensuring no areas of program compliance are overlooked.

In preparation for the audit, a significant amount of data will be requested by the auditors. Covered entities should ensure this data is accessible if requested. The electronic health record, split billing software, and billing systems needed for compliance should have reporting mechanisms or a content expert available that can quickly retrieve relevant data as needed. Custom reports may be necessary to satisfy data requests; several vendors offer optional services, up to and including provision of an on-site representative during a HRSA audit. Establishing a mutual relationship with key vendors, especially those who have experience with HRSA audits, can be beneficial for developing these custom reports. Additionally, it is essential to confirm that internal data systems can provide appropriate support for the covered entity and all contract pharmacies. Contract arrangements may include language that stipulates a certain number of days’ advance notice is needed before data can be provided. Covered entities should be familiar with the time frames required for contract pharmacies to complete data requests.

PP&P: What can the covered entity expect during the audit?

UNC: When the auditors first arrive at your institution, conducting a short opening conference with all relevant stakeholders present is recommended. This is the covered entity’s opportunity to articulate an overview of the 340B policies and procedures to the auditor. It can also serve to identify the specific expectations and goals of the auditors, allowing the covered entity to coordinate efforts and provide any information the auditor may request while onsite. Conference attendees should include the covered entity’s AO, individuals who provide Medicare cost support, staff with electronic health record expertise, a representative from the third-party auditor, and a representative from the split billing vendor. The majority of information needed to conduct the audit will be provided via the initial data request. Apexus offers a mock data request that provides a sample of the data needed prior to and on the day of the audit.8

During the audit, the auditors may ask clarifying questions or raise concerns based on their review of the initial data request and the covered entity’s policies and procedures. Any identified gaps in policies may be addressed if supporting material is provided on the day of the audit. Covered entities can prepare for these requests by creating a central repository of policy documents and familiarizing themselves with how to quickly locate documents for each group that interacts with the program.

At the end of the audit, the auditors will not present a formal summary of findings. HRSA will provide these results to the covered entity at a later date. Nevertheless, it is important that any gaps uncovered during the audit be corrected immediately.

PP&P: If adverse findings are uncovered during an audit, how should the covered entity respond?

UNC: Covered entities have 30 calendar days from the receipt of the HRSA Final Report to review the findings. If the entity disagrees with the findings, a disagreement report with supporting documentation must be filed with HRSA within the first 30 days. Conversely, if the entity agrees with the findings, they must submit a corrective action plan (CAP) within 60 calendar days for HRSA approval. Upon acceptance of the CAP by HRSA, the covered entity has 6 months from the date of HRSA approval to implement the CAP. The 6-month deadline includes a full implementation of the CAP and payment of any potential settlements to manufacturers.

Ultimately, maintaining a continuous state of audit preparedness should be the goal of each covered entity. Since 340B program compliance is an institutional endeavor, leaders from various areas of the institution should understand the compliance risks in areas under their supervision. It is important to engage hospital, clinic, pharmacy purchasing/supply chain, information systems, and finance leaders early and often to ensure program and audit success. Internal governance and self-auditing of the 340B program are critical to identify and correct any areas of noncompliance and remain the most impactful tools of audit readiness.


      1. Eggers G. 340B Drug Pricing Program: Interpreting Regulations and Exploring Opportunities. Hosp Pharm. 2011;46(5):368-373.
      2. Gerlach J, McSweeney S, Swearingen A, et al. Examining the Benefits of the 340b Drug Discount Program. Health Care Manager. 2018;37(3):225-231.
      3. Health Resources and Services Administration website. Public Health Service Act, §340B, 42 USC. Accessed September 21, 2020.
      4. Manufacturer Discounts in the 340B Program Offer Benefits, but Federal Oversight Needs Improvement (GAO-11-836). Washington, DC: US Government Accounting Office; 2011.
      5. Sample HRSA 340B Audit Data Request for Covered Entities. Accessed September 21, 2020.
      6. Program Integrity. Official web site of the U.S. Health Resources & Services Administration. Published April 21, 2017. Accessed September 21, 2020.
      7. HRSA 340B Audit Overview Resource. Accessed September 21, 2020.
      8. Apexus 340B Tools. Accessed September 21, 2020.

Gerald Offei-Nkansah, PharmD, MBA, MS, is a PGY2 Health-System Pharmacy Administration and Leadership resident at the University of North Carolina (UNC) Medical Center. He earned his Doctor of Pharmacy Degree from the University of Tennessee Health Science Center while also completing an MBA from the University of Memphis. Subsequently, Gerald completed an MS with an emphasis in health-system pharmacy administration through the UNC Eshelman School of Pharmacy.

Robert M. Rose, PharmD, MS, is a PGY2 Health-System Pharmacy Administration and Leadership resident at the UNC Medical Center. He earned his Doctor of Pharmacy Degree from Ohio Northern University and his MS with an emphasis in health-system pharmacy administration from the UNC Eshelman School of Pharmacy.

Samuel M. Eberwein, PharmD, MS, BCPS, BCSCP, is the clinical manager of pharmacy for the sterile products area, perioperative services, and special formulations at the UNC Medical Center. He earned his Doctor of Pharmacy from Campbell University and his MS with an emphasis in health-system pharmacy administration from the UNC Eshelman School of Pharmacy while completing his 2-year health-system pharmacy administration residency at UNC Hospitals.

Mark Lyons, RPh, MS, is the interim system vice president, pharmacy services, for UNC Health. He received his BS in Pharmacy from Wayne State University and his MS from Central Michigan University.

Mara Pickard is a 340B compliance analyst for UNC Hospitals. She earned her BS from the North Carolina State University.

Roya Tran, PharmD, MS, is a 340B pharmacist coordinator for UNC Hospitals. She earned her Doctor of Pharmacy from the University of Florida and her MS with an emphasis in health-system pharmacy administration from the University of Houston while completing a 2-year health-system pharmacy administration residency at Houston Methodist Hospital.


Like what you've read? Please log in or create a free account to enjoy more of what has to offer.

Current Issue