Legal and Regulatory Compliance

340B Program success depends on the quality of self-auditing

December 22, 2020 4:36 pm

It is imperative that healthcare organizations participating in the 340B Drug Pricing Program perform self-auditing of their compliance with the program if it is to continue to deliver important benefits.

The 340B Drug Pricing Program plays a critical role in U.S. healthcare by helping to improve quality of healthcare services in rural communities and communities serving a disproportionate share of indigent patients. It does so by giving participating organizations access to essential pharmaceuticals at a reduced price. This benefit helps them stretch financial resources in an environment of constant pressure from rising expenses and decreasing payment. 

However, the 340B Program has become a target of some lawmakers due to a lack of transparency around savings and variability in the application of program rules. This scrutiny from lawmakers, coupled with actions of pharmaceutical companies to challenge the program, makes it imperative that health systems and other 340B Program participants act now to ensure they have a robust 340B compliance program in place, with effective self-auditing capabilities.

340B Program challenges

Pharmaceutical manufacturers, including Merck, Sanofi, Novartis and AstraZeneca, recently entered the fray by taking increasingly aggressive positions against core 340B Program elements, including limiting access to the program’s pricing on certain drugs and contract pharmacy locations. Although some lawmakers and the U.S. Department of Health and Human Services have released statements condemning the manufacturers for these actions, the near-term outcome will likely be increased scrutiny around the compliance aspects of the 340B Program, including diversion and duplicate discounts. 

It therefore is more important than ever that 340B covered entities use their resources wisely, including not only the savings generated by 340B, but also the time and human capital resources that they devote to ensuring 340B Program compliance. Spending time initially by planning and assessing 340B compliance risk can set the stage for more effective and efficient self-audits, which are imperative for ensuring program compliance. The value of these audits can be considerably enhanced by implementing a targeted approach in transaction audits that focuses on transactions with specific attributes.

340B self-audits: purpose and methods

To satisfy program requirements for 340B participation, a covered entity must maintain auditable records documenting compliance with 340B Program requirements. In 2019, The American Hospital Association (AHA) called upon 340B hospitals to sign a “Commitment to Good Stewardship Principles,” which included a commitment to continuing rigorous internal oversight of the program. This oversight was to include conducting internal reviews to ensure that the hospital’s 340B Program meets the rules and guidance set forth by the Health Resources and Services Administration (HRSA). 

Overall, the 340B compliance audit plan should focus on four broad areas:

  1. Eligibility to participate in the program, including adherence to the group purchasing organization (GPO) prohibition for disproportionate share hospitals 
  2. Accuracy of information listed on the Office of Pharmacy Affairs Information System records
  3. Diversion (i.e., ensuring that 340B drugs are not provided to ineligible patients)
  4. Duplicate discounts (i.e., manufacturer providing both a 340B discount and a Medicaid drug rebate for the same drug), which the hospital can prevent by accurately reporting to Medicaid how it is billing the program for 340B drugs

Transaction testing. The most frequent method of 340B auditing is transaction testing, which also requires the bulk of time. Transaction testing is designed to address the risk of diversion. Its overall purpose is to ensure that patients receiving medications under 340B meet HRSA’s patient definition of eligible recipients and that the covered entity maintains auditable records to support the patients’ eligibility.

HRSA published guidance in the Federal Register in 1996 clarifying the criteria of what constitutes a patient for purposes of the 340B program.a These criteria include the following:

  • The patient is an outpatient.
  • The covered entity maintains records of the patient’s healthcare.
  • The patient receives healthcare from healthcare professionals employed or contracted by the covered entity (i.e., responsibility of care remains with covered entity).
  • The patient receives healthcare services beyond simply the dispensation of a drug. 

The order or prescription also must originate in a 340B-eligible location (within the four walls of the covered entity or in a registered child site). 

Random sampling. Although self-auditing by covered entities can vary in amount and frequency, the methods tend to be the same: Most 340B-covered entities select a random sample of a certain number of 340B dispensations within a particular date range (i.e., quarter, month, week) to confirm that the dispensation meets the foregoing criteria.

Although random sampling is needed to address risk in an entire population, covered entities face a challenge in performing enough testing relative to the total number of dispensations to adequately address the risk of noncompliance. For example, if a health system audits 25 records per month out of a total population of 25,000 eligible dispensations (0.1%), random sampling provides little value.

Targeted sampling. When assessing risk in a large population, targeting specific transactions with certain attributes provides a greater assurance that errors will be detected.

Implementing a targeted audit approach requires assessing risk of various subgroups of the organization’s dispensations. These subgroups could include specific drugs, specific locations and specific physicians. A targeted, risk-based audit approach ensures the organization spends time more meaningfully, and is not simply auditing to satisfy a requirement.

For instance, if a hospital has a clean-site outpatient infusion center (i.e., all patients receiving care meet the patient definition), the risk of diversion is low. In such a location, each patient receiving care meets all aspects of the 340B patient definition. The only inventory carried by the outpatient infusion center would be 340B inventory, with the exception of crash-cart medications that would be purchased at the wholesale acquisition cost (WAC). With risk being low, there is no need to spend a significant amount of time on this area for self-audits.

This conclusion assumes, however, that the 340B processes have been evaluated and are fully understood at the infusion center. If processes in place were inadequate or inconsistent, risk may be elevated and more testing may need to be performed.

It is here that random sampling can provide some valuable information, despite its general limitations. If the random samples over a certain period generate findings in certain procedural areas of the hospital or certain child sites, that information can be used to inform targeted risk assessments of those locations. 

The same concept applies for evaluations of specific drugs and of specific physicians who write prescriptions not only within the hospital but also in their private practice down the street.

