In fiscal year 2025, HRSA audited 115 covered entities — and 49% received adverse findings. In other words, nearly one in two programs had a 340B compliance issue last year.
While this is an improvement from FY24, when 64% of audited entities had adverse findings, 2025 findings show that compliance remains a persistent issue. This is particularly relevant for hospital-based programs, which made up 84% of FY25 audits – including Disproportionate Share Hospitals, Critical Access Hospitals, and Rural Referral Centers – while the remaining 16% were grantees, including FQHCs, HRSA-funded health centers, Ryan White clinics, and STD clinics.
The top audit findings aren’t obscure or unpredictable. They are known, preventable, and detectable before HRSA ever shows up.
What HRSA Found in FY2025
The data reveals that the top audit finding continues to be incorrect OPAIS records. Among the 56 entities with adverse findings:
- 75% were found to have incorrect OPAIS records
- 50% were found to have duplicate discounts or Medicaid Exclusion file findings
- 25% were found to have 340B diversion
- 2% were found to have a GPO violation
The top three audit findings continue to be consistent over the years, and 340B covered entities can take concrete steps to avoid putting themselves at risk.
1. Incorrect OPAIS Records
What auditors look for: Complete, accurate, and current registration data for all sites, contract pharmacies, and child sites in OPAIS.
Incorrect OPAIS records remained the most common finding in FY2025, appearing in three quarters of covered entities with adverse findings. Common issues include:
- Contract pharmacy lifecycle gaps, such as terminated contract pharmacies not being removed, duplicate registrations, and pharmacies with no valid contract being listed.
- Missing eligible sites – including the omission of outpatient facilities or grant-associated sites
- Ineligible or incorrectly registered site
- Address and location errors
- Medicare Cost Report errors, such as incorrect filing dates, reporting periods or DSH percentages.
- Entity record issues including incorrect EIN, classification, or contact information.
These errors are typically administrative gaps but HRSA treats an inaccurate registry as a compliance failure. Yet, many programs still treat OPAIS as a one-time, annual task rather than an ongoing obligation. The impact goes beyond a single finding. Because HRSA relies on OPAIS to validate eligibility, inaccurate records can cause otherwise compliant transactions to appear improper — triggering additional findings like diversion.
How to avoid it: Treat OPAIS as living documentation. Confirm parent, child sites, and all contract pharmacies are correctly listed in OPAIS with accurate names and addresses — and update changes within days, not weeks. While this can be difficult to manually maintain, 340B compliance software can catch OPAIS errors and mismatches as they occur.
2. Duplicate Discounts
What auditors look for: Evidence that a 340B-priced drug was also billed to Medicaid.
Duplicate discounts are most often tied to issues with the Medicaid Exclusion File (MEF). An incomplete or inaccurate MEF exposes programs to violations — even when prescribing and dispensing are otherwise compliant. In fact, of the 28 entities that HRSA flagged Medicaid Exclusion File findings for, five were determined to have no actual duplicate discounts, meaning the error was administrative, not financial.
As more Medicaid beneficiaries are enrolled in managed care organizations (MCOs), duplicate discount risk grows. MCO claims can look like commercial transactions on the surface, making them easier to miss.
How to avoid it: Treat MEF management as continuous, regularly verify your carve-in or carve-out status by state and site, and cross reference every claim. Use a 100% self-audit tool to automatically detect transactions that are missing modifiers and identify where your EMR may have failed to flag a Medicaid Managed Care plan.
3. Diversion
What auditors look for: Evidence that 340B drugs were dispensed to ineligible patients.
Diversion remains one of the most scrutinized areas in every audit cycle. The most common diversion finding is 340B drugs dispensed at contract pharmacies or covered entities for prescriptions written at sites that were not registered as 340B locations.
Additional diversion risk factors include:
- Gaps in eligibility policies and procedures
- Missing or incomplete transaction documentation
- Reliance on sampling instead of full transaction auditing
When diversion is identified, repayment to manufacturers is required, which can be significant.
How to avoid it: Implement 100% transaction-level auditing, including confirming eligible patients, providers, and locations for each 340B transaction.
The Consequences of HRSA Findings
In FY2025, 64% of covered entities with adverse findings faced one or more sanctions, which had tangible operational and financial consequences:
- 50% were required to repay manufacturers. This is the most common sanction, and for programs running high volumes of 340B claims through contract pharmacies, repayment obligations can be significant. Repayment is calculated at the difference between the 340B price paid and the non-340B price — effectively eliminating the program’s savings on those transactions.
- 21% had site terminations. This includes registered sites that were determined to be ineligible for participation, as well as sites that had been closed in practice but never removed from OPAIS. Site terminations can affect program scope immediately and require administrative cleanup that distracts compliance teams from other priorities.
Beyond the direct financial and operational impact, adverse findings carry reputational weight. Health systems that are cited by HRSA — particularly for repeat findings — face increased scrutiny in future audit cycles and may find their contract pharmacy arrangements subject to additional manufacturer restrictions.
What Separates Programs That Pass from Programs That Don’t
The pattern behind FY2025’s findings show that adverse findings almost always trace back to gaps that continuous compliance practices would have caught. Programs that consistently demonstrate clean audit results share a few characteristics:
- OPAIS records are verified and updated continuously, not reviewed once a year before an audit.
- Transaction auditing covers 100% of 340B activity, not sampled spot-checks.
- Policies and procedures are current, documented, and accessible rather than buried in a shared drive folder from a prior compliance cycle.
- When HRSA announces an audit, the program can respond to requests quickly and confidently, because the documentation has been maintained all along.
In FY2025, among covered entities using 340BCheck, zero received adverse audit findings — compared to a 49% adverse finding rate across all audited entities. 340BCheck is specifically built around the compliance gaps that HRSA looks for and consistently cites and includes: daily OPAIS synchronization, contract pharmacy and pharmacy service agreement management, 100% transaction audit coverage, centralized policy and procedure management, and mock audit workflows designed to ensure your documentation holds up under scrutiny.
The goal is to run a program that is consistently HRSA audit-ready – in which HRSA can arrive on any day and find nothing to cite. To see how 340BCheck supports covered entities in building a continuously compliant program that will hold up against a HRSA audit, request a demo.