Many　sanitizable　signature　schemes　have　been　proposed　to　facilitate　and　secure　the　secondary　use　of　medical　data.　These　schemes　allow　a　patient,　authorized　by　the　doctor,　to　modify　and　re-sign　his/her　electronic　health　record　(EHR)　to　hide　sensitive　information　and　the　new　signature　can　be　verified　successfully.　However,　this　may　lead　to　fraud　because　patients　may　forge　medical　records　for　profit.　To　further　standardize　sanitization　and　reduce　the　sanitizers　power,　this　paper　proposes　a　new　limited　sanitizable　signature　scheme,　which　allows　the　signer　to　not　only　decide　which　message　blocks　can　be　modified　but　also　determine　the　maximum　of　modifiable　blocks　and　the　expiration　time　for　sanitization.　We　also　propose　a　secure　EHR　sharing　scheme　suitable　for　medical　scenarios　based　on　the　above　limited　sanitizable　signature　to　realize　privacy　preserving　medical　data　sharing.　Finally,　the　security　analysis　and　experimental　results　show　that　the　security　and　efficiency　of　our　scheme　can　be　accepted.