Most hospital pharmacy teams treat procurement and 340B compliance as separate workflows. Purchasing manages the orders. Compliance manages the audits. The assumption is that one feeds the other cleanly, in sequence, without friction.
That assumption is where violations begin.
An estimated 18% of audits required repayment to manufacturers, and incorrect Office of Pharmacy Affairs Information System (OPAIS) records accounted for 62% of all audit findings. Neither of those failure modes originates in a compliance department. Both trace back to gaps in procurement data, documentation, and system integration.
Health systems that haven’t structured their operations around that reality are carrying more audit risk than they know.
The Purchase Is the First Compliance Decision
The 340B Drug Pricing Program requires that every drug purchased at a discounted price be dispensed to an eligible patient. That eligibility determination doesn’t happen at dispense. It begins the moment an order is placed.
Covered entities that purchase some drugs under 340B pricing and others at wholesale acquisition cost (WAC) must track which inventory is which from the point of purchase forward. A mislabeled order, a missed inventory segregation step, or a system that can’t distinguish between the two introduces a diversion risk before a single pill is dispensed.
The Health Resources and Services Administration’s (HRSA) diversion prohibition applies to the full transaction record from purchase to dispense. When documentation gaps exist in that chain, auditors find them. Those gaps almost always start in procurement, not in the pharmacy.
The Government Accountability Office’s (GAO) review of HRSA’s 340B oversight found that noncompliance tied to recordkeeping discrepancies, including patient eligibility and diversion, has been a persistent finding across multiple audit cycles.
Why Manual Procurement Workflows Create 340B Compliance Risk
Manual procurement processes introduce two compounding problems:
- Fragmented data. Without system integration, transaction records from wholesalers, EHRs, TPAs, and dispensing cabinets never form a single auditable chain.
- Incomplete transaction review. Sample-based auditing leaves most transactions unvalidated, which is exactly the gap HRSA exploits when it arrives.
Each creates its own audit exposure. Together, they make continuous 340B compliance nearly impossible at scale.
When Systems Are Disconnected, So Is Your Data
A typical covered entity generates 340B-relevant data across at least four systems:
- Wholesaler order records
- Electronic health records (EHR)
- Third-party administrator (TPA) claims
- Dispensing cabinet outputs
In most hospitals, those systems don’t communicate automatically. Staff reconciles them manually, usually on a periodic basis, and usually by sampling rather than reviewing every transaction.
When procurement data doesn’t feed compliance tracking in real time, the audit trail HRSA expects to see doesn’t exist as a continuous record. It exists as a patchwork of exports, spreadsheets, and manual entries that don’t hold up under scrutiny. Health systems frequently assume their documentation is complete, only to discover hidden gaps during HRSA audits or manufacturer inquiries.
Incorrect OPAIS records account for 62% of FY2024 audit findings, with filing date mistakes in Medicare Cost Reports leading the category. Those errors don’t necessarily surface in a compliance review. They surface in a purchasing workflow that no one has connected to OPAIS verification.
Sample Auditing Is No Longer Sufficient
Covered entities that rely on internal sample audits to validate their 340B eligibility are reviewing a fraction of transactions while HRSA reviews all of them. During a 340B compliance audit, HRSA tests 340B drug transaction records across the full scope of the program.
Findings in a sample extrapolate to the broader program, and organizations that have only validated their sampled transactions internally encounter findings in the transactions they never reviewed.
76% of 340B compliance managers expect regulatory oversight to increase over the next two to three years, yet half report auditing claims only monthly. That gap between expectation and practice is precisely where audit risk accumulates.
The shift toward continuous, automated monitoring reflects the realities of a program that now touches nearly every outpatient drug purchase a covered entity makes. Spot checks and monthly reviews leave too much of the transaction record unexamined.
The Compliance Stakes Have Risen
The risk profile around 340B compliance has changed significantly in the past two years. The consequences of non-compliance now extend further and arrive faster than they did when HRSA was the sole enforcement mechanism.
| Risk Factor | What It Means Operationally |
| HRSA audit findings | Financial repayment to manufacturers required within six months of corrective action plan approval |
| Manufacturer-initiated audits | The April 2024 dispute resolution update gives manufacturers a formal mechanism to file non-compliance claims against covered entities |
| OPAIS errors | 62% of FY2024 audit findings; the most common single source of repayment exposure |
| Program removal | Entities that fail to submit corrective action plans or meet implementation timelines face termination from the 340B program |
| Reputational exposure | HRSA posts audit outcomes publicly, including findings and associated sanctions |
In fiscal year 2025 alone, HRSA audited 115 covered entities, and nearly half received adverse findings. Incorrect OPAIS records appeared in 75% of those entities. At the same time, manufacturer restrictions on contract pharmacy participation continue to compress program margins.
