When HRSA Finds What the State Missed
In late 2024, HRSA ended an audit cycle where more than 40% of hospital findings involved Managed Medicaid duplicate discounts. These weren’t simple keying mistakes, they were breakdowns in system logic between the 340B claim identifier and the state’s rebate exclusion file. In one state, HRSA cited a large disproportionate share hospital for duplicate discounts on 3,200 claims because its third‑party administrator (TPA) was submitting rebate‑blocked claim data three weeks after the agency’s reporting deadline. The hospital had carved in all Medicaid and Managed Medicaid lines on its HRSA database record (as required under 42 USC 256b(a)(5)(A)) but assumed the MCOs and PBMs would automatically exclude those claims from rebate processing. They didn’t.
That assumption has turned into the single costliest compliance mistake in hospital carve‑ins. The exposure is no longer theoretical, OIG’s 2023 report pegged net rebate overpayments tied to 340B Managed Medicaid claims at $109 million nationwide. Manufacturers have used those numbers to pressure state Medicaid directors to restrict carve‑ins or demand monthly reconciliation reports. HRSA auditors now cross‑walk hospital Medicaid exclusion files against CMS’s MDRP rebate datasets, a task they couldn’t do effectively before 2023 because of incompatibility between HRSA’s OPAIS and CMS Form CMS‑R‑74 data.
Carve‑In Declared Doesn’t Mean Carve‑In Compliant
Listing “carve‑in” on OPAIS alone doesn’t satisfy HRSA. The agency makes that explicit in both the 2019 340B OPAIS User Guide and the 2020 audit protocol: the covered entity must show coordination with the state Medicaid agency to prevent duplicate discounts “in every Medicaid billing situation,” including MCOs. When auditors ask for proof, they’re not interested in a dusty MOU. They want file transmission logs and confirmation that the state actually uses those files for both fee‑for‑service and managed care processing.
Audits in 2025 show a new pattern. States like Virginia, Michigan, and Arizona have rolled out automated Medicaid NDC alignment checks. If a Managed Medicaid claim lacks the “20” modifier at the NCPDP level or doesn’t match the covered entity’s HRSA ID in the state database, the claim defaults into the rebate queue. HRSA counts that against the hospital. Once carve‑in status is declared, the burden of proving exclusion sits squarely on the covered entity. In one Arizona example, a health system’s FFS Medicaid mapping was fine, but its MCO identifiers were incomplete. HRSA concluded the hospital hadn’t truly “worked with the state,” the statute’s carve‑in requirement, and issued a finding.
That shift is changing compliance practice quickly. Hospitals that carved in every payer line are now re‑mapping data flows with state agencies. Some are carving out Managed Medicaid entirely, citing cost and audit exposure. Others are still discovering, too late, that a tagging glitch in their pharmacy software allowed unflagged MCO BIN/PCN combinations to slip into weekly extracts. I’ve seen systems forfeit millions through those quiet technical misses.
The Push‑Pull Between Manufacturers and States
Manufacturers have seized on these audit outcomes to argue that state carve‑ins make rebate validation unworkable. PhRMA’s 2024 comments to CMS on MDRP modernization pressed for centralized reporting, claiming states can’t reliably track 340B identifiers in MCO data. A few states agreed. Florida, for instance, froze all Managed Medicaid carve‑ins in 2024 after an OIG follow‑up exposed ongoing duplicate payments between 340B hospitals and SunPass MCO claims. HRSA hasn’t banned carve‑ins, but the mood has shifted: more states now require hospital attestation letters or quarterly reconciliations to keep carve‑in status active.
From the hospital vantage point, the legal gap is maddening. The 340B statute doesn’t distinguish between FFS and MCO Medicaid, it simply forbids duplicate discounts. HRSA, though, defines “duplicate” so broadly that any claim potentially invoiced for a rebate qualifies. Hospitals have told HRSA they can’t control how Managed Medicaid PBMs process NDC data after it leaves their network. HRSA’s position, stated in 2024 audit letters, is: “If you can’t demonstrate control, don’t carve in.” No ambiguity left there.
Meanwhile, the workload for states is crushing. Some Medicaid agencies now field exclusion files from over 120 covered entities every month. Each one in a slightly different format. The NCPDP D.0 “420‑DK” field helped, but uneven PBM mapping still breaks the chain. HRSA’s audit contractors, Public Consulting Group and newly added Guidehouse, have started requesting documentation from both hospitals and state agencies. That’s new territory. Audits have become joint exercises in accountability, not just hospital reviews.
What Better Coordination Looks Like in 2025
The cleanest systems use full EDI integration between the hospital TPA and the state’s rebate database, with carve‑in attestations tied to weekly automated file drops. Hospitals appoint a Medicaid coordinator who reviews every Managed Medicaid claim before it hits the 340B accumulator. States verify HRSA IDs in real time. Minnesota’s Department of Human Services is piloting this model, and its 2024 audit reports came back with zero duplicate discount findings. Contrast that with Illinois, where 27% of audited hospitals had Managed Medicaid duplicates because the state processed only FFS rosters.
Getting to that level means both sides must abandon old assumptions. The annual carve‑in declaration doesn’t carry through complex MCO networks. Every PBM environment is its own compliance universe. I tell clients bluntly: if you can’t locate a claim right now and see its 340B status, you’re already offside. The TPA contract has to guarantee tagging accuracy and reconciliation timelines. Most still don’t. HRSA’s 2025 draft audit protocol, circulated in February, adds a new test point requiring “evidence of third‑party oversight of Managed Medicaid data transmissions.” Quiet clause. Big consequence.
There’s no easy shortcut. Even with clean EHR mapping, preventing duplicate discounts in Managed Medicaid takes monthly coordination, hospital, TPA, MCO, PBM, and state agency all moving in sync. HRSA isn’t waiting for the technology to mature; findings are being issued now. With states embedding 340B‑exclusion validation directly into rebate analytics, every late or partial submission becomes an audit risk. For hospitals relying on 340B savings to offset uncompensated care, often 8-12% of annual net revenue, that’s not a minor compliance box to tick. It’s survival. And that’s where most of them finally realize: the paperwork never was the problem.