Access control to patients' medical information in Hospital Information Systems (HIS) is a challenge in modern Patient-Centered (PC) healthcare. Fine-Grained Access Control (FGAC) in particular has been identified as one of the security requirements in these systems. In FGAC, only the parts of medical information that are relevant to and required by healthcare providers are accessed at the point of care. This cannot be achieved without a holistic view of a medical condition through Patient-Centered Fine-Grained Access Control (PCFGAC), in which patient-centricity is considered. This research proposes using Business Process Management (BPM) to achieve PCFGAC in order to provide real-time access control based on a "need-to-know" principle. Through a prototype that uses BPM, the security requirements of PCFGAC were met. These include authority control, informed decision support, fine-grained access control, and dynamic policy support. The work thus contributes to both knowledge and practice.