Only one audit of a covered entity will be permitted at any one time. When HRSA has received a request from a manufacturer to conduct an audit, HRSA will determine whether an audit should be performed by the Government or the manufacturer.
Audits will be performed in the minimum time necessary with the minimum intrusion on the covered entity’s operation.
HRSA’s 340B Program audits review covered entity compliance with respect to eligibility status, including compliance with the Group Purchasing Organization (GPO) prohibition as applicable (see 42 USC 256b(a)(4)(L)(iii)), duplicate discounts, and diversion as defined by42 USC 256b(a)(5)(A) and (B).
Auditors conduct 340B Program audit field work for the HRSA Office of Pharmacy Affairs (OPA).
- HRSA conducts both onsite and remote audits
- Covered entities selected for audit receive an engagement letter explaining what to expect and how to appropriately prepare.
- Auditors conduct an introductory teleconference with the entity to request and obtain specified documents, including policies, procedures, and internal controls.
- Auditors work with the entity to schedule an opening meeting with key covered entity management to discuss expectations for the onsite audit.
Onsite or Remote Audit
- HRSA conducts both onsite and remote audits
- Auditors obtain and review select 340B Program data and internal controls.
- Audit procedures include, at a minimum:
- review of relevant policies and procedures and how they are operationalized;
- verification of eligibility, including the GPO prohibition, maintaining auditable records, and outpatient clinic eligibility;
- verification of internal controls to prevent diversion and duplicate discounts, including how the covered entity defines whether a patient is considered inpatient or outpatient, HRSA Medicaid Exclusion File designations, and accuracy of covered entity’s 340B OPAIS record;
- review of 340B Program compliance at covered entity, outpatient or associated facilities, and contract pharmacies; and
- testing of 340B drug transaction records on a sample or judgmental basis.
For remote audits, the same audit procedures are used, except the auditor communicates with the covered entity using Secure Workspaces, Secured Email, and Zoom platform. The auditor will ensure appropriate communications are encrypted and secure, and test those communications with the covered entity before beginning the remote audit. Zoom is the preferred method to review sample items and patient records. Secure Workspaces and Secured Email can be used in the case of scanning paper documents.
Auditors collect the facts throughout the audit but are not authorized to summarize any findings to the entity. Their report to OPA will contain the facts as they understand it and must undergo OPA review. Additionally, any auditor statements made during the audit are not considered final and are subject to change.
- Auditors forward a preliminary report to OPA for review.
- OPA reviews the preliminary report, drafts a Final Report and issues the report to the covered entity, with a request for a corrective action plan (CAP), if applicable.
Notice and Hearing
- After HRSA issues a Final Report, the covered entity has 30 calendar days from the date of the HRSA Final Report to review findings noted in the HRSA Final Report, and to review HRSA’s request for a CAP related to the findings noted.
- If a covered entity agrees with the Final Report, a covered entity must submit a CAP to HRSA within 60 calendar days for HRSA’s approval. If a covered entity is submitting disagreement with the audit findings, the covered entity should not submit a CAP until HRSA review of the disagreement is complete. When HRSA review of the disagreement is complete, HRSA will request a CAP at that time if one is still required.
- If a covered entity disagrees with the Final Report, it shall notify HRSA in writing within 30 calendar days with appropriate supporting documentation of the covered entity’s disagreement. OPA reviews the covered entity’s response and, if appropriate, may reissue the Final Report if changes are made based on documentation submitted.
- If an entity fails to submit a CAP, it may be removed from the 340B Program.
- Once an audit report is finalized by OPA, the findings and any associated sanctions will be summarized on the OPA public website.
Corrective Action Plan Implementation and Repayment
- Unless otherwise approved by HRSA, full CAP implementation and settlement with manufacturers, is expected to be complete within six months of the CAP approval date. Covered entities unable to meet this expectation may be subject to termination from the 340B Program.
- HRSA will post a notice on its website to alert manufacturers to the extent that violations have occurred. This notice will include findings of the 340B Program audit requiring repayment and entity contact information for manufacturers to utilize. Covered entities are responsible for identifying and contacting all affected manufacturers to notify them of 340B Program violations and to discuss a method for possible repayment. HRSA will close out the audit once the covered entity attests that all repayments have been resolved (if necessary), and that the CAP has been fully implemented.
- The covered entity may be required to submit additional documentation, as determined by HRSA, to demonstrate its CAP implementation, including any applicable repayment to manufacturers.
- HRSA may re-audit a covered entity to assess compliance with 340B Program requirements.
- Covered entities with a re-audit that identifies the same exact finding of non-compliance, may be subject to additional audits. A finding of non-compliance with the diversion prohibition in two or more audits, depending on the nature of the violation, may be considered systematic and egregious, as well as knowing and intentional, which may result in the covered entity being removed from the 340B Program in accordance with section 340B(d)(2)(B)(v) of the Public Health Service Act. Such a finding may also disqualify the covered entity from re-entry into the 340B Program for a reasonable period of time.
HRSA has developed a program-specific audit process for its 340B compliance audits. 340B compliance audits are conducted by highly trained auditors in accordance with this process. Unlike other statutorily authorized programs, the 340B statute does not require HRSA to use Generally Accepted Government Auditing Standards (GAGAS) for 340B Program audits.