Because health information has some different properties from other general data, it is important to understand 'information subject,' 'subject of information generation,' 'subject of information management' according to the characteristics of each medical information. It makes it possible to develop the appropriate security technology under the current legal regulations. In this paper, we identify some incorrect uses in existing papers, we show that "Patient-Participated on Electronic Health Record Systems" is more appropriate expression rather than "Patient-Controlled on Electronic Health Record Systems." We discuss three key factors (information subject, subject of information generation, subject of information management) of medical information and 'personal information self-determination.' As a solution for privacy, we suggest the 'Secure and dynamic consent system' and 'Personally-controlled health record on PHR (Personal Health Records)' should be developed under the current law and the current (or future) integrated medical information system.