Electronic　health　record　(EHR)　sharing　schemes　are　widely　used　in　healthcare,　medical,　and　research.　However,　privacy　may　be　a　concern　for　patients　with　EHRs.　In　this　paper,　a　secure　EHR　sharing　scheme　with　sanitizable　signature　is　proposed　to　protect　patients＇　privacy　and　enhance　accountability.　Our　proposed　scheme　makes　the　following　contributions:　(1)　doctors　can　specify　patients　to　modify　some　fields　before　the　expiration　time;　(2)　patients　can　convert　the　original　signature　into　a　new　and　unlinkable　signature　for　the　modified　record　without　interacting　with　the　doctor;　(3)　the　scheme　satisfies　traceability　and　can　distinguish　the　generator　of　a　given　signature.　In　contrast　to　existing　approaches,　we　introduce　a　new　limited　sanitizable　signature　scheme　as　the　main　ingredient,　which　allows　the　signer　not　only　to　decide　which　message　blocks　can　be　modified,　but　also　to　determine　the　maximum　number　of　modifiable　blocks　and　the　expiration　time　for　sanitization.　Finally,　the　security　analysis　and　experimental　results　show　that　the　security　and　efficiency　of　our　scheme　can　be　approved.