Myth or fact? All prescriptions require two-factor authentication

Tanya Albert Henry , Contributing News Writer

Physicians are all too familiar with the extra clicks and keystrokes logged when electronically ordering and signing prescriptions for their patients, adding more time to the already overwhelming part of the day they spend in the EHR.

Help Move Medicine

Medicine doesn’t stand still, and neither do we. AMA members don’t just keep up with medicine—they shape its future.

Two-factor authentication, or positive identification through password revalidation, can add 2.5 to 5 seconds per prescription order. In a large health system with an average of 215,000 orders per week, that eats up between about 7,600 to 15,200 hours annually, researchers have found. And studies have shown that these burdens can contribute to physician burnout.

Some health care organizations have enabled the additional security in their EHR system based on the assumption that the law requires it. But are those extra clicks really necessary?

Not always.

It is a myth that all prescriptions require two-factor authorization, according to the AMA’s recent “Debunking Regulatory Myths” investigation. This series aims to provide regulatory clarification to physicians and their care teams. It is part of the AMA’s practice-transformation efforts and provides physicians and their care teams with resources to reduce guesswork and administrative burdens so their focus can be on streamlining clinical workflow processes, improving patient outcomes and increasing satisfaction.

Related Coverage

Digging into the data to cut EHR burdens that drive burnout

The U.S. Drug Enforcement Administration (DEA) does require two-factor authentication for controlled substances. However, there is no federal regulation that requires two-factor authentication to be enabled in the EHR for noncontrolled substance-prescription signatures.

For controlled substances, the DEA requires that an authentication protocol use two of these three factors:

  • A password or answer to a challenge.
  • Biometric identification such as a fingerprint or eye scan.
  • A device separate from the computer that only the prescribing clinician has access to, such as a hard token.

In Ohio, the Board of Pharmacy required that physicians use two-factor authentication and positive identification to sign all EHR prescription orders.

“The billions of clicks caused by this practice have contributed to the time physicians spend in the EHR, which research has linked to ‘click fatigue,’ administrative burden, physician burnout and physicians’ decisions to reduce clinical hours or leave medicine altogether,” the AMA says.

While researching the myth, the AMA discovered that the Ohio Board of Pharmacy had lifted its two-factor authentication for electronic prescription signing for outpatient noncontrolled substances and outpatient orders in 2020. However, nearly two years later, the change to make physicians’ lives easier still wasn’t widely known. While working on debunking the myth, the AMA relayed the information to Epic’s head of physician well-being. The EHR vendor, in turn, shared the information with all of its client chief medical information officers in Ohio.

“Across the Cleveland Clinic alone, this change impacts approximately 11 million orders and saves physicians over an estimated 12,000 hours a year,” the AMA explains.

Physicians should check with their state medical society or pharmacy board to discover the most up-to-date information about their state’s laws regulating controlled and noncontrolled substances sent through the EHR.

Related Coverage

Myth or fact? Verbal orders are prohibited in health care

Learn more with the “AMA Debunking Medical Practice Regulatory Myths Learning Series,” which is available on AMA Ed Hub™ and provides regulatory clarification to physicians and their care teams. For each topic completed, a physician can receive CME for a maximum of 0.25 AMA PRA Category 1 Credit™.

Physicians are encouraged to submit questions or ideas they have about potential regulatory myths. The AMA’s experts will research the matter. If the concern turns out to be a bona fide regulation that unnecessarily burdens physicians and their teams, the AMA’s advocacy arm can get involved to push for regulatory change.