Estefani Ruiz headshot

Four Best Practices for Running Mock Audits


With new leadership in Congress, the drumbeat for greater scrutiny of 340B will grow. To date, news outlets from The New York Times to The Wall Street Journal have quoted former government officials and pundits who’ve called for more oversight of the 340B program.  It is not just former government officials that are raising concerns, leading lawmakers from both parties are calling on 340B providers to be more transparent and ensure that they are being good stewards of the program.

Regardless of the amount and kind of attention channeled toward the 340B program, it’s always right (and a best practice) for 340B executives and managers to be meticulous. Mock audits are one way for covered entities to closely watch over their 340B program activities. These rehearsals can help program managers, staff, and healthcare employees ensure compliance and pass an audit by the U.S. Department of Health and Human Services’ Health Resources and Services Administration. The more seriously you treat a mock audit the more likely your HRSA audit will happen efficiently and uneventfully.

Own the process

The following best practices can help a 340B program manager and staff ensure they’re ready for an HRSA audit and pass without issues.

First, although there’s no HRSA requirement to conduct mock audits, the agency says managers should audit their program annually. Carrying out a mock audit each quarter and hiring outside auditors to look at your program once per year will spot trouble early and ensure a continual level of readiness.

Most covered entities also audit 340B claims data every 30 days. These self-audits stand apart from mock audits because the latter relate to preparation for an HRSA auditor’s visit. By self-auditing claims once per month, a 340B team has fewer transactions to review and stays better organized. Most importantly, frequent self-auditing also minimizes the fiscal impact for the covered entity by catching potential diversion or duplicate discount issues sooner, thereby minimizing future claim reversals and inventory swell.

Some covered entities audit claims data even more frequently than once a month to catch issues even sooner. What often keeps program managers from undertaking more self-audits more often is a lack of staff or resources. This challenge can be overcome by automating self-audits using commercially available software solutions that make it easy to analyze claims data with greater frequency.

Second, build out your 340B audit committee by tapping a 340B compliance coordinator and adding someone from the billing department, an expert from HR, and a representative who handles your TPAs and providers, too. The team should be led by the authorizing official or primary contact listed with OPAIS. The coordinator should rally people to the cause by briefly meeting with department heads and underscoring the importance of the mock audit. Another option for kickstarting mock audits would be enlisting the covered entity’s CEO or CFO to meet with (or email) the people and departments the mock auditors will call on; C-level interest spurs people to action.

Third, with your team in place, establish criteria to identify the documents and data to be reviewed, particularly high-risk claims. For instance, set a sample period you’ll look at with your audit. Ask for data by department the way HRSA would look for information and then put everything your team receives under a microscope.

When an HRSA auditor asks for third-party information, they want a sample of claims within a date range, perhaps a three-month look-back. They’ll also look for:

•          the patient’s eligibility for 340B medications,

•          what kind of service the patient received (e.g., outpatient),

•          the provider’s relationship with the hospital or other covered entity,

•          an indication that a prescription is a 340B drug and dispensed by the correct contract or in-house pharmacy.

Be sure to review your policies and procedures to ensure your audit functions mirror what you present to HRSA. Everyone must have written policies and procedures for their 340B program. While anyone can write and file policies and procedures, your mock auditors should vet whether people are truly following these guidelines.

Fourth, decide whom the mock or actual auditors will contact in departments such as contracting, in-house or retail pharmacy, and billing, which is especially important for analyzing how the 340B program handles Medicaid claims. Mock auditors should contact TPAs for claims data during the specified sample period. Auditors should also call on staff who know your providers and the ins-and-outs of the credentialing process and how these providers are associated with the covered entity.

The committee can mirror this kind of request by telling pharmacy staff that the mock auditors will come on a scheduled day and time to meet the pharmacy director. Once on site, they can watch the pharmacists dispense drugs and the system for tracking that work.

Parting thoughts

Increased external scrutiny will likely result in mock audits taking even more time and resources. They can be made more efficient by adopting a few best practices, starting with increasing the frequency of claims audits to find and correct issues between mock audits. A multi-disciplinary team with access to required documents, data, audit criteria, and department personnel should be able to answer audit questions quickly and easily. Adopt a disciplined approach to be your own best auditor.

SectyrHub 340B helps maintain continuous program compliance. It’s like having another assistant working 7 days a week, 24 hours a day to reduce the risks of non-compliance before, during and after an audit.

Estefani Ruiz is Solution Consultant at Sectyr. She can be reached at

Website | + posts