Several of the largest drug manufacturers have unilaterally stopped providing discounts on 340B drugs dispensed through contract pharmacies, threatening the savings on which covered entities depend. In that environment, audit repayments represent a compounding financial hit on an already-pressured program.
The April 2024 update to HRSA’s administrative dispute resolution process deserves particular attention. Before manufacturers can file a non-compliance claim against a covered entity for alleged duplicate discounts or diversion, they must first conduct an audit of the covered entity.
Covered entities are no longer only accountable to HRSA. They are accountable to manufacturers who have both the incentive and the formal process to scrutinize 340B transaction records independently.
What Integrated Procurement and 340B Compliance Looks Like in Practice
Closing the gap between procurement and compliance doesn’t require restructuring a pharmacy organization. It requires connecting the data systems that those two functions already use and automating the validation steps that currently happen manually, late, or not at all.
In practice, an integrated model does the following:
- Unifies data sources. Wholesaler order records, TPA claims, EHR data, and dispensing cabinet outputs flow into a single system rather than being reconciled across exports.
- Validates eligibility continuously. Every transaction is checked against patient eligibility criteria and OPAIS registration data as it occurs, not after a reporting period closes.
- Matches OPAIS records daily. Discrepancies between registered program data and actual purchasing and dispensing activity are flagged before they accumulate into audit findings.
- Supports 100% transaction auditing. Internal audit coverage matches the methodology HRSA uses during a 340B compliance audit, so there are no unreviewed transactions when an auditor arrives.
- Distributes accountability. Procurement staff have visibility into the compliance implications of purchasing decisions. Compliance staff have real-time access to purchasing data. The organizational divide between those functions stops being a documentation gap.
95% of hospital pharmacy respondents identified streamlining purchasing as important or very important in Bluesight’s Hospital Pharmacy Operations Report, and 75% reported purchasing from four to nine different sources.
Every additional source is another data feed that has to be reconciled against 340B eligibility requirements, and hospitals that haven’t connected those feeds are leaving themselves exposed to the same reimbursement gaps that show up as audit findings.
How 340B Management Software Bridges the Gap
340B management software addresses the structural problem that manual workflows can’t solve: it connects procurement data to compliance validation in real time, across every transaction, without relying on periodic manual reconciliation.
Bluesight’s 340BCheck performs 100% transaction auditing across disparate data sources, including TPA and EHR, and automates the audit workflows that compliance teams currently manage by hand. Every transaction is validated against patient eligibility and OPAIS data. Discrepancies surface immediately rather than at quarter-end or during an audit engagement.
All program documentation, including TPA claims, audit reports, and pharmacy service agreements, is stored in a centralized location so covered entities are HRSA audit-ready at any point, not just when an engagement letter arrives.
Internal teams typically audit targeted or random samples to maintain compliance. 340BCheck audits 100% of claims, verifying every transaction rather than a representative slice. That eliminates the risk inherent in sampling, reduces manual workload, and means there are no unreviewed transactions for an auditor to find.
The platform also handles the operational side of accountability. Task assignment, follow-up deadlines, and internal compliance communications are managed within the same system, so procurement and compliance teams work from shared data rather than siloed reports.
Bluesight connects 340BCheck to CostCheck, its purchasing optimization platform, to close the loop between procurement and settlement. 340BCheck validates which claims should be submitted for rebates. CostCheck confirms receipt.
The result is end-to-end visibility from purchase through rebate settlement in one connected workflow, the kind of documentation chain that holds up under both HRSA and manufacturer-initiated audit scrutiny.
Procurement and Compliance Are One Workflow
The regulatory environment around 340B is tightening from multiple directions:
- HRSA has increased audit intensity, with nearly half of all audited entities receiving adverse findings in FY2025.
- Manufacturers now have a formal dispute resolution process that gives them independent audit rights over covered entities.
- State-level legislative patchworks continue to shift the contract pharmacy landscape, adding compliance complexity at every renewal cycle.
Every one of these pressures converges on the same operational requirement: documentation that is complete, continuous, and traceable from the point of purchase.
Covered entities that continue treating procurement and compliance as parallel, disconnected functions will find the gap between them in an audit finding. The question isn’t whether that gap creates risk. It does. The question is whether the systems are in place to close it before HRSA or a manufacturer does it for them. See how 340BCheck works or schedule a demo to see how Bluesight connects procurement and compliance into a single auditable workflow.