HRSA Auditors Are Zeroing in on State Medicaid Data Gaps
Every 340B administrator who’s endured a recent HRSA audit can tell you, the tone is different now. In 2026, auditors aren’t limiting their scope to exclusion files or contract pharmacy invoices. They’re pulling state Medicaid rebate records and crosswalking them to your HRSA declarations. The Integrity and Oversight Division, which HRSA stood up in 2025, has made this comparison routine: what the covered entity says it carved in must match what the state says it rebated. If there’s daylight between the two, HRSA directs the manufacturer to pursue repayment, sometimes even before the entity knows it’s been flagged.
I saw this play out at a Federally Qualified Health Center in Texas. The site carved in for fee-for-service Medicaid, but the state rebate file included several NDCs dispensed through its contract pharmacy network. The data vendor had correctly labeled those claims “Medicaid Excluded = Y,” but a third-party processor used a BIN/PCN pair the state didn’t recognize. That small mismatch triggered 42 “potential duplicate discount” findings. The clean-up stretched on for months, and the manufacturer, AstraZeneca, demanded repayment at wholesale cost instead of the 340B-to-WAC margin. Brutal example of how precise the game has become.
Contract Pharmacies Have Become the Weakest Link in Carve-Out Consistency
When HRSA reiterated its expectations for contract pharmacy oversight in the 2025 update to the old 1996 guidance, it didn’t create new rules. Still, auditors clearly took it as an operational directive. Any contract pharmacy setup that fails to align with the entity’s carve-in status or a state’s Medicaid billing logic now gets written up. The choke point, over and over, is communication: data vendors and contract pharmacies not staying synchronized on which Medicaid BIN/PCNs apply. Sounds easy to fix, until you remember that states like Florida and Michigan completely retooled their managed Medicaid identifiers in 2025. Miss one update, and your system creates instant audit exposure.
Even tiny discrepancies draw findings. One unmarked Medicaid managed care claim? HRSA calls it a duplicate discount until you can disprove it. By 2026, auditors had started demanding contract language and technical documentation proving how third-party administrators prevent such errors. A simple policy that says “we carve out Medicaid MCO claims” doesn’t cut it anymore. They want to see the mechanics, tables, maps, and transmission workflows.
At one DSH hospital in Illinois, that standard was met the hard way. HRSA issued a material breach notice citing missing controls across ten contract pharmacies. The hospital leaned on a TPA exclusion file that hadn’t been refreshed since the state consolidated its managed care networks in 2025. The penalty exposure: $2.6 million in manufacturer rebates. Only a one-off internal extract saved them, showing those 340B claims never hit the state rebate feed. That rescue trick won’t fly under HRSA’s new 2026 crosswalk file format, which mandates direct traceability.
Manufacturer Leverage Is Growing Through the HRSA-ESP Portal
Manufacturers have been studying HRSA’s audit patterns and using the ESP data portal as leverage. Since 2025, nearly every major manufacturer with contract pharmacy limits, Eli Lilly, Novo Nordisk, Johnson & Johnson, AbbVie, has been cross-referencing covered entity submissions through ESP against state rebate systems. In theory this prevents “double dipping.” In practice, it gives them an early look at potential audit targets. HRSA has denied that ESP drives its audits, but the reality on the ground says otherwise: manufacturer flags feed directly into HRSA’s audit queue.
The result is uncomfortable. Covered entities now get hit from both sides, HRSA on compliance, manufacturers on access. Section 340B(a)(5)(A) hasn’t changed, but the manufacturer interpretation of enforcement certainly has. HRSA’s Office of Pharmaceutical Affairs insists it alone sets audit standards, yet as of April 2026 the agency still hasn’t said how ESP data fits into official audit procedures. That silence feels deliberate. Maybe cautious. Maybe political. Hard to tell.
Either way, act as if ESP accuracy is mandatory. Because when a manufacturer flags discrepancies, HRSA presumes they’re valid until you disprove them. The burden flipped somewhere around mid-2025, and no one announced it. Covered entities that treat ESP submissions like a compliance checkbox are already behind.
What Covered Entities Should Be Doing Right Now
If it’s been more than a quarter since you checked your contract pharmacy Medicaid logic, you’re already late. The most disciplined programs now run quarterly carve-in/carve-out reconciliations, comparing each contract pharmacy’s identifiers to what’s registered in HRSA’s 340B database. That extra audit pass catches mismatches HRSA auditors would otherwise find first. Smart administrators also dig into live switch data, BINs, PCNs, group numbers, instead of trusting whatever the TPA’s exclusion file claims. Those filters fail silently when a health plan rekeys its identifiers or someone reprocesses a rejected claim by hand.
Documentation has become the new currency of compliance. Think in layers: policy-level carve-in decisions, operational-level systems mapping, transaction-level proof. HRSA now expects to see all three stacked neatly, and they’ve begun citing entities for failing to notify their pharmacies of carve-in status changes within 30 days, a new audit letter theme in early 2026. Miss that step and you own the exposure, even if no claim error ever occurred.
Perfect control? Not happening. Between intermediaries, switch edits, and managed care carve-outs, things slip. But entities need to show they understand where vulnerabilities live. Vendors’ “trust us” isn’t a defense. HRSA’s auditors want covered entities to own their data paths, every field, every hop.
Why 2026 Feels Different
This year’s audit tone didn’t appear from nowhere. Congress leaned hard after the 2025 OIG report that blasted HRSA for missing duplicate discounts across multi-pharmacy networks. That report tallied roughly $130 million in potential manufacturer rebate exposure in ten states. HRSA had to respond, and it did, by pulling in CMS and several state Medicaid rebate offices for shared-data audits. The precision jumped overnight. So did the findings.
That precision cuts both ways. Compliance is finally data-driven, but most 340B programs still live on piecemeal systems. ESP feeds, HRSA’s database, state rebate files, they don’t natively talk. Big hospitals can script around that. Small FQHCs? Not so much. Still, HRSA’s made it clear that “technical limitations” won’t excuse violations. Fair or not, they mean it. And look, pretending otherwise is wishful thinking.
These 2026 audits don’t just review policies, they trace dollars. Every rebate that might have been paid twice becomes a breadcrumb for HRSA to follow. If your contract pharmacy footprint can’t show exactly where Medicaid dollars stop and 340B discounts start, HRSA will assume they don’t meet. And then you’ve got a much bigger problem to explain.