IoT and 5G-enabled smart healthcare allows medical practitioners to diagnose patients from any location via electronic health records (EHRs) by wireless body area network (WBAN) devices. Privacy, including the medical practitioner's identity and the patient's EHR, can easily be leaked from hospitals or cloud servers, and secret keys used to access EHRs must be revoked after diagnosis. In response to the challenges associated with user authentication and secret key revocation, this paper proposes an access control scheme with privacy-preserving authentication and flexible revocation for smart healthcare using attribute-based encryption (ABE), named PAFR-ABE, which provides access control to prevent malicious users from decrypting EHRs. Meanwhile, PAFR-ABE ensures privacy-preserving authentication for users during secret key generation, safeguarding users' identities and preventing unauthorized requests for secret keys. In addition, PAFR-ABE achieves flexible revocation and recovery of secret keys, eliminating the need to update secret keys for unrevoked users. Security analysis indicates that PAFR-ABE meets the security requirements of an access control scheme for smart healthcare, especially in terms of forward security and backward security. Performance analysis shows that PAFR-ABE scheme is efficient in the key generation and revocation algorithms.