HRSA's Program Integrity guiding principles are to maximize oversight reach and manage compliance risks. HRSA's efforts to follow these principles include audits of covered entities and manufacturers to enforce requirements for these stakeholders. Other efforts include annual recertification in order to give covered entities an opportunity to review their 340B Drug Pricing Program (340B Program) responsibilities and re-attest to being currently in full compliance. Questionnaires are evaluated through HRSA grantee site-visits to serve as an initial screening tool for assessing compliance. Also, OPA's self-disclosure process allows covered entities to evaluate and correct aspects of their 340B Program through self-reporting.
Audits of Covered Entities
340B Drug Pricing Program covered entities must ensure program integrity and maintain accurate records documenting compliance with all 340B Program requirements.
HRSA has the authority to audit covered entities for compliance with 340B Drug Pricing Program (340B Program) requirements (42 USC 256b(a)(5)(C)):
Covered entities are subject to audit by the manufacturer or the federal government. Failure to comply may make the 340B covered entity liable to manufacturers for refunds of discounts or cause the covered entity to be removed from the 340B Program.
Audit Number, Duration & Scope
Only one audit of a covered entity will be permitted at any one time. When HRSA has received a request from a manufacturer to conduct an audit, HRSA will determine whether an audit should be performed by the Government or the manufacturer.
Audits will be performed in the minimum time necessary with the minimum intrusion on the covered entity’s operation.
HRSA’s 340B Program audits review covered entity compliance with respect to eligibility status, including compliance with the Group Purchasing Organization (GPO) prohibition as applicable (see 42 USC 256b(a)(4)(L)(iii)), duplicate discounts, and diversion as defined by42 USC 256b(a)(5)(A) and (B).
Auditors conduct 340B Program audit field work for the HRSA Office of Pharmacy Affairs (OPA).
- Covered entities selected for audit receive an engagement letter explaining what to expect and how to appropriately prepare.
- Auditors conduct an introductory teleconference with the entity to request and obtain specified documents, including policies, procedures, and internal controls.
- Auditors work with the entity to schedule an opening meeting with key covered entity management to discuss expectations for the onsite audit.
- Auditors obtain and review select 340B Program data and internal controls.
- Audit procedures include, at a minimum:
- review of relevant policies and procedures and how they are operationalized;
- verification of eligibility, including GPO and outpatient clinic eligibility;
- verification of internal controls to prevent diversion and duplicate discounts, including how the covered entity defines whether a patient is considered inpatient or outpatient, HRSA Medicaid Exclusion File designations, and accuracy of covered entity’s 340B database record;
- review of 340B Program compliance at covered entity, outpatient or associated facilities, and contract pharmacies; and
- testing of 340B drug transaction records on a sample basis.
- Auditors collect the facts throughout the audit but are not authorized to summarize any findings to the entity. Their report to OPA will contain the facts as they understand it and must undergo OPA review. Additionally, any auditor statements made during the audit are not considered final and are subject to change.
Except for the on-site visit, normal 340B audit procedures are followed for a desk audit. In place of the on-site visit, the auditor communicates with the covered entity using Secure Workspaces, Secured Email, Adobe Connect, and teleconference.The auditor will ensure appropriate communications are encrypted and secure, and test those communications with the covered entity before beginning the desk audit. Abode Connect is the preferred method to review sample items and patient records. Secure Workspaces and Secured Email could be used in the case of scanning paper documents.
- Auditors forward a preliminary report to OPA for review.
- OPA reviews the preliminary report, drafts a Final Report and issues the report to the covered entity, with a request for a corrective action plan (CAP), if applicable.
Notice and Hearing
- After HRSA issues a Final Report, the covered entity has 30 calendar days from the date of the HRSA Final Report to review findings noted in the HRSA Final Report, and to review HRSA’s request for a CAP related to the findings noted.
- If a covered entity agrees with the Final Report, a covered entity must submit a CAP to HRSA within 60 calendar days for HRSA’s approval.
- If a covered entity disagrees with the Final Report, it shall notify HRSA in writing within 30 calendar days with appropriate supporting documentation of the covered entity’s disagreement. OPA reviews the covered entity’s response and, if appropriate, may reissue the Final Report if changes are made based on documentation submitted.
- If an entity fails to submit a CAP, it may be removed from the 340B Program.
- Once an audit report is finalized by OPA, the findings and any associated corrective action will be summarized on the OPA public website.
CAP Implementation and Repayment
- For audits performed in Fiscal Years 2015 and earlier, once HRSA reviews and approves a CAP, the covered entity will be required to provide HRSA a public letter that outlines the findings requiring possible repayment, states that repayment may be necessary, and provides entity contact information for manufacturers to utilize. This letter will be posted on the HRSA website under the CAP column in the audit findings table. For audits performed in Fiscal Years 2016 and later, covered entities will no longer be required to post on HRSA’s website a public letter to manufacturers. However, HRSA will post a public notice in order to publicly alert manufacturers to the extent that violations have occurred. This notice will include findings of the 340B Program audit requiring repayment and entity contact information for manufacturers to utilize. Covered entities are ultimately responsible for identifying all affected manufacturers and for contacting each to notify them of program violations and to begin a dialogue on a method for possible repayment. HRSA closes out the audit once the covered entity attests that all repayment is resolved (if necessary) and that the CAP has been fully implemented.
- Covered entities whose findings involve repayment will be subject to audit in a year.
HRSA has developed a program-specific audit process for its 340B compliance audits. 340B compliance audits are conducted by highly trained auditors in accordance with this process. Unlike other statutorily authorized programs, the 340B statute does not require HRSA to use Generally Accepted Government Auditing Standards (GAGAS) for 340B Program audits.
Audits of Manufacturers
Under section 340B(a)(1) of the Public Health Service Act, manufacturers of covered outpatient drugs that participate in the 340B Drug Pricing Program (340B Program) must offer all covered outpatient drugs at no more than the 340B ceiling price to a covered entity listed on HRSA’s public 340B database if such drug is made available to any other purchaser at any price. Manufacturers are subject to auditing by HRSA to ensure compliance with the 340B Program, pursuant to section 340B(d)(1)(B)(v) of the PHSA. Failure to comply with 340B pricing requirements may make the manufacturer liable to covered entities for refunds of overpriced 340B drugs.