Get reimbursed for COVID-19 testing and treatment of uninsured individuals.     Learn more »

Program Integrity

HRSA's Program Integrity guiding principles are to maximize oversight reach and manage compliance risks. Efforts to follow these principles include audits of covered entities and manufacturers to enforce requirements for these stakeholders.

Other efforts include annual recertification to give covered entities an opportunity to review their 340B Drug Pricing Program (340B Program) responsibilities and re-attest to being currently in full compliance.

HRSA performs program integrity checks regarding eligibility requirements and documentation necessary to demonstrate compliance. Also, OPA's self-disclosure process allows covered entities to evaluate and correct aspects of their 340B Program through self-reporting.

Audits of Covered Entities

340B Drug Pricing Program covered entities must ensure program integrity and maintain accurate records documenting compliance with all 340B Program requirements.

HRSA has the authority to audit covered entities for compliance with 340B Drug Pricing Program (340B Program) requirements (42 USC 256b(a)(5)(C)):

Covered entities are subject to audit by the manufacturer or the federal government. Failure to comply may make the 340B covered entity liable to manufacturers for refunds of discounts or cause the covered entity to be removed from the 340B Program.

Covered Entity Audit Number, Duration, and Scope

Audit Number
Only one audit of a covered entity will be permitted at any one time. When HRSA has received a request from a manufacturer to conduct an audit, HRSA will determine whether an audit should be performed by the Government or the manufacturer.

Audit Duration
Audits will be performed in the minimum time necessary with the minimum intrusion on the covered entity’s operation.

Audit Scope
HRSA’s 340B Program audits review covered entity compliance with respect to eligibility status, including compliance with the Group Purchasing Organization (GPO) prohibition as applicable (see 42 USC 256b(a)(4)(L)(iii)), duplicate discounts, and diversion as defined by42 USC 256b(a)(5)(A) and (B).

Covered Entity Audit Process

Auditors conduct 340B Program audit field work for the HRSA Office of Pharmacy Affairs (OPA).

Pre-Audit

  • Covered entities selected for audit receive an engagement letter explaining what to expect and how to appropriately prepare.
  • Auditors conduct an introductory teleconference with the entity to request and obtain specified documents, including policies, procedures, and internal controls.
  • Auditors work with the entity to schedule an opening meeting with key covered entity management to discuss expectations for the onsite audit.

Onsite Audit

  • Auditors obtain and review select 340B Program data and internal controls.
  • Audit procedures include, at a minimum:
    • review of relevant policies and procedures and how they are operationalized;
    • verification of eligibility, including GPO and outpatient clinic eligibility;
    • verification of internal controls to prevent diversion and duplicate discounts, including how the covered entity defines whether a patient is considered inpatient or outpatient, HRSA Medicaid Exclusion File designations, and accuracy of covered entity’s 340B OPAIS record;
    • review of 340B Program compliance at covered entity, outpatient or associated facilities, and contract pharmacies; and
    • testing of 340B drug transaction records on a sample basis.
  • Auditors collect the facts throughout the audit but are not authorized to summarize any findings to the entity. Their report to OPA will contain the facts as they understand it and must undergo OPA review. Additionally, any auditor statements made during the audit are not considered final and are subject to change.

Desk Audits

Except for the on-site visit, normal 340B audit procedures are followed for a desk audit. In place of the on-site visit, the auditor communicates with the covered entity using Secure Workspaces, Secured Email, Adobe Connect, and teleconference.The auditor will ensure appropriate communications are encrypted and secure, and test those communications with the covered entity before beginning the desk audit. Abode Connect is the preferred method to review sample items and patient records.  Secure Workspaces and Secured Email could be used in the case of scanning paper documents.

Post Audit

  • Auditors forward a preliminary report to OPA for review.
  • OPA reviews the preliminary report, drafts a Final Report and issues the report to the covered entity, with a request for a corrective action plan (CAP), if applicable.

