Program Integrity

Audit Number
Only one audit of a covered entity will be permitted at any one time. When HRSA has received a request from a manufacturer to conduct an audit, HRSA will determine whether an audit should be performed by the Government or the manufacturer.

Audit Duration
Audits will be performed in the minimum time necessary with the minimum intrusion on the covered entity’s operation.

Audit Scope
HRSA’s 340B Program audits review covered entity compliance with respect to eligibility status, including compliance with the Group Purchasing Organization (GPO) prohibition as applicable (see 42 USC 256b(a)(4)(L)(iii)), duplicate discounts, and diversion as defined by42 USC 256b(a)(5)(A) and (B).

Auditors conduct 340B Program audit field work for the HRSA Office of Pharmacy Affairs (OPA).

Pre-Audit

• Covered entities selected for audit receive an engagement letter explaining what to expect and how to appropriately prepare.
• Auditors conduct an introductory teleconference with the entity to request and obtain specified documents, including policies, procedures, and internal controls.
• Auditors work with the entity to schedule an opening meeting with key covered entity management to discuss expectations for the onsite audit.

Onsite Audit

• Auditors obtain and review select 340B Program data and internal controls.
• Audit procedures include, at a minimum:
  • review of relevant policies and procedures and how they are operationalized;
  • verification of eligibility, including GPO and outpatient clinic eligibility;
  • verification of internal controls to prevent diversion and duplicate discounts, including how the covered entity defines whether a patient is considered inpatient or outpatient, HRSA Medicaid Exclusion File designations, and accuracy of covered entity’s 340B OPAIS record;
  • review of 340B Program compliance at covered entity, outpatient or associated facilities, and contract pharmacies; and
  • testing of 340B drug transaction records on a sample basis.
• Auditors collect the facts throughout the audit but are not authorized to summarize any findings to the entity. Their report to OPA will contain the facts as they understand it and must undergo OPA review. Additionally, any auditor statements made during the audit are not considered final and are subject to change.

Desk Audits

Except for the on-site visit, normal 340B audit procedures are followed for a desk audit. In place of the on-site visit, the auditor communicates with the covered entity using Secure Workspaces, Secured Email, Adobe Connect, and teleconference.The auditor will ensure appropriate communications are encrypted and secure, and test those communications with the covered entity before beginning the desk audit. Abode Connect is the preferred method to review sample items and patient records.  Secure Workspaces and Secured Email could be used in the case of scanning paper documents.

Post Audit

• Auditors forward a preliminary report to OPA for review.
• OPA reviews the preliminary report, drafts a Final Report and issues the report to the covered entity, with a request for a corrective action plan (CAP), if applicable.

Notice and Hearing

• After HRSA issues a Final Report, the covered entity has 30 calendar days from the date of the HRSA Final Report to review findings noted in the HRSA Final Report, and to review HRSA’s request for a CAP related to the findings noted.
• If a covered entity agrees with the Final Report, a covered entity must submit a CAP to HRSA within 60 calendar days for HRSA’s approval. If a covered entity is submitting disagreement with the audit findings, the covered entity should not submit a CAP until HRSA review of the disagreement is complete. When HRSA review of the disagreement is complete, HRSA will request a CAP at that time if one is still required.
• If a covered entity disagrees with the Final Report, it shall notify HRSA in writing within 30 calendar days with appropriate supporting documentation of the covered entity’s disagreement.  OPA reviews the covered entity’s response and, if appropriate, may reissue the Final Report if changes are made based on documentation submitted.  
• If an entity fails to submit a CAP, it may be removed from the 340B Program.
• Once an audit report is finalized by OPA, the findings and any associated corrective action will be summarized on the OPA public website.

Corrective Action Plan Implementation and Repayment

• Unless otherwise approved by HRSA, full CAP implementation and settlement with manufacturers, is expected to be complete within six months of the CAP approval date. Covered entities unable to meet this expectation may be subject to termination from the 340B Program.
• For audits beginning after October 1, 2015, covered entities will no longer be required to post a public letter to manufacturers on HRSA’s website. Instead, HRSA will post a notice on its website to alert manufacturers to the extent that violations have occurred. This notice will include findings of the 340B Program audit requiring repayment and entity contact information for manufacturers to utilize. Covered entities are responsible for identifying and contacting all affected manufacturers to notify them of 340B Program violations and to discuss a method for possible repayment. HRSA will close out the audit once the covered entity attests that all repayments have been resolved (if necessary), and that the CAP has been fully implemented.
• The covered entity may be required to submit additional documentation, as determined by HRSA, to demonstrate its CAP implementation, including any applicable repayment to manufacturers.
• HRSA may re-audit a covered entity to assess compliance with 340B Program requirements.
• Covered entities with a re-audit that identifies the same exact finding of non-compliance, may be subject to additional audits. A finding of non-compliance with the diversion prohibition in two or more audits, depending on the nature of the violation, may be considered systematic and egregious, as well as knowing and intentional, which may result in the covered entity being removed from the 340B Program in accordance with section 340B(d)(2)(B)(v) of the Public Health Service Act. Such a finding may also disqualify the covered entity from re-entry into the 340B Program for a reasonable period of time.

