Common practice for healthcare organizations is to maintain locally their own files, thus causing a geographic distribution of healthcare records. On the other hand, healthcare personnel treating a patient needs access to previous diagnosis and treatment data, maintained by various institutions in many different locations. Currently, the lack of a reliable authentication and authorization framework is considered a major obstacle for interchanging electronic healthcare records (EHRs). This paper proposes a hierarchical model for controlling access to EHRs and protecting the privacy of subjects of care and healthcare personnel, while facilitating the exchange of information among healthcare information systems.