This paper describes foundational work investigating the protection requirements of sensitive medical information, which is being stored more routinely in repository systems for electronic medical records. These systems have increasingly powerful sharing capabilities at the point of clinical care, in medical research and for clinical and managerial audit. The potential for sharing raises concerns about the protection of individual patient privacy and challenges the duty of confidentiality by which medical practitioners are ethically and legally bound. By analysing the protection requirements and discussing the need to apply policy-based controls to discrete items of medical information in a record, this paper suggests that this is a problem for which existing privacy management solutions are not sufficient or appropriate to the protection requirements. It proposes that a knowledge management approach is required and it introduces a new framework based on the knowledge management techniques now being used to manage electronic medical record data. The background, existing work in this area, initial investigation methods, results to date and discussion are presented, and the paper is concluded with the authors' comments on the ramifications of the work.