A few months ago, a hospital-owned retail pharmacy in the Midwest failed a 2026 HRSA audit because its clinic-dispense encounters were missing one key piece, proof that the prescribing provider actually worked for the covered entity when the drug was ordered. The prescriptions looked legitimate. The NPI matched a credentialed provider with privileges in the system. But HRSA’s audit team dug deeper and traced those orders back to an after-hours clinic owned by the pharmacy, not listed on the entity’s OPAIS registration. Every prescription from that clinic was flagged as diversion. Right now, pharmacy-owned clinics are squarely in HRSA’s sights, and feeling it.
HRSA’s 2026 Focus Has Shifted to Where Prescriptions Begin
This year, HRSA’s Office of Pharmacy Affairs isn’t centering its audits only on duplicate discounts or contract pharmacy recordkeeping. Its field teams are drilling into exactly how each prescription originates, on-site and off-site alike. The question is simple: can you prove every prescription ties back to an eligible encounter with a covered-entity provider, at a location listed in OPAIS? Documentation must demonstrate the clinic relationship is organizational, not just physical. When the pharmacy owns the clinic but the entity bills under its own NPI, HRSA now expects structural proof: delegation agreements, shared provider rosters, integrated encounter data. In short, verifiable control under the 340B patient definition.
That’s created friction for independent and health-system outpatient pharmacies alike. Many built pharmacy-owned walk-in clinics to expand access for uninsured or 340B-eligible patients. Trouble is, when those clinics sit outside the hospital cost report or FQHC scope, the origin of prescriptions gets murky fast. HRSA auditors have become especially alert to “shared EHR” setups across covered and non-covered entities. Same EMR doesn’t mean same entity. That’s the compliance cliff most programs slide off without realizing.
Next Problem: Inventory Links Don’t Always Tell a Clean Story
If your origination data holds up, inventory is usually the next snag. In 2026, HRSA audits are reviewing real-time inventory feeds instead of static accumulator summaries. Auditors trace drug shipments from wholesaler purchase to patient dispensing and then compare those against 340B-eligible encounters. If a pharmacy-owned clinic taps into the same inventory as its retail operation, without a controlled virtual 340B model under clear replenishment rules, HRSA flags it as possible comingling.
Drug Channels Institute’s 2025 analysis of U.S. pharmacies showed an ongoing wave of consolidation among PBM-owned chains. That concentration reinforces HRSA’s suspicion that integrated networks blur 340B and commercial inventory for efficiency. Independent covered entities, meanwhile, have fewer contract partners but greater scrutiny, especially around how their data flows between clinic systems and pharmacy software. The more a single organization controls both ends of the process, the higher the bar for demonstrating clean separation.
Today, field auditors routinely demand three full years of order-to-dispense traceability. They check timestamps across purchasing, prescription entry, and replenishment. A few hours of mismatch can prompt a deep dive into your TPA sync settings. If you can’t show an automated, auditable connection, HRSA labels it manual reconciliation, and from there it’s a short road to a diversion finding.
Building a Compliance Framework That’s Actually Operable
Writing a policy binder isn’t enough. Real compliance starts with defining which clinics are covered in OPAIS. If the pharmacy owns a clinic but the entity bills under its cost report, internal documentation must show the site functions as part of the covered entity. Every prescriber should appear on the entity’s credentialed roster, and every encounter should feed the same billing system used at other registered sites. That’s structural proof, not paperwork.
Then come prescription origination checks. HRSA now wants immediate linkage between the encounter and the claim. Configure the EHR workflow to tag encounters under your internal patient definition policy and have that tag push directly to your TPA or split-billing logic. Programs that succeed in audits don’t chase reports, they open an encounter and display the tagged provider, service location, and transaction ID linking to the replenishment order. That’s what HRSA calls “transparent traceability.”
And inventory. If your pharmacy fills both 340B and commercial scripts out of one location, the virtual inventory must handle automatic replenishment from actual 340B dispenses. Avoid manual adjustments or periodic “true-up” file uploads. HRSA’s tolerance for that approach is gone. If your system can’t produce one-to-one linkage on demand, expect a finding. Simple as that.
Lessons From the Systems That Took the Hit
Consider a Texas hospital system audited this spring. They had a polished, consultant-written policy manual, glossy pages, good intentions, but forgot to register their pharmacy-owned urgent care sites in OPAIS. Every prescription flowed through the same EHR as the hospital’s outpatient departments, so administrators assumed it was fine. HRSA disagreed. Because those sites weren’t on the cost report or in OPAIS, every pharmacy-originated prescription there was ruled ineligible. The loss? About $1.3 million in 340B revenue. The missing piece wasn’t policy, it was the data crosswalk connecting HRSA registration, EHR IDs, and pharmacy inventory files.
Organizations surviving 2026 audits took another route. They repositioned IT artifacts, EHR mapping tables, inventory sync logs, as compliance evidence. Pharmacists took ownership of verification routines. Instead of periodic self-audits, they review random 340B claims weekly, matching prescriber NPI, location, and replenishment data. They stopped using the word “audit.” It’s ongoing verification now, and HRSA’s reviewers recognize that as proactive control, not paper defense.
There’s also a mindset shift underway. Many pharmacy leaders still act as if HRSA’s pre-2024 leniency holds. It doesn’t. The 2026 audit teams arrive with data scientists who import your EHR export and flag timestamp mismatches before you even log in. A single nurse mis-click in scheduling can ripple into weeks of documentation scramble. The fix? Nail down data definitions before they can expose the gaps for you. Look, compliance isn’t about more binders, it’s about system design that won’t lie under audit pressure.
Pharmacy-owned clinics remain powerful tools for expanding 340B access, but only when built on clean registration, controlled billing ownership, and rigorous inventory segregation. Without those, they’re easy audit targets. HRSA isn’t guessing anymore; it’s confirming every record against OPAIS filings, cost reports, and wholesaler data feeds. Entities failing this year’s audits share the same flaw: they still view compliance as a paperwork exercise. The solution lives upstream, in data architecture and accountability, not memos.
