Physicians and other prescribers who electronically order and sign prescriptions for their patients may be asked to provide a password and additional security key before they are able to order, sign, and send a prescription. Some organizations may enable this additional security based on the assumption that it is required by law for all prescribing. This iteration of the DRM series provides clarification around when two-factor authentication is required for prescriptions.
To earn full credit for this activity, you must review all accompanying resources, which have been curated to support your learning of the subject matter.
Organizations are required by federal law to enable two-factor authentication within an electronic health record (EHR) for signing both controlled and non-controlled prescriptions.
There is no federal regulation that requires two-factor authentication to be enabled within an EHR for both controlled and non-controlled substance prescription signatures. The Drug Enforcement Administration (DEA) does require two-factor authentication to sign electronic prescriptions for controlled substances. For these, any authentication protocol must use two of the three following factors: (1) a password or answer to a challenge, (2) biometric identification such as a fingerprint or eye scan, and/or (3) a device separate from the computer that only the prescribing clinician has access to such as a hard token.1
Physicians and other prescribers who electronically order and sign prescriptions for their patients may be asked to provide a password and additional security key before they are able to order, sign, and send a prescription. This is called positive identification through password re-validation, or two-factor authentication. This additional requirement can be burdensome, adding extra clicks and keystrokes for prescribers, contributing to the already overwhelming amount of time spent in the EHR. Some organizations may enable this additional security based on the assumption that it is required by law for all prescribing.
For almost two decades, physicians in the State of Ohio used two-factor authentication and positive identification to sign all EHR prescription orders to comply with State of Ohio Board of Pharmacy regulations. The billions of clicks caused by this practice have contributed to the time physicians spend in the EHR, which research has linked to “click fatigue”, administrative burden, physician burnout, and physicians' decisions to reduce clinical hours or leave medicine altogether.2- 4
The AMA discovered that a previous state-specific requirement had been lifted, and there is no longer a requirement for two-factor authentication for electronic signing of prescriptions for non-controlled substances in the State of Ohio.5 The State of Ohio Board of Pharmacy confirmed that positive identification is no longer required for electronic prescription of outpatient non-controlled substances and outpatient orders.5,6 Unfortunately, this significant change that helps decrease unnecessary work for physicians was largely unknown.
The AMA relayed their findings to the head of physician wellbeing at Epic, who then communicated the expiration of this requirement to all Chief Medical Information Officers of Epic clients in Ohio. Across the Cleveland Clinic alone, this change impacts approximately 11 million orders and saves physicians over an estimated 12 000 hours a year.1
While Ohio's law has been lifted, multiple states have passed laws requiring all prescriptions to be prescribed electronically. Check with your state medical society or board of pharmacy to get the most up to date information on your state's laws regulating the prescription of controlled and non-controlled substances.
DEA Requirements for Electronic Orders and Prescriptions. Accessed March 30, 2023.
Ohio Administrative Code Chapter 4729: 5-19- Clinics and Prescriber Offices. Accessed March 30, 2023.
Ohio Administrative Code Rule 4729:5-3-11 Rule 4729: 5-3-11- Transmission of Outpatient Prescriptions. Accessed March 30, 2023.
Ohio State Board of Pharmacy Guidance on Issuing a Valid Prescription. Accessed March 30, 2023.
August 2022 Ohio State Board of Pharmacy Guidance: Approval of Electronic Prescription Transmission Systems & Computerized Prescriber Order Entry Systems. Accessed March 30, 2023.
Download this myth: Two-factor Authentication for Electronic Prescriptions (PDF)
Sign in to take quiz and track your certificates
To help improve the quality of its educational content and meet applicable education accreditation requirements, the content provider will receive record of your participation and responses to this activity.
The AMA Debunking Medical Practice Regulatory Myths series provides physicians and their care teams with regulatory clarification to streamline clinical workflow processes and improve patient outcomes.
AMA CME Accreditation Information
CME Disclosure Statement: Unless noted, all individuals in control of content reported no relevant financial relationships.
If applicable, all relevant financial relationships have been mitigated.
Disclaimer: The AMA's Debunking Regulatory Myths (DRM) series is intended to convey general information only, based on guidance issued by applicable regulatory agencies, and not to provide legal advice or opinions. The contents within DRM should not be construed as, and should not be relied upon for, legal advice in any particular circumstance or fact situation. An attorney should be contacted for advice on specific legal issues.
Debunking Regulatory Myths overview
Visit the overview page for information on additional myths.
Submit your regulatory myth
AMA seeks to aid physicians and care teams by helping them understand medical regulatory requirements. Help us help you—submit a myth you'd like clarification on.
Credit Designation Statement: The American Medical Association designates this Enduring Material activity for a maximum of 0.25 AMA PRA Category 1 Credit(s)™. Physicians should claim only the credit commensurate with the extent of their participation in the activity.
Successful completion of this CME activity, which includes participation in the evaluation component, enables the participant to earn up to:
It is the CME activity provider's responsibility to submit participant completion information to ACCME for the purpose of granting MOC credit.
You currently have no searches saved.
You currently have no courses saved.