When specialty data becomes a compliance risk
In early 2026, HRSA rebilled a major 340B hospital after discovering that a contract specialty pharmacy shared refill data through a non-secure API with a third-party hub vendor. The prescriptions themselves were fine. But HRSA decided that unsecured transfer compromised patient eligibility verification, an integrity requirement under section 340B(a)(5)(A). It was the first time HRSA called out data controls, not diversion or duplicate discounts, as the reason for a repayment. That’s a turning point.
Covered entities have leaned on specialty networks for years, and the tech stack around those pharmacies has become tangled and opaque. Every manufacturer hub, data aggregator, and REMS portal adds new audit exposure. A single limited-distribution drug might touch four different systems before a claim reaches the TPA’s accumulator. Regulators now expect you to prove that every data handoff preserves patient eligibility integrity. That’s not theoretical anymore; it’s operational reality.
HRSA’s 2025-2026 focus on tracing limited-distribution drugs
During the 2025 audit cycle, HRSA flagged over sixty covered entities for “insufficient oversight of limited-distribution or restricted access drugs.” Inspectors zeroed in on biologics and gene therapies released only through exclusive distributors. In the past, entities treated those as a manufacturer problem. By late 2025, HRSA shifted its stance: if you claim 340B pricing on a limited-distribution NDC, you must document exactly how access was obtained and show that your purchasing relationship meets the manufacturer’s allocation rules.
The practice risk is obvious. Specialty manufacturers routinely require prescriber attestation and patient enrollment in a support program before shipment occurs. If the prescriber works for the covered entity, your clinic ownership and encounter data must match the 340B patient definition. In 2026 audits, HRSA has asked for proof that the patient’s care occurred within the entity’s scope before enrollment in a manufacturer’s program. If that link isn’t airtight, your covered entity status won’t shield you.
Look, a children’s hospital recently lost a case on exactly this point. Its CF clinic had referred patients to a manufacturer’s specialty pharmacy rather than using its in-house or contracted TPA channel. HRSA saw that referral as a break in eligible service, classifying all downstream claims as diversion. That single logic chain cost roughly $1.2 million in refunds. The message is simple, limited-distribution access doesn’t let you sidestep eligibility documentation.
Building data-sharing controls that survive audit evidence tests
Most specialty integration failures begin with configuration, not policy. Covered entities often assume that if their TPA imports claims from a specialty pharmacy, patient eligibility was verified earlier. HRSA’s 2026 audits test that directly. Inspectors now compare the timestamp of patient encounter validation with the timestamp of claim import. If import arrives first, HRSA calls it retroactive eligibility assignment, a clear violation.
Effective control depends on sequencing. A compliance guide should map how prescription origination, encounter documentation, patient verification, and purchase attribution flow through your system. Each partner, TPA, specialty pharmacy, EHR integrator, manufacturer hub, needs a documented transmission method, retention period, and security standard. HRSA now expects covered entities to produce end-to-end file evidence, not verbal assurances. Contract addenda must spell out when and how the pharmacy transmits dispensing and refill files and who can reconcile mismatches.
Late 2025 oversight bulletins made something else unambiguous: covered entities remain responsible for claim-level traceability even if using non-owned specialty pharmacies or manufacturer hubs. “The TPA handles that” is no longer a defense. HRSA wants an internal audit trail linking each specialty claim ID to a clinical encounter in your EMR. No EHR visibility? Then negotiate a data-sharing agreement for read-only access before you rely on external claims. Anything less is a gap HRSA will notice.
Designing real-world oversight inside the 340B team
Creating a specialty integration guide isn’t an IT checklist, it’s operational compliance policy. The document should connect pharmacy data flows to program accountability. Good frameworks answer who approves new limited-distribution contracts, how crosswalk tables manage refill sync, and which team reviews exceptions. HRSA doesn’t demand uniform setup, but they want visible review before claims go out the door.
The hospitals coming out of 2026 audits with no findings share one habit. Each month, a pharmacy compliance analyst runs a report of 340B-flagged specialty NDCs, compares dispensing source, eligibility record, and prescriber location, then holds mismatches for secondary review. They record every exception rationale as an audit note, not an email. HRSA doesn’t read every message, yet they always sample at least five outlier claims. When each note cites encounter data and logic, repayment risk drops fast.
Contract pharmacy oversight remains harder. Limited-distribution drugs almost always move through external pharmacies. Since 2025, HRSA has required proof that entities “periodically validate contract pharmacy data integrity.” The phrase isn’t defined, but in practice it means sampling claim-level data quarterly and confirming that each patient record aligns with encounter documentation at the parent site. When identifiers are missing, escalate. HRSA has repeated that data limitations never excuse noncompliance. And they mean it.
Adapting to manufacturer restrictions and the ESP data squeeze
Manufacturer restrictions trail only data-sharing lapses as compliance pain points. By 2026, more than thirty manufacturers used the 340B ESP platform for claims data submission. Specialty coverage often hinges on when those ESP files get uploaded. Some covered entities transmit raw prescription data almost instantly, raising HIPAA concerns. Your compliance playbook should specify which data elements transmit, who receives them, and under what legal authority. Check your Business Associate Agreements to confirm these disclosures fit HIPAA’s operational boundaries.
Court rulings continue to support HRSA’s right to enforce 340B pricing, though distribution channel control remains untested ground. The 2025 Novartis v. HHS decision confirmed both points: HRSA can penalize manufacturers for violations, but entities must still follow manufacturer distribution protocols for limited-distribution drugs. So your internal policy must balance both, HRSA’s audit expectations and manufacturer access rules.
Ultimately, specialty integration thrives on transparency, not speed. The covered entities that treat their data streams with the same diligence as clinical notes, timestamped, verified, retained, are the ones that stay clear of corrective action plans. The statute hasn’t changed in decades. Yet in 2026, compliance lives in the feeds, not in the invoices. And that’s where we all need to be watching.