[Skip to Content]
Outline
Abstract The Myth Debunking the Myth Background Success Story Resources Article Information References
Quiz
Electronic Health Records

Are Organizations Required to Enable Two-Factor Authentication Within an Electronic Health Record (EHR) for Prescription Medication?

Learning Objectives
1. Describe the myth or issue that impacts physicians and their care teams
2. Explain the facts that debunk the myth or issue that impacts physicians and their care teams
3. Explain circumstances under which two-factor authentication is required for prescribing medication
0.25 Credit CME
AMA Debunking Medical Practice Regulatory Myths Learning Series
Published Online: October 31, 2023
Article Course
editorial comment icon
Editorial
Comment
 related articles icon
Related
Articles
 author interview icon
Interviews
 multimedia icon
Multimedia
Module Take Quiz
Abstract

Physicians and other prescribers who electronically order and sign prescriptions for their patients may be asked to provide a password and additional security key before they are able to order, sign, and send a prescription. Some organizations may enable this additional security based on the assumption that it is required by law for all prescribing. This iteration of the DRM series provides clarification around when two-factor authentication is required for prescriptions.

To earn full credit for this activity, you must review all accompanying resources, which have been curated to support your learning of the subject matter.

The Myth

Organizations are required by federal law to enable two-factor authentication within an electronic health record (EHR) for signing both controlled and non-controlled prescriptions.

Debunking the Myth

There is no federal regulation that requires two-factor authentication to be enabled within an EHR for both controlled and non-controlled substance prescription signatures. The Drug Enforcement Administration (DEA) does require two-factor authentication to sign electronic prescriptions for controlled substances. For these, any authentication protocol must use two of the three following factors: (1) a password or answer to a challenge, (2) biometric identification such as a fingerprint or eye scan, and/or (3) a device separate from the computer that only the prescribing clinician has access to such as a hard token.1

Background

Physicians and other prescribers who electronically order and sign prescriptions for their patients may be asked to provide a password and additional security key before they are able to order, sign, and send a prescription. This is called positive identification through password re-validation, or two-factor authentication. This additional requirement can be burdensome, adding extra clicks and keystrokes for prescribers, contributing to the already overwhelming amount of time spent in the EHR. Some organizations may enable this additional security based on the assumption that it is required by law for all prescribing.

Success Story

For almost two decades, physicians in the State of Ohio used two-factor authentication and positive identification to sign all EHR prescription orders to comply with State of Ohio Board of Pharmacy regulations. The billions of clicks caused by this practice have contributed to the time physicians spend in the EHR, which research has linked to “click fatigue”, administrative burden, physician burnout, and physicians' decisions to reduce clinical hours or leave medicine altogether.24

The AMA discovered that a previous state-specific requirement had been lifted, and there is no longer a requirement for two-factor authentication for electronic signing of prescriptions for non-controlled substances in the State of Ohio.5 The State of Ohio Board of Pharmacy confirmed that positive identification is no longer required for electronic prescription of outpatient non-controlled substances and outpatient orders.5,6 Unfortunately, this significant change that helps decrease unnecessary work for physicians was largely unknown.

The AMA relayed their findings to the head of physician wellbeing at Epic, who then communicated the expiration of this requirement to all Chief Medical Information Officers of Epic clients in Ohio. Across the Cleveland Clinic alone, this change impacts approximately 11 million orders and saves physicians over an estimated 12 000 hours a year.1

While Ohio's law has been lifted, multiple states have passed laws requiring all prescriptions to be prescribed electronically. Check with your state medical society or board of pharmacy to get the most up to date information on your state's laws regulating the prescription of controlled and non-controlled substances.

Resources

Sign in to take quiz and track your certificates

To help improve the quality of its educational content and meet applicable education accreditation requirements, the content provider will receive record of your participation and responses to this activity.

