Supplemental Medical Review Contractor (SMRC)

Medical Records Request Scam: Watch out for Phishing

CMS identified phishing scams for medical records. This may include scammers faxing you fraudulent medical records requests to get you to send patient records in response; see example external link icon.

When you review any requests, look for signs of a scam, including:

  • Directing you to send records to an unfamiliar fax number or address
  • Referencing Medicare.gov or @Medicare (.gov)
  • Indicating they need records to “update insurance accordingly”

A scam request may include:

  • Poor grammar, misspellings, or strange wording
  • Incorrect phone numbers
  • Skewed or outdated logos
  • Graphics that are cut and pasted

If you think you got a fraudulent or questionable request, work with your Medical Review Contractor external link icon to confirm if it’s real. Submit medical documentation through the Electronic Submission of Medical Documentation (esMD) external link icon system or CMS medical review contractor secure internet portals, when available.

Supported by the CMS, the SMRC, a Supplemental Medical Review Contractor, through the Center for Program Integrity, has been awarded to Noridian Healthcare Solutions, LLC (Noridian).


As the SMRC, Noridian performs and/or provides support for a variety of tasks aimed at lowering the improper payment rates and increasing efficiencies of the medical review functions of the Medicare and Medicaid programs.

With CMS directed topic selections and time frames, Noridian conducts nationwide medical reviews (Part A, Part B, and DME), in accordance with all applicable statutes, laws, regulations, national and local coverage determination policies, and coding guidance, to determine whether Medicare claims have been billed in compliance with coverage, coding, payment, and billing practices. Such reviews are assigned through CMS formal notifications and focus on analysis of national claims data issues identified by Federal agencies, such as the Office of Inspector General (OIG), Government Accountability Office (GAO), CMS internal data analysis, the Comprehensive Error Rate Testing (CERT) program, and professional organizations, and/or analysis reports such as First-Look Analysis Tool for Hospital Outlier Monitoring (FATHOM) report, and Program for Evaluating Payment Patterns Electronic Report (PEPPER). Reviews are based upon Provider Compliance Group (PCG), Program Integrity (PI), Healthcare Fraud Prevention Partnership (HFPP) project types.

Noridian must notify CMS of identified improper payments and noncompliance with documentation requests. We will initiate claim adjustments and/or overpayment recoupment via the standard overpayment recovery process.

Last Updated Jun 24, 2024