Cost pressure on the health care system has increased the need for electronic healthcare records (EHRs) over the last decade, because EHRs promise massive savings by digitizing medical data and providing it centrally. Because highly sensitive patient information is exchanged and stored within such a system, there are legitimate concerns about the privacy of the stored data: the lifelong storage of medical data is a promising target for attackers. These concerns, together with the lack of existing approaches that provide a sufficient level of security, raise the need for a system that guarantees data privacy and keeps access to health data under the strict control of the patient. This paper introduces PIPE (Pseudonymization of Information for Privacy in e-Health), a new EHR architecture for primary and secondary usage of health data. PIPE's security model is based on pseudonymization instead of encryption.