diff --git a/interface/reports/cdr_log.php b/interface/reports/cdr_log.php
index 3dede6242d0..1bc08ddc4e0 100644
--- a/interface/reports/cdr_log.php
+++ b/interface/reports/cdr_log.php
@@ -15,9 +15,15 @@
 require_once "$srcdir/options.inc.php";
 require_once "$srcdir/clinical_rules.php";
 
+use OpenEMR\Common\Acl\AclMain;
 use OpenEMR\Common\Csrf\CsrfUtils;
 use OpenEMR\Core\Header;
 
+if (!AclMain::aclCheckCore('patients', 'med')) {
+    echo xlt('Not Authorized');
+    exit;
+}
+
 if (!empty($_POST)) {
     if (!CsrfUtils::verifyCsrfToken($_POST["csrf_token_form"])) {
         CsrfUtils::csrfNotVerified();
diff --git a/interface/reports/cqm.php b/interface/reports/cqm.php
index de64a2c47f7..ec4db1eae10 100644
--- a/interface/reports/cqm.php
+++ b/interface/reports/cqm.php
@@ -21,10 +21,16 @@
 require_once "$srcdir/clinical_rules.php";
 require_once "$srcdir/report_database.inc";
 
+use OpenEMR\Common\Acl\AclMain;
 use OpenEMR\ClinicialDecisionRules\AMC\CertificationReportTypes;
 use OpenEMR\Common\Csrf\CsrfUtils;
-use OpenEMR\Services\PractitionerService;
 use OpenEMR\Common\Twig\TwigContainer;
+use OpenEMR\Services\PractitionerService;
+
+if (!AclMain::aclCheckCore('patients', 'med')) {
+    echo xlt('Not Authorized');
+    exit;
+}
 
 if (!empty($_POST)) {
     if (!CsrfUtils::verifyCsrfToken($_POST["csrf_token_form"])) {
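Review bot: The denial branch added at the top of cdr_log.php answers with `echo xlt('Not Authorized'); exit;`, which leaves the HTTP status at 200, so proxies, access logs and alerting cannot tell a refused request from a rendered report. Putting `http_response_code(403);` before the echo would make the refusal visible to monitoring. The branch also exits without recording who was refused, so if the project keeps an audit log, a denied attempt on a clinical report is worth an entry there. The same four lines are added to cqm.php in the next hunk and the point applies there as well; the rest of the script lies outside the hunk.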
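Review bot: The added `use OpenEMR\Common\Acl\AclMain;` sits above `use OpenEMR\ClinicialDecisionRules\AMC\CertificationReportTypes;`, although this same hunk moves the PractitionerService import to keep the list alphabetical. `ClinicialDecisionRules` sorts before `Common\Acl`, so the new line belongs directly after the CertificationReportTypes import. A short comment above the check, for example `// Report output includes patient clinical data; require the patients/med ACL.`, would record why this ACL gates the page, if that is the intent. The `if (!empty($_POST))` block that follows is cut off at the end of the hunk.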