Current paradigm changes for improving safety, quality and efficiency of care processes under massive deployment of information and communication technologies (ICT) place high requirements on privacy and security. These mainly focus on privilege management and access control harmonized in international standards and their further evolution. NIST and ISO, but especially HL7 play a prominent role in this context. Starting with classic role-based access control (RBAC) foundations to new specifications for security and privacy labeling of segmented health information, HL7 security is presented as a scalable intermediate solution on the way to comprehensive privilege management and access control by explicit, ontology-based, formal and therefore machine-processable policies. The successfully balloted HL7 labeling specification supports context-sensitive communication and cooperation between different stakeholders and processes with different purposes of use, based on meta-data of information, actors and processes involved. Basics of policy management and practical solutions are discussed.