In traditional access control systems, security administrators determine whether an information consumer can access a certain resource. However, in reality, it is very difficult for policy makers to foresee what information a user may need in various situations. In hospitals, failing to authorize a doctor for the medical information she needs about a patient could lead to severe or fatal consequences. In this paper, we propose a practical access control approach to protect patient privacy in health information systems by taking the realities in healthcare into consideration. First, unlike traditional access control systems, our proposed access con- trol model allows information consumers (i.e. doctors) to make access decisions, while still being able to detect and control the over-accessing of patients' medical data by quantifying the risk associated with doctors' data-accessing activities. Second, we do not require doctors to do anything special in order to use our system. We learn about common practices among doctors and apply statistical methods and information theory techniques to quantify the risk of privacy violation. Third, occasional exceptions on information needs, which is common in healthcare, is taken into account in our model. We have implemented a prototype of our solution and performed simulations on real-world medical history records. Copyright 2011 ACM.