Is two-factor authentication required for all prescriptions?

This resource is part of the AMA's Debunking Regulatory Myths series, supporting AMA's practice transformation efforts to provide physicians and their care teams with resources to reduce guesswork and administrative burdens.

Organizations are required by federal law to enable two-factor authentication within an electronic health record (EHR) for signing both controlled and non-controlled prescriptions.

There is no federal regulation that requires two-factor authentication to be enabled within an EHR for both controlled and non-controlled substance prescription signatures. The Drug Enforcement Administration (DEA) does require two-factor authentication to sign electronic prescriptions for controlled substances. For these, any authentication protocol must use two of the three following factors: (1) a password or answer to a challenge, (2) biometric identification such as a fingerprint or eye scan, and/or (3) a device separate from the computer that only the prescribing clinician has access to such as a hard token.¹

Physicians and other prescribers who electronically order and sign prescriptions for their patients may be asked to provide a password and additional security key before they are able to order, sign, and send a prescription. This is called positive identification through password re-validation, or two-factor authentication. This additional requirement can be burdensome, adding extra clicks and keystrokes for prescribers, contributing to the already overwhelming amount of time spent in the EHR. Some organizations may enable this additional security based on the assumption that it is required by law for all prescribing.

For almost two decades, physicians in the State of Ohio used two-factor authentication and positive identification to sign all EHR prescription orders to comply with State of Ohio Board of Pharmacy regulations. The billions of clicks caused by this practice have contributed to the time physicians spend in the EHR, which research has linked to “click fatigue”, administrative burden, physician burnout, and physicians’ decisions to reduce clinical hours or leave medicine altogether.^2,3,4

The AMA discovered that a previous state-specific requirement had been lifted, and there is no longer a requirement for two-factor authentication for electronic signing of prescriptions for non-controlled substances in the State of Ohio.⁵ The State of Ohio Board of Pharmacy confirmed that positive identification is no longer required for electronic prescription of outpatient non-controlled substances and outpatient orders.^5,6 Unfortunately, this significant change that helps decrease unnecessary work for physicians was largely unknown.

The AMA relayed their findings to the head of physician wellbeing at Epic, who then communicated the expiration of this requirement to all Chief Medical Information Officers of Epic clients in Ohio. Across the Cleveland Clinic alone, this change impacts approximately 11 million orders and saves physicians over an estimated 12,000 hours a year.^a

While Ohio’s law has been lifted, multiple states have passed laws requiring all prescriptions to be prescribed electronically. Check with your state medical society or board of pharmacy to get the most up to date information on your state’s laws regulating the prescription of controlled and non-controlled substances.

• DEA Requirements for Electronic Orders and Prescriptions. Accessed March 30, 2023.
• Ohio Administrative Code Chapter 4729: 5-19- Clinics and Prescriber Offices. Accessed March 30, 2023.
• Ohio Administrative Code Rule 4729:5-3-11 Rule 4729: 5-3-11- Transmission of Outpatient Prescriptions. Accessed March 30, 2023.
• Ohio State Board of Pharmacy Guidance on Issuing a Valid Prescription. Accessed March 30, 2023.
• August 2022 Ohio State Board of Pharmacy Guidance: Approval of Electronic Prescription Transmission Systems & Computerized Prescriber Order Entry Systems. Accessed March 30, 2023.
• Download this myth: Two-factor Authentication for Electronic Prescriptions (PDF)

1. Drug Enforcement Administration. Requirements for Electronic Orders and Prescriptions.; 2005. Accessed March 30, 2023. https://www.ecfr.gov/current/title-21/chapter-II/part-1311
2. Collier R. Rethinking EHR interfaces to reduce click fatigue and physician burnout. Canadian Medical Association Journal. 2018;190(33):E994-E995.
3. Melnick ER, Fong A, Nath B, et al. Analysis of Electronic Health Record Use and Clinical Productivity and Their Association With Physician Turnover. JAMA Network Open. 2021;4(10). Accessed March 30, 2023. https://jamanetwork.com/journals/jamanetworkopen/fullarticle/2784810
4. Melnick ER, Harry E, Sinsky CA, et al. Perceived Electronic Health Record Usability as a Predictor of Task Load and Burnout Among US Physicians: Mediation Analysis. Journal of Medical Internet Research. 2020;22(12). Accessed March 30, 2023. https://pubmed.ncbi.nlm.nih.gov/33289493/
5. Ohio Legislative Service Commission. Transmission of Outpatient Prescriptions.; 2020. Accessed March 30, 2023. https://codes.ohio.gov/ohio-administrative-code/rule-4729:5-3-11
6. Ohio Legislative Service Commission. Clinics and Prescriber Offices.; 2020. Accessed March 30, 2023. https://codes.ohio.gov/ohio-administrative-code/chapter-4729:5-19

Visit the overview page for information on additional myths.

^aAn average of 215,000 orders per week multiplied by 52 weeks is 11.18 million orders per year. Validation takes 2.5-5 seconds, depending on the method, making the time required for the task of approving this amount of orders 7,638-15,277 hours per year.

Disclaimer: The AMA's Debunking Regulatory Myths (DRM) series is intended to convey general information only, based on guidance issued by applicable regulatory agencies, and not to provide legal advice or opinions. The contents within DRM should not be construed as, and should not be relied upon for, legal advice in any particular circumstance or fact situation. An attorney should be contacted for advice on specific legal issues.