SIMPLE FAILURES IN PROTECTING MEDICAL DATA CAN HAVE DRAMATIC CONSEQUENCES ON A PATIENT PRIVACY. IN THIS ARTICLE, WE FOCUS MAINLY ON ACCESS CONTROL FOR PROTECTING SENSITIVE DATA WITHIN PATIENT’S ELECTRONIC HEALTH RECORD (EHR). WE PROPOSE A NEW ACCESS CONTROL MODEL CALLED DORMAC CAPABLE OF EXPRESSING BOTH A SECURITY POLICY ESTABLISHED BY A HEALTHCARE PROVIDER AND A PRIVACY POLICY DEFINED BY A PATIENT. FOR EXPRESSING PRIVACY, WE ENRICHED THE ORGANIZATION BASED ACCESS CONTROL MODEL (ORBAC) BY SOME SECURITY CONCEPTS INSPIRED FROM DISCRETIONARY AND MANDATORY POLICIES. THIS MODEL ACHIEVE A GOOD BALANCE BETWEEN AVAILABILITY OF DATA DURING CARE AND PRIVACY PROTECTION.