How to assess 340B compliance risk

Assessing risk for 340B noncompliance should be based on two elements:

  • The magnitude (or materiality) of a potential compliance issue
  • The likelihood of a potential compliance issue

The first step is to perform risk assessment to determine which specific populations you will target. Although the specific areas of focus will vary among health systems, your assessment should consider the following key populations or areas.

Top drugs by savings. You should identify which drugs are driving the bulk of your 340B savings and assess the magnitude and likelihood of potential compliance issues for these drugs.

Locations by risk. If you are performing self-audits frequently on a random basis, you will likely find that certain departments, procedural areas and child sites are more prone to potential compliance issues. These locations tend to be relatively more complicated areas, such as outpatient surgery, hospital areas that operate on different systems (e.g., paper versus electronic charting) and hospital areas where patients are not charged on administration.

Specific physicians by risk. In a contract pharmacy- or entity-owned pharmacy environment, a significant risk exists around filling prescriptions at 340B that were written in an ineligible location. This situation arises when a physician may be on the credentialed provider list for your hospital but also operates and sees patients in a separate private clinic. If the physician discharges a patient from your hospital and then sees the patient in their private practice and writes a prescription for that patient, filling that prescription at 340B may expose you to noncompliance risk.

Testing volume and frequency

Once you have developed a list of targeted areas for auditing, you should determine the amount of records to test and the frequency with which you will test the population.  You should consider this with the overall schedule and resource time you have available over a 12-month period (or whatever period is specified in your audit plan). Leave room in the schedule to perform audits on other populations that present themselves during the year as having elevated risk. The exhibit below provides a sample one-month schedule.

Sample 340B self-audit targeted audits scheduled for one month



Sample Size

Week 1

Outpatient infusion location


Week 2

Top drug by savings


Week 3

Physician No. 1 (w/private practice)


Week 4

Open – to be determined based on risk


Source: Brian Matney, CPA, CHFP, 2020

It also is important to maintain an element of random sampling to address the remaining risk in the rest of the population, and judgment is required to determine the amount and frequency of the random sampling. The following is an overall schedule for a covered entity performing weekly transaction audits, both random and targeted.

Sample 340B self-audit schedule for overall sampling, targeted and random, for one month


Targeted Sample

Random Sample

Week 1



Week 2



Week 3



Week 4



Monthly Total



Source: Brian Matney, CPA, CHFP, 2020.

The benefits to employing this audit approach go beyond clarifying priorities and spending time in areas with higher risk. Among additional benefits, this approach can enable you to:

  • More easily identify systemic issues causing 340B compliance concerns
  • Aggregate more meaningful feedback to be shared with department managers and leaders
  • Identify clinical documentation issues or inconsistencies that may exist only in one department or for one particular drug
  • Provide information useful for educating providers about drug diversion risk
  • Identify billing inconsistencies


By implementing a targeted self-audit approach, you can ensure your organization is focusing on what matters with respect to 340B compliance. There are many added benefits to implementing targeted auditing, including driving accountability and efficient deployment of resources.  Designing a targeted audit plan for your organization requires an initial time commitment, but the efficiency and effectiveness gained from that time spent is well worth the investment.


a. HRSA, “Notice regarding Section 602 of the Veterans Health Care Act of 1992 Patient end entity eligibility,” Federal Register, Oct. 24, 1996.

5 key 340B self-audit questions and considerations

Following are key questions 340B covered entities should address when implementing a targeted 340B audit approach:

  1. What populations of dispensations should I target (top drugs, locations, physicians)?
  2. How often should I perform transaction testing (quarterly, monthly, weekly)? It is important to remember that your answer to this question should drive the date range of dispensations in your sample. With weekly auditing, the sample should be from the previous week’s dispensations, and with monthly or quarterly auditing, it should be from past month’s or quarter’s dispensations, respectively.
  3. What sample size should I use for targeted audits? The size will depend upon the organization and the resources available to devote to self-audits. It also may depend on the organization’s level of comfort with adequate documentation and number of findings in self-audits.
  4. What sample size should I use for random audits? Risk still exists in the remaining population of dispensations, and covered entities should address that risk through random sampling. However, most of your sample should be targeted to specific risk.
  5. Who else should be involved throughout the organization? Whether or not you have a 340B analyst performing audits in your organization, members of health system leadership and pharmacy employees should be involved in follow-up with department managers to help drive accountability.


Automating 340B compliance

A 340B-covered entity can potentially gain huge benefits from incorporating audit automation into its 340B Compliance Program. The vast numbers of records in 340B audit populations call for some level of audit automation and validation of computer-generated reports to effectively address risk in the population. Covered entities also can use automation to enhance their approach to targeted auditing. Adopting computer-assisted auditing techniques or designing simple matching of specific attributes from different data sets can help to validate 340B dispensations and can allow the audit team to spend their time on records with a higher likelihood of an issue.



googletag.cmd.push( function () { googletag.display( 'hfma-gpt-text1' ); } );
googletag.cmd.push( function () { googletag.display( 'hfma-gpt-text2' ); } );
googletag.cmd.push( function () { googletag.display( 'hfma-gpt-text3' ); } );
googletag.cmd.push( function () { googletag.display( 'hfma-gpt-text4' ); } );
googletag.cmd.push( function () { googletag.display( 'hfma-gpt-text5' ); } );
googletag.cmd.push( function () { googletag.display( 'hfma-gpt-text6' ); } );
googletag.cmd.push( function () { googletag.display( 'hfma-gpt-text7' ); } );
googletag.cmd.push( function () { googletag.display( 'hfma-gpt-leaderboard' ); } );