Two-Factor Authentication: What Does It Mean in the HIPAA Security Rule?

The Health Insurance Portability and Accountability Act (HIPAA) was enacted in 1996, but it was not written with electronic medical records in mind. Its original privacy protections applied to patient records in whatever form they were kept, which at the time meant mostly paper. Before HIPAA there was no federal standard for protecting the privacy of patients' records.

As technology has advanced, particularly over the past decade, healthcare technology has made more secure methods of managing medical records possible. Healthcare facilities have moved to electronic medical records largely because they are cheaper to store and manage.

Government regulations also came to require that medical records be kept electronically. The security standards for protecting electronic protected health information (ePHI), known as the HIPAA Security Rule, were published in 2003 and are enforced by the federal government.

This set of regulations was created to protect the privacy of patient information when it is stored electronically. Two-factor authentication is a method in which a user's identity is verified with two different kinds of authentication factor: something the user knows (a password), something the user has (a hardware token or phone), or something the user is (a biometric). Over the years this form of authentication has come to be treated as a standard part of HIPAA compliance, although the Security Rule itself only requires that a covered entity verify the identity of a person or entity seeking access to ePHI; it does not name two-factor authentication or any other specific mechanism.

Multi-factor authentication was already mentioned in October 2003, in a PDF published by the National Institute of Standards and Technology (NIST). That document, the "Guide to Selecting Information Security Products", explains what authentication is but does not require that any particular form of it be implemented.

Electronic medical records were evidently still new at that time and not used in all facilities, so no requirement for a specific authentication method was created or enforced.