The AMA Debunking Medical Practice Regulatory Myths series provides physicians and their care teams with regulatory clarification to streamline clinical workflow processes and improve patient outcomes. Learn more

Related

  1. Test Result Responsibility
    0.25 CME

See More About

Electronic Health Records Neurology Neuromuscular Diseases Muscular Dystrophy
Article Information

AMA CME Accreditation Information

CME Disclosure Statement: Unless noted, all individuals in control of content reported no relevant financial relationships.

If applicable, all relevant financial relationships have been mitigated.

Disclaimer: The AMA's Debunking Regulatory Myths (DRM) series is intended to convey general information only, based on guidance issued by applicable regulatory agencies, and not to provide legal advice or opinions. The contents within DRM should not be construed as, and should not be relied upon for, legal advice in any particular circumstance or fact situation. An attorney should be contacted for advice on specific legal issues.

Debunking Regulatory Myths overview

Visit the overview page for information on additional myths.

Contact us

Submit your regulatory myth

AMA seeks to aid physicians and care teams by helping them understand medical regulatory requirements. Help us help you—submit a myth you'd like clarification on.

Contact Us

References
1.
Drug Enforcement Administration.  Requirements for Electronic Orders and Prescriptions.; 2005. Accessed March 30, 2023. https://www.ecfr.gov/current/title-21/chapter-II/part-1311
2.
Collier  R.  Rethinking EHR interfaces to reduce click fatigue and physician burnout.  Canadian Medical Association Journal. 2018;190(33):E994–E995.Google ScholarCrossref
3.
Melnick  ER, Fong  A, Nath  B,  et al.  Analysis of Electronic Health Record Use and Clinical Productivity and Their Association With Physician Turnover.  JAMA Network Open. 2021;4(10). Accessed March 30, 2023. https://jamanetwork.com/journals/jamanetworkopen/fullarticle/2784810Google Scholar
4.
Melnick  ER, Harry  E, Sinsky  CA,  et al.  Perceived Electronic Health Record Usability as a Predictor of Task Load and Burnout Among US Physicians: Mediation Analysis.  Journal of Medical Internet Research. 2020;22(12). Accessed March 30, 2023. https://pubmed.ncbi.nlm.nih.gov/33289493/Google Scholar
5.
Ohio Legislative Service Commission.  Transmission of Outpatient Prescriptions.; 2020. Accessed March 30, 2023. https://codes.ohio.gov/ohio-administrative-code/rule-4729:5-3-11
6.
Ohio Legislative Service Commission.  Clinics and Prescriber Offices.; 2020. Accessed March 30, 2023. https://codes.ohio.gov/ohio-administrative-code/chapter-4729:5-19
AMA CME Accreditation Information

Credit Designation Statement: The American Medical Association designates this Enduring Material activity for a maximum of 0.25  AMA PRA Category 1 Credit(s)™. Physicians should claim only the credit commensurate with the extent of their participation in the activity.

Successful completion of this CME activity, which includes participation in the evaluation component, enables the participant to earn up to:

  • 0.25 Medical Knowledge MOC points in the American Board of Internal Medicine's (ABIM) Maintenance of Certification (MOC) program;;
  • 0.25 Self-Assessment points in the American Board of Otolaryngology – Head and Neck Surgery’s (ABOHNS) Continuing Certification program;
  • 0.25 MOC points in the American Board of Pediatrics’ (ABP) Maintenance of Certification (MOC) program;
  • 0.25 Lifelong Learning points in the American Board of Pathology’s (ABPath) Continuing Certification program; and
  • 0.25 credit toward the CME of the American Board of Surgery’s Continuous Certification program

It is the CME activity provider's responsibility to submit participant completion information to ACCME for the purpose of granting MOC credit.

Close
Close
Close
Close

Name Your Search

Save Search
Close
Close

Lookup An Activity

or

My Saved Searches

You currently have no searches saved.

Close

My Saved Courses

You currently have no courses saved.

Close
Our website uses cookies to enhance your experience. By continuing to use our site, or clicking "Continue," you are agreeing to our Cookie Policy | Continue