Since the development of information technology and network increase many personal privacy data divulging and cause legal problems. For special personal medical information industry, the effect of a more even owned Great leak. If the medical institution fails to take timely protection mechanisms, resulting in leakage of privacy issues, will face civil damages up to 200 million NT dollars, more likely to produce serious medical institutions damaged the credibility of the consideration. Therefore, the medical institutions of privacy and information security measures also become more important. ISO 27001 is widely used in international information security management system standards. ISO 27799 is the extension of ISO 27001 for the medical institutions to develop medical information security management standards, while in Taiwan; there is less hospital use this standard for information security management. With response to the implementation of the new Personal Information Protection Act, medical institutions in information security management, they need to incorporate the concept of personal data protection, reducing leakage the privacy of medical information system risks. This research used the groung theory to construct the prototype of the mechanisms, including the four control areas, 21 control objectives and 70 controls, via 12 experts to check and modify it. Then used case study to interview with relevant person to understand two case hospitals how to take responses to the Personal Data Protection Act and what is the current situation and difficulties. After that, this research analyzed the role of division and responsibilities. Through case study can realized for this research institutional architecture of the applicability in practice. The protection mechanism constructed in this research, can be used to assist local SMEs expect comprehensive medical institutions in response to a funded under this Act to establish a sound legal compliance and medical information security protection framework.