Audit Standards
HRSA has developed a program-specific audit process for its 340B compliance audits. 340B compliance audits are conducted by highly trained auditors in accordance with this process. Unlike other statutorily authorized programs, the 340B statute does not require HRSA to use Generally Accepted Government Auditing Standards (GAGAS) for 340B Program audits.

Audit Duration
Audits will be performed in the minimum time necessary with the minimum intrusion on the manufacturer’s operation.

Audit Scope
HRSA’s 340B Program audits review manufacturer compliance with respect to eligibility status, including compliance with 340B Program requirements and the determination that the manufacturer provided 340B drugs at or below the 340B ceiling price to participating covered entities.

Auditors conduct 340B Program audit field work for the HRSA Office of Pharmacy Affairs (OPA).

Pre-Audit

• Manufacturers selected for audit receive an engagement letter explaining what to expect and how to appropriately prepare.
• Auditors conduct an introductory teleconference with the manufacturer to request and obtain specified documents, including policies, procedures, and internal controls.
• Auditors work with the manufacturer to schedule an opening meeting with key management to discuss expectations for the audit.

Onsite Audit

• Auditors obtain and review select 340B Program data and internal controls.
• Audit procedures include, at a minimum:
  • review of relevant policies and procedures and how they are operationalized;
  • verification of internal controls to determine if the manufacturer is abiding by the terms of the 340B statute (section 340B of the Public Health Service Act (‘‘PHS Act’’)), including offering registered covered entities access to covered outpatient drugs at statutorily required pricing and;
  • testing of 340B sales transaction records on a sample basis.
• Auditors collect the facts throughout the audit but are not authorized to summarize any findings to the manufacturer. Their report to OPA will contain the facts as they understand it and must undergo OPA review. Additionally, any auditor statements made during the audit are not considered final and are subject to change.

Desk Audits

Except for the on-site visit, normal 340B audit procedures are followed for a desk audit. In place of the on-site visit, the auditor communicates with the manufacturer using Secure Workspaces, Secured Email, Adobe Connect, and teleconference. The auditor will ensure appropriate communications are encrypted and secure, and test those communications with the manufacturer before beginning the desk audit. Abode Connect is the preferred method to review sample items and policies and procedures. Secure Workspaces and Secured Email could be used in the case of scanning paper documents

Post Audit

• Auditors forward a preliminary report to OPA for review.
• OPA reviews the preliminary report, drafts a Final Report and issues the report to the manufacturer, with a request for a corrective action plan (CAP), if applicable.

Notice and Hearing

• After HRSA issues a Final Report, the manufacturer has 30 calendar days from the date of the HRSA Final Report to review findings noted in the HRSA Final Report, and to review HRSA's request for a CAP related to any findings noted. If no adverse findings are cited, a letter will be sent to the manufacturer stating such and the audit is considered closed at that point.
• If a manufacturer agrees with the Final Report, a manufacturer must submit a CAP to HRSA within 60 calendar days for HRSA’s approval.
• If a manufacturer disagrees with the Final Report, it shall notify HRSA in writing within 30 calendar days with appropriate supporting documentation of the manufacturer's disagreement. OPA reviews the response and, if appropriate, may reissue the Final Report if changes are made based on documentation submitted.
• Once an audit report is finalized by OPA, the findings and any associated corrective action will be summarized on the OPA public website.

CAP Implementation and Repayment

• HRSA will post a public notice in order to publicly alert covered entities to the extent that violations have occurred. This notice will include findings of the 340B Program audit requiring repayment and manufacturer contact information for covered entities to utilize. Manufacturers are ultimately responsible for identifying all affected covered entities and for contacting each to notify them of program violations and to begin a dialogue on a method for possible repayment. HRSA closes out the audit once the manufacturer attests that all repayment is resolved (if necessary) and that the CAP has been fully implemented.

Audit Standards
HRSA has developed a program-speciic audit process for its 340B compliance audits. 340B compliance audits are conducted by highly trained auditors in accordance with this process.