In the modern health services era, data is accessed by the doctors and nurses using small handheld devices like mobile, Personal Digital Assistants and other electronic handheld devices. Individual's health related information is normally stored in a central health repository. This data can be accessed by authorized doctors. Data is prone to be exposed to a number of mobile attacks while being accessed. Potential attacks like man-in-the-middle attacks can be seen while accessing the information from the central health repositories using handheld devices. This paper proposes an architecture using XACML (eXtensible Access Control Markup Language) policy to control the privacy and data access of health service data accessed through handheld devices. © 2010 IEEE.