Because the medical record that the coder is reviewing may not necessarily reflect the whole picture of what has taken place, I would recommend that a coder not take independent action on this, but rather should escalate their concerns internally first. As you've noted, there are legal and compliance concerns involved both with following laws that require abuse to be reported as well as with respecting patient legal privacy rights. This is a legitimate concern and something you should take to your manager or organization's compliance officer or legal advisors - they are there for that purpose, and if they do not have the answers they should at least be able to get to the people that do. But because of the complexity and sensitivity of something of this sort, I would absolutely not report this externally outside of the organization except as a last resort after having first taken it up the 'chain of command' internally. In cases where I have encountered similar things in the medical records, my leaders in the organizations I've worked with have always taken my concerns seriously and have given me satisfactory assurances that the proper steps have been taken. Hopefully your organization will give you the same support.