diff --git a/app/controllers/contracts_controller.rb b/app/controllers/contracts_controller.rb
index 6f943ec..73997e1 100644
--- a/app/controllers/contracts_controller.rb
+++ b/app/controllers/contracts_controller.rb
@@ -48,10 +48,8 @@ class ContractsController < ApplicationController
 # Native release contracts must be generated on-the-fly; non-native releases have a contract attachment
 if releasable.native?
 send_file contract.to_pdf, download_attributes
- elsif policy(contract).show?
- redirect_to releasable.contract.service_url
 else
- raise Pundit::NotAuthorizedError
+ redirect_to releasable.contract.service_url
 end
 end
 end
diff --git a/app/policies/medical_release_policy.rb b/app/policies/medical_release_policy.rb
index 087f087..b752a8b 100644
--- a/app/policies/medical_release_policy.rb
+++ b/app/policies/medical_release_policy.rb
@@ -4,7 +4,7 @@ class MedicalReleasePolicy < ReleasePolicy
 end
 def show?
- true
+ user.account_manager?
 end
 def update?
diff --git a/spec/policies/medical_release_policy_spec.rb b/spec/policies/medical_release_policy_spec.rb
index 8b79891..b4b7421 100644
--- a/spec/policies/medical_release_policy_spec.rb
+++ b/spec/policies/medical_release_policy_spec.rb
@@ -1,7 +1,8 @@
 require "rails_helper"
 describe MedicalReleasePolicy do
- let(:user_context) { build(:user_context) }
+ let(:user) { create(:user) }
+ let(:user_context) { create(:user_context, user: user, account: user.primary_account) }
 subject { described_class }
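Review bot: The non-native branch now reaches `redirect_to releasable.contract.service_url` with no authorization check of its own, where it previously required `policy(contract).show?` and raised `Pundit::NotAuthorizedError` otherwise; the policy tightened in this same commit is `MedicalReleasePolicy#show?`, which only protects this redirect if the action calls `authorize releasable` (or equivalent) before the lines shown. That call, if present, sits outside the hunk — the enclosing action starts above it — so it is worth confirming, and worth a comment on the `else` line such as `# authorization for this redirect is the authorize call at the top of the action` so the branch is not mistaken for an unguarded redirect. Separately, the native branch reads `contract.to_pdf` while the new line reads `releasable.contract.service_url`; if those resolve to the same object, `redirect_to contract.service_url` keeps the two branches consistent.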
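Review bot: `show?` now evaluates `user.account_manager?`, which raises `NoMethodError` instead of denying if `user` can be nil for this policy — Pundit hands policies a nil user on anonymous requests unless the base class rejects that earlier; if `ReleasePolicy` does not guarantee a user, `user&.account_manager?` yields a falsy result rather than a 500. The check is also role-only: it never relates the user to the release being shown, so unless `ReleasePolicy` or the controller scope restricts records to the user's account, any account manager passes for any medical release — worth confirming against the base class, which is outside the hunk. A one-line comment stating the intended rule, e.g. `# Only account managers may view a medical release`, would document the tightening for the next reader.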
@@ -9,8 +10,28 @@ describe MedicalReleasePolicy do
 it { is_expected.to permit(:create) }
 end
- permissions :show? do
- it { is_expected.to permit(:show) }
+ context "for an account manager" do
+ let(:user) { create(:user, :account_manager) }
+
+ permissions :show? do
+ it { is_expected.to permit(user_context, :show) }
+ end
+ end
+
+ context "for an associate" do
+ let(:user) { create(:user, :associate) }
+
+ permissions :show? do
+ it { is_expected.not_to permit(user_context, :show) }
+ end
+ end
+
+ context "for a manager" do
+ let(:user) { create(:user, :manager) }
+
+ permissions :show? do
+ it { is_expected.not_to permit(user_context, :show) }
+ end
+ end
 end
 permissions :update? do
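Review bot: The three new contexts cover the account_manager, associate and manager roles for `show?`, but none exercises a user context with no user or a user attached to a different account, which are the two inputs most likely to behave surprisingly under a role-only `user.account_manager?` check. A further context such as `let(:user_context) { create(:user_context, user: nil) }` expecting `is_expected.not_to permit(user_context, :show)` would pin the anonymous case, assuming the factory accepts a nil user. The `create(:user, ...)` calls persist records for a pure policy spec; `build` may be enough here if `primary_account` does not require persistence.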