Abstract:
With the rapid development of Internet technology, the emergence of mobile health (mHealth) is expected to improve the quality of medical care. However, data security and user privacy issues in the mHealth field have not been fully resolved. Access control based on ciphertext-policy attribute-based encryption (CP-ABE) is a promising technique for sharing personal health records (PHRs). However, directly adopting traditional CP-ABE in mHealth causes several problems. Firstly, a centralized attribute authority has low ability to resist risks. Secondly, the access policies are in cleartext, so the encrypted PHRs leak the patient’s private information. Finally, it is difficult for a traditional CP-ABE scheme to track down a user who intentionally discloses the private key. To solve these problems, we propose a fine-grained, policy-hiding and traceable decentralized access control scheme for mHealth. The scheme implements a decentralized attribute authority mechanism. Each attribute is expressed by an attribute name and an attribute value. In the encryption phase, the attribute value is hidden in the ciphertext and only the generic attribute name is exposed. When a private key is maliciously leaked, the regulator can use the identity mapping table to trace the malicious user. Experimental simulation and comparative analysis show that our scheme is suitable for the actual mHealth environment in terms of security and performance.