Notice and Hearing

  • After HRSA issues a Final Report, the covered entity has 30 calendar days from the date of the HRSA Final Report to review findings noted in the HRSA Final Report, and to review HRSA’s request for a CAP related to the findings noted.
  • If a covered entity agrees with the Final Report, a covered entity must submit a CAP to HRSA within 60 calendar days for HRSA’s approval. If a covered entity is submitting disagreement with the audit findings, the covered entity should not submit a CAP until HRSA review of the disagreement is complete. When HRSA review of the disagreement is complete, HRSA will request a CAP at that time if one is still required.
  • If a covered entity disagrees with the Final Report, it shall notify HRSA in writing within 30 calendar days with appropriate supporting documentation of the covered entity’s disagreement.  OPA reviews the covered entity’s response and, if appropriate, may reissue the Final Report if changes are made based on documentation submitted.  
  • If an entity fails to submit a CAP, it may be removed from the 340B Program.
  • Once an audit report is finalized by OPA, the findings and any associated corrective action will be summarized on the OPA public website.

Corrective Action Plan Implementation and Repayment

  • Unless otherwise approved by HRSA, full CAP implementation and settlement with manufacturers, is expected to be complete within six months of the CAP approval date. Covered entities unable to meet this expectation may be subject to termination from the 340B Program.
  • For audits beginning after October 1, 2015, covered entities will no longer be required to post a public letter to manufacturers on HRSA’s website. Instead, HRSA will post a notice on its website to alert manufacturers to the extent that violations have occurred. This notice will include findings of the 340B Program audit requiring repayment and entity contact information for manufacturers to utilize. Covered entities are responsible for identifying and contacting all affected manufacturers to notify them of 340B Program violations and to discuss a method for possible repayment. HRSA will close out the audit once the covered entity attests that all repayments have been resolved (if necessary), and that the CAP has been fully implemented.
  • The covered entity may be required to submit additional documentation, as determined by HRSA, to demonstrate its CAP implementation, including any applicable repayment to manufacturers.
  • HRSA may re-audit a covered entity to assess compliance with 340B Program requirements.
  • Covered entities with a re-audit that identifies the same exact finding of non-compliance, may be subject to additional audits. A finding of non-compliance with the diversion prohibition in two or more audits, depending on the nature of the violation, may be considered systematic and egregious, as well as knowing and intentional, which may result in the covered entity being removed from the 340B Program in accordance with section 340B(d)(2)(B)(v) of the Public Health Service Act. Such a finding may also disqualify the covered entity from re-entry into the 340B Program for a reasonable period of time.

Covered Entity Audit Standards

Audit Standards
HRSA has developed a program-specific audit process for its 340B compliance audits. 340B compliance audits are conducted by highly trained auditors in accordance with this process. Unlike other statutorily authorized programs, the 340B statute does not require HRSA to use Generally Accepted Government Auditing Standards (GAGAS) for 340B Program audits.

Audits of Manufacturers

Under section 340B(a)(1) of the Public Health Service Act, manufacturers of covered outpatient drugs that participate in the 340B Drug Pricing Program (340B Program) must offer all covered outpatient drugs at no more than the 340B ceiling price to a covered entity listed on HRSA’s public 340B database if such drug is made available to any other purchaser at any price.

Manufacturers are subject to auditing by HRSA to ensure compliance with the 340B Program, pursuant to section 340B(d)(1)(B)(v) of the PHSA. Failure to comply with 340B pricing requirements may make the manufacturer liable to covered entities for refunds of overpriced 340B drugs.

Manufacturer Audit Duration and Scope

Audit Duration
Audits will be performed in the minimum time necessary with the minimum intrusion on the manufacturer’s operation.

Audit Scope
HRSA’s 340B Program audits review manufacturer compliance with respect to eligibility status, including compliance with 340B Program requirements and the determination that the manufacturer provided 340B drugs at or below the 340B ceiling price to participating covered entities.

Auditors conduct 340B Program audit field work for the HRSA Office of Pharmacy Affairs (OPA).

Manufacturer Audit Process

Pre-Audit

  • Manufacturers selected for audit receive an engagement letter explaining what to expect and how to appropriately prepare.
  • Auditors conduct an introductory teleconference with the manufacturer to request and obtain specified documents, including policies, procedures, and internal controls.
  • Auditors work with the manufacturer to schedule an opening meeting with key management to discuss expectations for the audit.

