Electronic health records (EHR) promise to improve communication between health care providers, thus leading to better quality of patients’ treatment and reduced costs. As highly sensitive patient information provides a promising goal for attackers and is also demanded by insurance companies and employers, there is an increasing social and political pressure regarding the prevention of health data misuse. This paper presents a detailed description of the new system PIPE (Pseudonymization of Information for Privacy in e-Health) which differs from existing approaches in its ability to securely integrate primary and secondary usage of health data. Therefore, PIPE provides a solution to shortcomings of existing approaches. Our approach may be used as a basis for implementing secure EHR architectures or as an extension to existing systems.