Hospital work is characterized by the need to manage multiple activities simultaneously, constant local mobility, frequent interruptions, and intense collaboration and communication. Hospital employees must handle a large amount of data that is often tied to specific work activities. This calls for a proper access control model. In this paper, we propose a novel approach, the Activity-based access Control Model (ACM). Unlike conventional approaches, which exploit user identity/role information, ACM leverages a user's activities to determine the access permissions for that user. In ACM, a user is assigned to perform a number of actions if s/he possesses a set of satisfactory attributes. Access permissions to hospital information are granted according to the user's actions. By doing this, ACM offers a number of advantages over conventional models: (1) it facilitates users' work; (2) it reduces the complexity and cost of access management. Though the design of ACM first aims to support clinical work in hospitals, it can be applied in other activity-centered environments.
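The two-step decision described above (attributes qualify a user for actions, and actions carry the permissions) can be sketched as follows. This is an added example, not code from the paper; the policy, attribute names, actions and resource types are all assumptions made for illustration, and it reflects one reading of the model in which permissions follow the action currently being performed.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Action:
    name: str
    required: frozenset  # (attribute, value) pairs the user must possess
    grants: frozenset    # (operation, resource type) permissions of the action

# Constructed policy; all names and values are assumptions for illustration.
POLICY = (
    Action("administer_medication",
           frozenset({("qualification", "nurse"), ("ward", "cardiology"),
                      ("on_shift", True)}),
           frozenset({("read", "medication_chart"),
                      ("write", "medication_chart")})),
    Action("ward_round",
           frozenset({("qualification", "physician"), ("ward", "cardiology"),
                      ("on_shift", True)}),
           frozenset({("read", "patient_record"), ("write", "clinical_note")})),
)

def assigned_actions(attrs: dict) -> set:
    """Step 1: actions whose required attributes the user fully satisfies."""
    held = set(attrs.items())
    return {a.name for a in POLICY if a.required <= held}

def is_permitted(attrs: dict, action: str, operation: str, resource: str) -> bool:
    """Step 2: allow only if the user qualifies for the action being performed
    and that action grants the permission. Everything else is denied."""
    if action not in assigned_actions(attrs):
        return False  # unknown action, or attributes no longer satisfied
    granted = next(a.grants for a in POLICY if a.name == action)
    return (operation, resource) in granted

# Constructed users: the same nurse on and off shift.
NURSE = {"qualification": "nurse", "ward": "cardiology", "on_shift": True}
NURSE_OFF_SHIFT = {**NURSE, "on_shift": False}

if __name__ == "__main__":
    print(assigned_actions(NURSE))
    print(is_permitted(NURSE, "administer_medication", "write", "medication_chart"))
    print(is_permitted(NURSE_OFF_SHIFT, "administer_medication", "write", "medication_chart"))
```

Because no permission is attached to the user directly, changing a single attribute (here `on_shift`) withdraws every permission that depended on it without touching any per-user grant.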