When a Midwestern behavioral health hospital went through its HRSA audit earlier this year, nobody in the 340B world was surprised by the outcome. HRSA questioned 63 prescriptions from psychiatrists treating patients who didn’t have a qualifying outpatient medical record in the hospital’s EMR. The hospital argued the encounters were part of a community therapy continuum under its care umbrella, but HRSA didn’t agree. The agency deemed the purchases non-qualifying and ordered refund calculations going back 18 months. That’s 2026 compliance in a nutshell: behavioral health hospitals sitting in the gray edges of the patient definition are first in line for findings.
Where the Patient Definition Breaks Down
HRSA hasn’t rewritten the statutory patient definition since 1996, but the 2026 enforcement tone is another story entirely. For behavioral health hospitals, HRSA is laser-focused on whether the encounter driving a prescription is unmistakably an outpatient hospital service. Auditors demand a direct clinical link, prescriber, record, and the covered entity’s clear responsibility for the care episode. If it looks like a community mental health referral, even if the psychiatrist carries hospital credentials, it’s being labeled ineligible. Full stop.
Behavioral health delivery models don’t make this easy. Split billing systems often operate off to the side of the core EMR, with manual crosswalks connecting therapy documentation and prescribing data. If you’re still passing Excel sheets back and forth between pharmacy and outpatient clinics, stop now. You will lose an audit. HRSA’s 2026 auditors are trained to follow data lineage. A compliant setup must produce audit-traceable records: encounter notes, prescriber verification, and documented attribution of hospital care responsibility. No shortcuts.
Dispensing Oversight: The Move Toward Real-Time Proof
In the 2026 audit manual, HRSA emphasizes real-time, or very nearly real-time, verification of each dispensed drug. Behavioral health hospitals that rely on batch validation cycles are out of step. Auditors want proof that every script is validated against an eligible encounter before replenishment occurs. That pressure has pushed compliance and automation into a head-on collision. If your pharmacy checks eligibility only after dispensing, it’s already behind regulatory rhythm.
Drug distribution trends add more chaos. According to Drug Channels’ March 2026 roundup, large payers such as Cigna and Express Scripts continue to build 340B “workarounds” within their vertically integrated networks. That design obscures the moment of dispense from covered entities and severs visibility into manufacturer channels. For behavioral health hospitals without in-house retail operations, this gap magnifies compliance risk. You need confirmation of dispensing data, not secondhand claim pings from a PBM portal.
The most disciplined programs now reconcile every dispense to a qualifying patient encounter within 48 hours. Miss that mark, and the transaction gets quarantined for manual review. It’s tedious, but far less painful than repayments and civil monetary penalties. Behavioral health hospitals using contract pharmacies should record their reconciliation process down to timestamps. When auditors see review delays longer than two business days, they issue notations. They’ve said so directly.
Contract Pharmacies: Access or Exposure?
In 2026, HRSA continues to hold covered entities, not the contract pharmacies, fully responsible for compliance. Behavioral health hospitals feel this unevenly because their networks often rely on local independents or community pharmacies for patient access. Yet PBM-owned specialty and mail-order players still dominate, as Drug Channels’ April 2026 analysis made clear. The result: behavioral entities lose real-time access to fill data. Bad visibility equals higher diversion risk, and no defense when HRSA requests proof.
Here’s the fix: renegotiate your contract pharmacy agreements. Require claim-level visibility including 340B status identifiers, not just monthly summaries. Demand remote audit rights and use them. HRSA now expects documented oversight, not after-the-fact reviews. If a pharmacy offers quarterly data feeds, that fails under 2026 expectations. Auditors are explicit, quarterly reviews don’t meet standards for high-volume or multi-site relationships.
Some hospitals are trimming their networks instead. One behavioral health system I advised last spring cut its partners from twelve pharmacies down to three, each connected to clinics they actually oversee. Sure, fewer rebates, but also fewer sleepless nights. Manufacturers still restrict 340B access in contract settings, and smaller, better-controlled networks mean cleaner data and reduced duplicate discount exposure. Look, bigger isn’t better here. It’s just louder risk.
Designing a Compliance Guide That Doesn’t Sit on a Shelf
Every behavioral health hospital needs a 340B program manual tailored to its unique care model, not a repurposed file from some other entity. Keep it alive and modular: eligibility (what counts), documentation (how to prove it), and oversight (how to verify it). Build a rhythm of internal challenge, auditing your own auditors. When HRSA flags documentation lapses, treat those as forecasts. Fix your EMR workflow and contract terms now. Waiting means defending those same gaps under oath next year. Nobody wants that hearing.
And one more thing: push your data partners. PBM-linked entities have locked up too much of the dispensing chain, limiting the visibility covered entities depend on. Behavioral health hospitals that can’t validate dispense custody can’t credibly defend 340B pricing. HRSA sees the difference. This year’s audits are making it plain which hospitals treat compliance as governance, and which still treat it as hope.
