**1. Introduction**

LPHR is "an electronic, lifelong resource of health information needed by individuals to make health decisions" [1] and to "improve the quality and efficiency of their own health care" [2, 3]. Building electronic health record (EHR) was required by "the Health Insurance Portability and Accountability Act of 1996 (HIPAA)" [4]. The first "HIPAA Privacy Rule was released" [4] to "improve privacy standards and to restrict the disclosure of Protected Health Information (PHI) and personal identifiers to unauthorized individuals" [4]. In 2009, "the Health Information Technology for Economic and Clinical Health Act (the HITECH Act) was enacted" [5] to remediate a loophole in HIPAA Privacy Rule and promote personal health record (PHR). Untethered (cross-organizational) [6] PHR has been a preferred choice of building LPHR [6]. LPHR is attractive to patients because patients can have holistic view of their health information that are scattered in multiple information systems at various facilities. Federal agencies and local governments have been promoting PHR adoption in the past two decades with numerous "laws and regulations, incentives, and penalties" [3, 7, 8]. However, "the LPHR adoption rate has been low" [3, 8] in the United States. A.A. Abd-alrazaq et al. found out that "patients' privacy and security concerns is a major negative factor impacting LPHR adoption" [3, 7]. Patients like to fully control privacy and security of their own LPHR [3, 7]. "However, little is known how to model and construct a scalable and interoperable LPHR with patient-controlled security and privacy that both patients and providers trust" [3]. Solving this problem is "considered important to increase LPHR adoption rate and improve the efficiency as well as the quality of care" [3].

To protect the security and privacy of LPHR, encryption is an intuitive and good choice of solution [9–16]. Encryption can prevent external security attack, however, it cannot defend against insider threat [3, 17]. We argued that insider threat can be remediated via a secure access control model that is implemented correctly at user or session or process level [3, 18, 19]. Combining access control model with encryption is a better resolution. Traditional access control model, in which users are well known, has been used to couple with attribute-based encryption (ABE) as an approach. However, in PHR systems, users can be known or unknown. To overcome this problem, we proposed next generation access control which offers "open access surroundings" where "users can be centrally known or unknown" [3]. We chose the "National Institute of Standards and Technology (NIST)" "Next Generation Access Control (NGAC)" [20], a type of "attribute-based access control (ABAC)" model [3, 21]. Nevertheless, NGAC suffers a race condition in distributed system. This led to our proposal of a "novel Blockchain-enabled Next Generation Access Control (BeNGAC) model" [3] using permissioned blockchain that can ease the race condition. We explained the merits of the new model with additional benefits brought by blockchain technology. We offered the freedom of choice of encryption methods to PHR generators. With BeNGAC as the core of the LPHR access control mechanism, we designed the BET-LPHR that both patients and providers can trust. We discussed two application limitations of the design: a) when the secret private key is lost; b) when the patient cannot directly authorize the access. Possible solutions are offered to solve the limitations. We also compared our approach with prior works.
