When a children’s hospital in the Midwest discovered its specialty pharmacy was shipping infliximab to a patient recently discharged from care, the compliance team braced for the inevitable. HRSA had already sent its audit notice, and the pharmacy’s shipment logs were about to be dissected. In 2026, these aren’t isolated headaches anymore. HRSA has expanded its diversion focus to the exact points where specialty drugs move, physically, electronically, and contractually, across manufacturer, wholesaler, pharmacy, and patient lines. Today, three issues mark a covered entity’s risk profile: patient definition, shipment verification, and contract pharmacy oversight.
How HRSA’s 2026 Oversight Has Shifted
Until recently, most covered entities could expect HRSA auditors to stick to a standard list, eligibility documentation, patient records, duplicate discount screens, contract pharmacy contracts. But this year, those checklists grew up. HRSA’s 2026 audit cycle has fused diversion checks with supply-chain verification. Entities are now producing documentation showing shipment paths for specialty orders, who handled cold-chain custody, and whether the dispensing pharmacy was contractually linked to the entity on the day of the fill. The core question isn’t just “Who’s your patient?” anymore. It’s “Show me your shipment.”
The timing tracks with industry consolidation. As Drug Channels highlighted in its April and May 2026 analyses, PBM-affiliated giants now dominate contract and specialty dispensing. They’ve folded 340B distribution into vertically integrated benefit models. HRSA has responded by auditing the ecosystem, not just individual providers. That systemic lens exposes weak points in how entities define patient eligibility and document prescribing paths when PBM-owned pharmacies ship across multiple states. It’s messy data, and HRSA is done tolerating “we’ll clean it later.”
Patient Definition in the Specialty Era
Every 340B compliance officer can recite the 1996 patient definition criteria from memory, even though HRSA never formalized them in regulation. The hardest part has always been proving continuity of care. In 2026, that ambiguity has deepened as specialty therapies get routed through subspecialists or management service organizations. Complex cases, oncology, MS, cystic fibrosis, often originate from physicians outside the entity’s payroll but tied through care coordination. HRSA auditors now expect documented proof that those encounters live inside the covered entity’s EHR, not on some external platform the entity can’t control.
Once a contract pharmacy enters the picture, the risk doubles. A PBM-owned specialty pharmacy may receive a prescription from an affiliated prescriber in a neighboring clinic. If the covered entity can’t show a qualifying patient encounter with its own provider, HRSA calls it diversion. That’s not speculative, it’s how audits are trending. HRSA hasn’t issued any new written definition, but auditors are applying one through enforcement. Entities that rely on contract pharmacies for biologics should assume they must demonstrate direct, electronic linkage between encounter note, prescribing provider, and dispense record. No linkage, no protection.
Shipment Verification and Documentation Standards
Most of HRSA’s 2026 diversion findings come down to a simple mismatch: the shipment address. Refill shipments for specialty therapies are landing at patient homes or third-party hubs, yet covered entities can’t present chain-of-custody proof. HRSA’s auditors now ask for end-to-end shipment logs showing the product’s path from wholesaler to pharmacy to patient. If a covered entity can’t map that trail, HRSA assumes diversion, even when the patient is technically eligible. That’s become a harsh but consistent rule.
Leaning on TPA audit-trail reports doesn’t cut it anymore. HRSA expects primary-source evidence, courier scans, temperature logs, or signed proof-of-delivery files. Some audit teams even request time-synced data between the TPA feed and the hospital’s EHR dispensing record. Miss a timestamp match, lose the savings. Entities have had entire specialty lines, pembrolizumab, ustekinumab, disqualified on documentation gaps alone. At this point, precision in shipment data is compliance, not paperwork.
Contract Pharmacy Oversight After Consolidation
The 2026 contract pharmacy landscape hardly resembles its old form. PBM-linked giants control most dispensing volume, and HRSA’s auditors treat those networks as arms of the covered entity itself. One compliance lapse at a high-volume chain can contaminate your entire 340B contract list. The serious programs have already shifted, performing monthly data validations, not quarterly, and demanding full subrecord access from each chain location. Anything less puts control in someone else’s hands.
Manufacturers continue to push 340B pricing through electronic submission platforms with strict data validation. If a contract pharmacy manages that reporting without internal verification, the covered entity is gambling on accuracy it can’t prove. HRSA’s current oversight expects active monitoring: does the entity actually review the pharmacy’s compliance data, or does it just have a contract saying it will? That’s not a rhetorical question. Auditors now expect to see transaction-level monitoring, not policy statements or PowerPoints.
There’s also the tug-of-war between PBM-owned specialty pharmacies and covered entities. PBMs steer refills internally to maximize their own network economics, while covered entities depend on 340B savings to sustain services. Compliance officers need visibility into where those refills land, fast. If half your biologic claims are rerouted to a non-contracted PBM pharmacy, HRSA will spot it before you do. Auditors already compare TPA dispensing data to contract-level pharmacy reports. That gap between the two? That’s where duplicate discounts and diversion hide.
What Prudent Programs Are Doing Now
The best programs in 2026 build verification into their daily workflow. Not as a quarterly project, part of normal operations. They map encounters the second a prescription is created, tie it electronically to the dispense, and confirm shipment data in real time. Specialty fills get reviewed weekly. Some compliance teams even run mini “cold-chain fire drills” before each HRSA reporting cycle, testing whether addresses and providers can be reconciled under audit pressure. And when a contract pharmacy won’t maintain transparency, those entities don’t negotiate, they terminate. Revenue loss hurts less than payback.
No formal HRSA guidance captures how this new oversight era feels. It’s not just regulatory enforcement, it’s operational surveillance. And it leaves no margin for half-documented exceptions. Covered entities still framing specialty pharmacy as a secondary channel will end up in HRSA’s crosshairs. Audits have become more forensic than theoretical. The real 2026 question isn’t whether your patient counts; it’s whether you can prove it, one shipment, one scan, one timestamp at a time. Look, that’s the line between compliant and cited now. And everyone knows it.
