Security and privacy are widely recognized as important requirements for access and management of electronic health record (EHR) data. In this paper, we argue that EHR data need to be managed with customizable access control in both spatial and temporal dimensions. We present a role-based and time-bound access control (RBTBAC) model that provides more flexibility in both roles (spatial capability) and time (temporal capability) dimensions to control the access of sensitive data. Through algorithmic combination of role-based access control and time-bound key management, our RBTBAC model has two salient features. First, we have developed a privacy-aware and dynamic key structure for role-based privacy aware access and management of EHR data, focusing on the consistency of access authorization (including data and time interval) with the activated role of user. In addition to role-based access, a path-invisible EHR structure is built for preserving privacy of patients. Second, we have employed a time tree method for generating time granule values, offering fine granularity of time-bound access authorization and control. Our initial experimental results show that tree-like time structure can improve the performance of the key management scheme significantly, and RBTBAC model is more suitable than existing solutions for EHR data management because it offers high-efficiency and better security and privacy. Copyright © 2013 John Wiley & Sons, Ltd.