When ESP Data Decides Whether You Get Drug Access
In early 2026, a large FQHC in Ohio found out the hard way that a single missing ESP submission date on three drugs, Humira, Jardiance, and Ozempic, can shut down its entire network overnight. AmerisourceBergen’s 340B feed went dark, wholesalers flagged “manufacturer dispute,” and suddenly sliding-fee patients were looking at full list prices. When the compliance manager called 340B ESP support, she got the familiar script: “Please resubmit your claims and wait for manufacturer processing.” It wasn’t an isolated case. ESP submission timing now effectively determines whether you have drug access, and one missed file can cost tens of thousands in lost margin before anyone even notices.
Since HRSA’s 2025 guidance reaffirming manufacturer restoration obligations, the balance of power shifted, but not cleanly. Novo Nordisk, AstraZeneca, and Eli Lilly have restored access only after “data validation” through ESP, while other entities still see inconsistent reinstatement depending on which wholesaler or contract pharmacy they use. HRSA officials said in February 2026 audit briefings that they’re “continuing to monitor compliance with manufacturer restoration timelines.” But the agency hasn’t explained how it will actually verify that ESP data submissions trigger restorations, which leaves everyone guessing where compliance ends and discretion begins.
HRSA Oversight Has Teeth, But Only If It Uses Them
After the District of Delaware’s 2025 decision upholding HRSA’s authority over manufacturer restrictions, the agency issued several letters warning that ongoing data-validation gating could count as an impermissible restriction. Still, no penalties have been made public as of April 2026. Manufacturers continue to rely on ESP as their compliance filter, demanding detailed NDC, claim, and payer-level data from covered entities to “prove non-duplication.”
Here’s the tension everyone sees: HRSA audit teams can review ESP documentation, but they don’t have direct access to the system. So they take whatever proof the entity offers, screenshots, confirmation numbers, internal logs, as evidence. The result? Massive inconsistency. Some auditors ask for file headers. Others accept confirmation emails. In a few 2026 audits, entities were even cited for “incomplete documentation of the manufacturer submission process” despite having ESP receipts in hand.
So oversight has evolved. HRSA isn’t questioning whether ESP exists anymore; they’re asking whether the entity has a defensible workflow around it. The politics have taken a back seat. It’s now about data traceability, timestamp discipline, and being able to prove you actually controlled your own inputs.
The Data Integrity Minefield
Every compliance officer I know says the same thing: ESP preparation is a full-time job. A single mismatch between a TPA export and an ESP field can derail a manufacturer’s restoration cycle. The usual culprits? NCPDP IDs, dispense dates, BINs, or prescriber NPIs that don’t align, tiny differences that trigger “invalid claim” rejections. That’s why some teams end up uploading multiple file versions just to satisfy varying manufacturer algorithms.
The fatigue is real. In February, one DSH hospital in Texas accidentally uploaded duplicate data for five outpatient pharmacies after its TPA failed to correctly separate commercial and Medicaid MCO claims. ESP accepted both files, but only one reached the manufacturers. When Lilly later investigated, four pharmacies lost access all over again. The hospital appealed through the 340B Prime Vendor, but HRSA told them “data validation disputes are outside statutory scope.” That gap leaves covered entities wedged between HRSA’s paper audit world and manufacturers’ private systems with no clear referee.
After sitting through too many post-audit debriefs this year, I’ve started telling teams to treat ESP hygiene like charge reconciliation. If you can’t reconcile claim counts and checksums before upload, you’re gambling with your access. HRSA hasn’t demanded that level of internal control yet. But it’s coming, and once auditors start tying submission discrepancies to diversion findings, data hygiene will decide who passes and who doesn’t.
How Access Restorations Are Playing Out in Practice
By spring 2026, nearly every one of the original 20 manufacturers that limited contract pharmacy participation had turned ESP into a condition of access. AstraZeneca wants biweekly data, Novo Nordisk wants quarterly files, Boehringer Ingelheim processes restorations monthly. HRSA’s 2025 memo told them restorations must happen “timely upon sufficient data,” but that word, “sufficient”, has no definition. So identical submissions can yield different outcomes depending on the manufacturer.
Hospitals with split-billing technology that auto-feeds into ESP usually see faster results. FQHCs running manual exports through Macro Helix or Sentry wait longer. It’s not about volume, it’s about credibility. Manufacturers trust automated feeds; they assume cleaner data. That bias leaves resource-limited entities at the back of the line, even when they’ve done everything right.
Some entities are pushing back, adding clauses to wholesaler agreements requiring notice before any re-block due to ESP delays. It’s a smart move, but mostly symbolic. Wholesalers still hide behind “manufacturer data policy” language, and HRSA hasn’t pressed them yet. No audit to date has forced a wholesaler to justify a re-block, even though those decisions often determine whether a 340B discount exists in practice at all.
Compliance Strategies That Actually Work in 2026
The entities still standing treat ESP as a regulatory deliverable, not an IT annoyance. They keep timestamped logs, run QA on every export, and talk directly with manufacturer 340B teams instead of generic ESP help desks. HRSA’s informal advice is clear enough: maintain “audit-ready documentation showing the sequence of data exchanges related to access restoration.” Translation, know exactly what you sent, when, and what came back.
I’ve watched small critical access hospitals dig out of chaos just by assigning one data coordinator to own their ESP cycle. One person. Excel sheets, time stamps, screenshots, but it worked. HRSA saw control, not confusion, and the manufacturer reopened the portal. It may sound tedious, but that’s compliance maturity in 2026. It’s not glamorous. It’s just deliberate.
Until HRSA publishes ESP audit standards, the safest path is obsessive documentation. Keep receipts of every file, every confirmation code, every follow-up email. Because when HRSA finally maps ESP activity into its audit framework, those with paper trails will step forward ready. Everyone else will wish they'd started earlier. And that’s probably how this chapter of 340B will be remembered, entities learning that control isn’t optional anymore, it’s survival.