Onsite Audit

  • Auditors obtain and review select 340B Program data and internal controls.
  • Audit procedures include, at a minimum:
    • review of relevant policies and procedures and how they are operationalized;
    • verification of internal controls to determine if the manufacturer is abiding by the terms of the 340B statute (section 340B of the Public Health Service Act (‘‘PHS Act’’)), including offering registered covered entities access to covered outpatient drugs at statutorily required pricing and;
    • testing of 340B sales transaction records on a sample basis.
  • Auditors collect the facts throughout the audit but are not authorized to summarize any findings to the manufacturer. Their report to OPA will contain the facts as they understand it and must undergo OPA review. Additionally, any auditor statements made during the audit are not considered final and are subject to change.

Desk Audits

Except for the on-site visit, normal 340B audit procedures are followed for a desk audit. In place of the on-site visit, the auditor communicates with the manufacturer using Secure Workspaces, Secured Email, Adobe Connect, and teleconference. The auditor will ensure appropriate communications are encrypted and secure, and test those communications with the manufacturer before beginning the desk audit. Abode Connect is the preferred method to review sample items and policies and procedures. Secure Workspaces and Secured Email could be used in the case of scanning paper documents

Post Audit

  • Auditors forward a preliminary report to OPA for review.
  • OPA reviews the preliminary report, drafts a Final Report and issues the report to the manufacturer, with a request for a corrective action plan (CAP), if applicable.

Notice and Hearing

  • After HRSA issues a Final Report, the manufacturer has 30 calendar days from the date of the HRSA Final Report to review findings noted in the HRSA Final Report, and to review HRSA's request for a CAP related to any findings noted. If no adverse findings are cited, a letter will be sent to the manufacturer stating such and the audit is considered closed at that point.
  • If a manufacturer agrees with the Final Report, a manufacturer must submit a CAP to HRSA within 60 calendar days for HRSA’s approval.
  • If a manufacturer disagrees with the Final Report, it shall notify HRSA in writing within 30 calendar days with appropriate supporting documentation of the manufacturer's disagreement. OPA reviews the response and, if appropriate, may reissue the Final Report if changes are made based on documentation submitted.
  • Once an audit report is finalized by OPA, the findings and any associated corrective action will be summarized on the OPA public website.

CAP Implementation and Repayment

  • HRSA will post a public notice in order to publicly alert covered entities to the extent that violations have occurred. This notice will include findings of the 340B Program audit requiring repayment and manufacturer contact information for covered entities to utilize. Manufacturers are ultimately responsible for identifying all affected covered entities and for contacting each to notify them of program violations and to begin a dialogue on a method for possible repayment. HRSA closes out the audit once the manufacturer attests that all repayment is resolved (if necessary) and that the CAP has been fully implemented.

Manufacturer Audit Standards

Audit Standards
HRSA has developed a program-speciic audit process for its 340B compliance audits. 340B compliance audits are conducted by highly trained auditors in accordance with this process.

HRSA Correspondence to Stakeholders 2021

Date Last Reviewed:  October 2021


Audits of Covered Entity Results

FY 2021 Audit Results
(updated 11/24/21)

FY 2020 Audit Results
(updated 11/24/21)

FY 2019 Audit Results
(updated 7/16/21)

FY 2018 Audit Results
(updated 12/3/20)

FY 2017 Audit Results
(updated 1/15/21)

FY 2016 Audit Results
(updated 2/20/19)

FY 2015 Audit Results
(updated 2/25/20)

FY 2014 Audit Results
(updated 2/20/19)

FY 2013 Audit Results
(updated 5/30/18)

FY 2012 Audit Results
(updated 7/14/17)

Audits of Manufacturers Results

FY 2021 Mftr Audit Results (updated 11/24/21)

FY 2020 Mftr Audit Results (updated 9/22/21)

FY 2019 Mftr Audit Results (updated 3/19/21)

FY 2018 Mftr Audit Results (updated 5/23/19)

FY 2017 Mftr Audit Results (updated 9/11/18)

FY 2016 Mftr Audit Results (updated 9/11/18)

FY 2015 Mftr Audit Results (updated 9/11/18)