Electronic health record system (EHRs) has become an important part of medical system, which has more meaningful benefits compared with paper-based records. However, how to conduct secure fine-grained access control remains challenging. Although ciphertext-policy attribute-based encryption (CP-ABE) is a promising candidate for solving the above challenges. It is still not suitable for EHRs when considering privacy preserving. The access policy is uploaded to cloud in plaintext form, which may leak sensitive personal privacy. In this paper, we present a secure fine-grained attribute-based access control with hidden policy for electronic health record system. In the proposed scheme, a novel attribute name randomization scheme is designed to randomize each entity’s attribute names. Therefore, each entity’s attribute name set is different and unreadable. In addition, we utilize garbled bloom filter (GBF) to hide necessary values which are used to help decrypt ciphertext. At the same time, only user has corresponding secret keys can he reveal the hidden values. Moreover, security and performance analysis demonstrate that our scheme is secure and privacy-preserving with low overhead.