Access control is a key feature of healthcare information systems to protect the privacy of patients and to ensure access to information as required by healthcare professionals. A problem with many existing access control mechanisms is their static nature. In this paper we propose combining workflow information from medical guidelines, observations and audit logs to create dynamic access rules that are adapted to the actual workings of a hospital. Our aim is to help minimize the use of "break the glass" access.