HRSA’s 2024 audit findings changed the telehealth conversation
In late 2024, HRSA quietly revised its audit training slides for manufacturers and covered entities, highlighting “telehealth-prescribed outpatient drugs” as a new audit focus. That wasn’t a casual update. Several grantees were cited for diverting 340B drugs to patients whose prescriptions came from contracted telehealth providers with no verifiable link to the grantee’s scope of project. One FQHC lost nearly 14% of its 340B claims when HRSA found its telemedicine prescribers operated under a contractor, not under the health center’s medical oversight. HRSA’s stance is firm: a telehealth encounter must meet the exact same patient definition under the 1996 guidance as an in-person visit. Video doesn’t equal exemption.
The bigger issue, technology sped past the policy. The 1996 “patient” definition never imagined a video call or asynchronous prescribing app. Covered entities are improvising compliance policies to show they meet both telehealth billing rules and 340B eligibility standards. Some are succeeding; others are rolling the dice.
Where the patient definition still breaks down
HRSA’s position hasn’t changed since the 1996 Federal Register notice: an individual qualifies as a “patient” only if the covered entity has an established relationship and maintains health records of the encounter. In telehealth, that means the encounter must sit in the same EHR used for in-person visits, and the prescriber must be employed by or under contract such that clinical responsibility remains with the entity. That final clause, “other arrangements”, is where compliance counsel now spends most of its time.
Telehealth vendors like to assert their clinicians operate “on behalf of” the covered entity for 340B purposes. HRSA auditors have consistently pushed back when a provider’s NPI isn’t in the entity’s HRSA database and the contract fails to give the entity operational control. If a telehealth vendor such as Wheel, UpScript, or MDLive simply transmits a digital prescription for what it claims is your patient, but you never directed the care, it fails. HRSA’s 2023 audit summaries included multiple findings where entities repaid 340B savings for exactly these setups.
Programs that want to survive audit scrutiny are now structuring telehealth agreements as they once structured part-time specialty clinics, credentialing through medical staff, shared EHR access, routine peer review by the CMO. Anything looser, and the exposure isn’t hypothetical.
Pharmacy oversight gets messy in hybrid dispensing
Telehealth often links with mail or central-fill dispensing, and that’s where oversight unravels. Contract pharmacies love marketing “turnkey telehealth prescribing” that drops directly into their dispense queues. But covered entities remain fully responsible for 340B eligibility accuracy. HRSA hasn’t issued clear guidance on whether telehealth prescriptions through a contract pharmacy require separate procedures, yet auditors have asked for verification logs showing how the prescriber-patient relationship was confirmed for remote scripts. No records? That’s diversion.
One Midwest hospital system learned this the expensive way. Its telepsychiatry vendor handled after-hours consults. Vendor physicians wrote antidepressant prescriptions, captured in the system’s virtual EHR, filled at Walgreens, a contract pharmacy. The 340B software tagged those as eligible by NPI match. HRSA disagreed: no contractual delegation of clinical responsibility. Result, $412,000 repayment and immediate suspension of the telepsychiatry program. Hard lesson.
If you’re updating your compliance guide for 2025, tackle pharmacy oversight head-on. Spell out how virtual prescribers are credentialed, how routing is logged, and what exceptions trigger manual review when tech doesn’t match IDs. Don’t pretend your TPA can fix this upstream. TPAs handle data, not medical judgment. You need a human checkpoint in the workflow, period.
How to build a compliance guide HRSA can actually respect
By 2025, a workable telehealth 340B guide must mirror HRSA’s audit logic: demonstrate relationships, show documentation, prove control. No official HRSA checklist exists for telehealth, but recent audit letters make its expectations obvious. A defensible policy addresses at least four pillars:
1. Provider credentialing. Define how telehealth clinicians are brought under your license, contracts, malpractice coverage, credentialing minutes. HRSA will ask for them.
2. Encounter documentation. Every telehealth visit producing a 340B prescription belongs in your EHR, not the vendor’s app. Auditors look for encounter timestamps, codes, and notes that show real clinical responsibility.
3. Prescription matching. Crosswalk each telehealth script to an eligible patient record before applying 340B pricing. Relying only on NPIs? Too thin. Use encounter IDs or unique patient keys.
4. Audit trail and reconciliation. You should reproduce any telehealth-based dispense within five business days, traceable to the encounter note, not buried in a batch log.
The best-run programs don’t isolate telehealth. They fold it into quarterly oversight, stratifying claims by encounter type to measure error rates. Many FQHCs have learned that virtual visits fail HRSA’s patient test twice as often as in-person ones, almost always because of missing documentation. Frustrating, but fixable.
What’s next for HRSA and telehealth in 340B
HRSA hasn’t launched rulemaking to redefine “patient” for telehealth, but OPA leaders hinted during the 2024 340B Grantee Conference that updates are under review. Until then, conservative programs treat telehealth encounters as fully auditable patient visits. The legal landscape remains unsettled: the 2023 Adventist Health case questioned HRSA’s reliance on subregulatory guidance to define eligibility. Telehealth adds another layer of uncertainty. If courts restrict HRSA’s enforcement authority to the plain text of Section 340B(a)(5), entities could gain breathing room, emphasis on “could.”
For now, assume HRSA will keep applying the 1996 patient definition with sharper focus on virtual care. Before signing another telehealth contract, make sure your compliance guide spells out how that vendor fits within your HRSA registration, clinical governance, and records. If you can’t explain that linkage clearly, an auditor won’t buy it. Look, the technology’s exciting, but compliance isn’t optional. And that’s where most programs trip.