Personal health records (PHR) always contain a great deal of health-related private information in different categories. When PHR data is stored in the cloud, the PHR owner loses control over the sensitive information and is confronted with potential privacy exposure. In this paper, we propose a scheme to protect PHR data hosted in the cloud. It not only supports fine-grained data access based on the privacy policies specified by the PHR owner, but also provides an effective encryption mechanism and a flexible key management approach to enforce the privacy policies that are sticky to the PHR data.

DOI: http://dx.doi.org/10.11591/telkomnika.v11i4.240