When HRSA auditors walked into a Minnesota hospital’s 340B program review this spring, they didn’t start with contract pharmacy invoices. They started with a telehealth prescribing log. The facility’s virtual platform had generated nearly 4,000 prescriptions across five retail pharmacies, many outside the hospital’s service area. HRSA flagged a third as diverted. The finding wasn’t about bad actors; it was about control. Telehealth volume had outpaced compliance infrastructure, and HRSA noticed.
How HRSA Is Now Applying the 340B Patient Definition to Virtual Care
The law hasn’t changed, but HRSA’s 2026 enforcement mindset certainly has. Covered entities keep asking whether a telehealth encounter counts as a valid patient relationship. The short version: only if it meets HRSA’s 340B patient definition. That requires the covered entity to maintain a documented provider-patient relationship and be responsible for the patient’s care. Virtual visits don’t create a separate category or exemption.
And here’s where it breaks. HRSA’s 2025-2026 audits show a recurring pattern: telehealth contracts running outside the EMR fence line. Where patient records, prescribing data, and covered-entity oversight don’t match up, auditors see diversion. Under new data-sharing protocols, audit teams now crosscheck telehealth prescribing patterns against location eligibility and service-line records. Prescriptions tied to remote sites that aren’t in HRSA’s registration, or weren’t part of an approved clinical service at the time, trigger findings fast.
In practice, if a telehealth vendor’s prescriber writes for a patient in your community but the visit was billed through a non-registered location, that prescription lands outside 340B scope. Drugs dispensed using ceiling prices must be repaid to manufacturers. Several hospitals have already been told to reimburse six‑figure sums tied to telehealth-linked audit findings. Painful lessons, written in repayment letters.
What FQHCs and Hospitals Are Each Up Against
Federally Qualified Health Centers historically kept prescribing close to their home zip codes. Then telehealth redrew the map overnight. HRSA’s 2026 audit teams are tightening scrutiny: if a behavioral health visit happens in a patient’s home two counties away and the Form 5A never listed telehealth as a method of service for that outreach area, those prescriptions fall out. FQHCs that expanded before updating documentation are now racing to retrofit compliance paperwork, retroactively.
Hospitals face a different storm. Drug Channels recently reported that Minnesota hospitals earned over a billion dollars more in 340B margin than they spent on uncompensated care (Drug Channels, Apr 2026). That spotlight sharpened HRSA’s focus on how hospital 340B revenue is actually generated. When systems use telehealth arms or third‑party provider networks to pump volume through contract pharmacies, auditors drill into whether those scripts come from outpatient departments named on the hospital’s Medicare cost report. If not, they’re outside 340B limits. Look, some hospitals have treated telehealth NPIs like shared utilities. HRSA sees a compliance vulnerability big enough to drive a reportable finding through.
The Technology Gap Nobody Wanted
Most telehealth platforms were built by tech companies, not compliance officers. The integrations look seamless, API connections, auto-routing, digital charting, but they skip 340B filters like prescriber type or cost-center tagging. Covered entities assume compliance is happening in the background. It isn’t. HRSA’s 2026 focus on “prescription provenance” means auditors now expect proof that the telehealth prescriber works for or is formally contracted under the covered entity, and that the chart is fully auditable. If auditors can’t open the encounter note from the entity’s EMR, they count the record as missing. Missing equals ineligible.
One FQHC found this out the hard way. During a 2026 HRSA audit, the IT director tried to demonstrate remote EMR access for a sample of telehealth encounters. The vendor’s firewall blocked it. HRSA cited a “failure to maintain auditable records,” and the finding wiped out eligibility for 900 prescriptions. That’s what a compliance miss looks like when it meets an enforcement report.
Hospitals running telehealth across multiple affiliates face another invisible risk, prescription attribution. HRSA is tracing NPIs through personnel rosters in its registration database. Shared or duplicated prescriber IDs across covered and non‑covered settings are creating diversion exposure few hospitals have truly mapped.
Adjustments That Actually Hold Up Under Audit
The way forward, use real‑time eligibility checks that stop a telehealth prescription before it hits the 340B accumulator. Compliance teams belong in the data stream, not waiting in policy review meetings. Map every telehealth encounter back to a registered site and to a defined service line. If the link doesn’t exist, block it. HRSA doesn’t accept intent or good faith as substitutes for evidence, and their auditors have no patience for excuses like “the interface wasn’t ready.”
Entities with contract pharmacies are now updating prescriber employment documentation quarterly. Some even file telehealth prescriber contracts directly into the eligibility binder. It sounds tedious, until the auditor asks mid‑visit. Another sound step: apply location-level filters in split‑billing software so telehealth encounters aren’t mis‐attributed to the main clinic by default. Early corrections prevent large‑scale reversals later, and that’s not theoretical, it’s already happening.
By 2026, compliance officers have learned that telehealth can’t rely on the honor system. HRSA has upgraded its analytics, pulling provider rosters, patient ZIP data, and claims histories with precision most entities underestimated. The 340B statute may read the same, but the enforcement playbook doesn’t. Telehealth diversion is now one of HRSA’s clearest signals of systemic control failure, and the agency is following that signal wherever it leads.
Sources
- Minnesota’s 340B Hospitals Make One Billion More From 340B Than They Spend on Uncompensated Care (Drug Channels, 2026‑04‑23)