Menu
Industry Insights Logo

Top HRSA Audit Findings in FY2025

Sponsored Content 340B Report Views
And How to Avoid Them in the Future

SPONSORED CONTENT

In fiscal year 2025, the Health Resources and Services Administration (HRSA) audited 115 covered entities — and 49% received adverse findings. In other words, nearly one in two programs had a 340B compliance issue last year.

While this is an improvement from FY24, when 64% of audited entities had adverse findings, 2025 findings show that compliance remains a persistent issue despite the best efforts of hard working 340B providers.

Fortunately. the top audit findings aren’t obscure or unpredictable. They are known, preventable, and detectable before HRSA ever shows up.

What HRSA Found in FY25

The data reveal that the top audit finding continues to be incorrect Office of Pharmacy Affairs Information System (OPAIS) records. Among the 56 entities with adverse findings:

  • 75% were found to have incorrect OPAIS records
  • 50% were found to have duplicate discounts or Medicaid Exclusion File (MEF) findings
  • 25% were found to have 340B diversion
  • 2% were found to have a Group Purchasing Organization (GPO) violation

The top three audit findings are consistent year-to-year, and 340B covered entities (CEs) can take concrete steps to avoid putting themselves at risk.

1. Incorrect OPAIS Records

What auditors look for: Complete, accurate, and current registration data for all sites, contract pharmacies, and child sites in OPAIS.

Incorrect OPAIS records remained the most common finding in FY25, appearing in three quarters of CEs with adverse findings. Common issues include:

  • Contract pharmacy lifecycle gaps, such as terminated contract pharmacies not being removed, duplicate registrations, and pharmacies with no valid contract being listed.
  • Missing eligible sites, including the omission of outpatient facilities or grant-associated sites
  • Ineligible or incorrectly registered site, often stemming from inaccurate Medicare cost report data, outdated child site listings, or incorrect contract pharmacy entries
  • Address and location errors, often stemming from manual data entry, outdated information, or inconsistencies between HRSA records and other databases
  • Medicare Cost Report errors, such as incorrect filing dates, reporting periods or DSH percentages.
  • Entity record issues, including incorrect Employee Information Numbers (EIN), classification, or contact information.

These errors are typically inadvertent administrative gaps, but HRSA treats an inaccurate registry as a compliance failure. Because HRSA relies on OPAIS to validate eligibility, inaccurate records can cause otherwise compliant transactions to appear improper — triggering additional findings like diversion.

How to avoid it: Treat OPAIS as living documentation. Confirm parent, child sites, and all contract pharmacies are correctly listed in OPAIS with accurate names and addresses — and update changes within days, not weeks. While this can be difficult to manually maintain, 340B compliance software can catch OPAIS errors and mismatches as they occur.

2. Duplicate Discounts

What auditors look for: Evidence that a 340B-priced drug was also billed to Medicaid.

Duplicate discounts are most often tied to issues with the MEF. An incomplete or inaccurate MEF exposes programs to violations — even when prescribing and dispensing are otherwise compliant. In fact, of the 28 entities for which HRSA flagged MEF findings, five were determined to have no actual duplicate discounts, meaning the error was administrative, not financial.

As more Medicaid beneficiaries are enrolled in managed care organizations (MCOs), duplicate discount risk grows. MCO claims can look like commercial transactions on the surface, making them easier to miss.

How to avoid it: Treat MEF management as continuous, regularly verify your carve-in or carve-out status by state and site, and cross-reference every claim. Use a 100% self-audit tool to automatically detect transactions that are missing modifiers and identify where your EMR may have failed to flag a Medicaid Managed Care plan.

3. Diversion

What auditors look for: Evidence that 340B drugs were dispensed to ineligible patients.

Diversion remains one of the most scrutinized areas in every audit cycle. The most common diversion finding is 340B drugs dispensed at contract pharmacies or CEs for prescriptions written at sites that were not registered as 340B locations.

Additional diversion risk factors include:

  • Gaps in eligibility policies and procedures
  • Missing or incomplete transaction documentation
  • Reliance on sampling instead of full transaction auditing

When diversion is identified, repayment to manufacturers is required, which can be significant.

How to avoid it: Implement 100% transaction-level auditing, including confirming eligible patients, providers, and locations for each 340B transaction.

The Consequences of HRSA Findings

In FY25, 64% of CEs with adverse findings faced one or more sanctions, which had tangible operational and financial consequences:

  • 50% were required to repay manufacturers. This is the most common sanction, and for programs running high volumes of 340B claims through contract pharmacies, repayment obligations can be significant.
  • 21% had site terminations. This includes registered sites that were determined to be ineligible for participation, as well as sites that had been closed in practice but never removed from OPAIS.

Beyond the direct financial and operational impact, adverse findings can impact reputation. Health systems that are cited by HRSA — particularly for repeat findings — face increased scrutiny in future audit cycles and may find their contract pharmacy arrangements subject to additional manufacturer restrictions.

What Separates Programs That Pass from Programs That Don’t

The pattern behind FY25’s data shows that adverse findings almost always trace back to gaps that continuous compliance practices would have caught. Programs that consistently demonstrate clean audit results share a few characteristics:

  • OPAIS records are verified and updated continuously, not reviewed once before an audit.
  • Transaction auditing covers 100% of 340B activity, not sampled spot-checks.
  • Policies and procedures are current, documented, and accessible rather than buried in a shared folder from a prior compliance cycle.
  • When HRSA announces an audit, the program can respond quickly and confidently because the documentation has been maintained all along.

In FY25, among CEs using 340BCheck, zero received adverse audit findings — compared to a 49% adverse finding rate across all audited entities. 340BCheck is specifically built around the compliance gaps that HRSA looks for: daily OPAIS synchronization, pharmacy service agreement management, 100% transaction audit coverage, centralized policy and procedure management, and mock audit workflows designed to ensure your documentation holds up under scrutiny.

The goal is to run a program that is consistently HRSA audit-ready – in which HRSA can arrive on any day and find nothing to cite. To see how 340BCheck supports CEs in building a continuously compliant program that will hold up against a HRSA audit, request a demo.

Sean Gilman is Director of Clinical Strategy at Bluesight. He can be reached at sean.gilman@bluesight.com.

Website |  + posts

Read more 340B Expert Tips

Post Navigation

PhRMA Again Targets 340B ‘Markups’ in New Seven-Figure Ad Campaign 

COA Board Member Calls for 340B Reform, Cassidy Largely Quiet on Program at Senate HELP Field Hearing

Generic selectors
Exact matches only
Search in title
Search in content
Post Type Selectors

Site Footer Live