Auditors Are Reading the EMR Before You Do
Late in 2023, several large Disproportionate Share Hospitals received desk audit requests that included full EMR access, not just dispensing data. HRSA contractors are now requesting progress notes, provider credentialing, and confirmation that prescribing providers actively practice at a registered site. Community Health Centers are facing identical requests. If your covered entity hasn’t audited its EMR linkages in the last six months, that’s the first thing you’ll have to answer for.
The 2015 HRSA Omnibus Guidance never became final, yet auditors still apply its “provider relationship” concept when defining a 340B-eligible patient. They crosswalk prescriber NPIs to clinic sites, then pull your HRSA database extract. If any NPI isn’t tied correctly, that 340B claim is gone. One Midwestern FQHC I worked with lost 8% of its outpatient capture simply because the credentialing team didn’t update HRSA registration after deploying a mobile van site. Moral of the story: before HRSA arrives, reconcile provider-to-site data across your EMR, credentialing system, and 340B vendor prescriber tables. Do it now, not when the audit email hits.
Split-Billing Data Is the New Audit Minefield
Hospitals relying on virtual inventory systems like Macro Helix or 340B Architect already know, one mismatched NDC can erase months of work. In 2024 audits, HRSA is demanding transaction-level detail for at least 20 claims, each traced through accumulators and purchase orders. They want evidence that inpatient drugs never hit the outpatient accumulator. If your setup uses ADT feeds, confirm those status updates actually occur in real time. OIG report 23-05-00473 was blunt: delayed ADTs drive diversion in mixed-use pharmacies, and HRSA now checks for it.
I saw a hospital still using nightly manual uploads from its EHR. During audit, HRSA caught 14 orders written while patients were still tagged “observation” and flipped to “inpatient” an hour later. Fourteen findings. $128,000 in repayments. Across seven drugs. Automate the feed. If IT pushes back, remind them a functioning ADT interface costs far less than a repayment cycle. And less stress too.
Don’t Treat the 2024 “Checklist” Like a Form
There’s no official 2024 HRSA audit checklist, and there won’t be one. What counts now is a complete, accessible audit trail. Covered entities should treat five documentation areas as living records: HRSA registrations, Medicaid carve status, provider site lists, inventory and purchasing logs, and contract pharmacy oversight. These need to reflect current operations, not the world as it looked during your last recertification cycle.
Three trends from 2023 are still shaping audits. First, HRSA and OPA have zero tolerance for unreported contract pharmacies. If a pharmacy dispenses under your 340B ID but isn’t active in HRSA’s database, that’s diversion, period. Second, orphan drug tracking still traps DSH and children’s hospitals. HRSA expects compliance with OPA’s 2021 manufacturer restriction guidance until the Third Circuit finally weighs in. Keep every NDC-level exclusion documented. Finally, Medicaid duplicate discount controls are under deeper scrutiny. Following the 2022 OIG audit in Illinois, HRSA now verifies that carve-in entities have active data-sharing agreements with the state. If yours doesn’t list your NPI correctly, fix it now, don’t wait for an audit to reveal it.
For health centers specifically, HRSA’s 2024 desk audits emphasize pharmacy oversight and referral prescribing. If your in-house pharmacy fills scripts from external specialists, maintain and annually review those referral agreements. HRSA hasn’t clarified exactly how integrated care networks count for eligibility, so documentation is your only real defense. Keep the care coordination note, referral record, and signed agreement visible alongside each referral-driven claim. Don’t overthink it, just prove the relationship exists.
Contract Pharmacies and the Reconciliation Trap
Today’s auditors expect operational oversight, not paperwork. Signed contracts are just the starting point. They look for covered entity verification at the claim level, something too many leave to their third-party administrator. That won’t pass. Your compliance officer or pharmacy director should review at least one dispensing location quarterly. For FQHCs, that includes confirming eligibility for both patient and prescriber, especially for late fills after a visit.
Meanwhile, manufacturers like AstraZeneca, Eli Lilly, and Novo Nordisk continue limiting shipments to contract pharmacies. Entities that try to bypass these restrictions with central fill or redistribution setups are entering legally uncertain territory. HRSA’s enforcement power is still unresolved after the Delaware cases, but OIG can pursue False Claims allegations if diversion is obvious. The safe path: reconcile accumulators monthly, tie them to WAC purchases, and flag exceptions. If a claim doesn’t accumulate due to a manufacturer block, mark it as non-340B. No one wants inflated savings numbers built on blocked transactions.
The covered entities that make it through audits clean keep a standing binder, usually digital, holding policies, audit logs, provider credentials, and current split-billing samples. Not because HRSA requires it, but because when your auditor emails on Monday asking for files by Wednesday, time kills you. Every day you spend digging increases the odds they widen the sample set. Don’t let that happen.
Stop Waiting for HRSA to Publish Guidance
Everyone keeps asking when HRSA will roll out new program integrity guidance or revise its 2012 audit protocol. The answer: not this year. The agency is still operating under existing interpretations while litigation over manufacturer restrictions grinds on. Covered entities can’t afford to wait for clarity. The only workable strategy is evidence, written, organized, and retrievable. Every eligibility call, prescription capture, and replenishment order has to be defensible in data. HRSA doesn’t look for intent; they look for ineligible use. The story you think you’ll tell on the audit call? Too late. The data already told it.
This year’s audits feel different. More data-heavy. Less chat, more evidence. Test your own claims, sample yourself, challenge your accumulators, verify every NPI. The teams doing this quarterly aren’t lucky when the audit notice hits, they’re just not scrambling. Look, that’s the whole game. Preparation beats panic every time.