The eHealth trend has spread globally. Internet of Things (IoT) devices for medical services and pervasive Personal Health Information (PHI) systems play important roles in the eHealth environment. A cloud-based PHI system appears promising but raises privacy and information security concerns. We propose a cloud-based fine-grained health information access control framework for lightweight IoT devices with data dynamics auditing and attribute revocation functions. Only symmetric cryptography is required for IoT devices, such as wireless body sensors. A variant of ciphertext-policy attribute-based encryption, dual encryption, and Merkle hash trees are used to support fine-grained access control, efficient dynamic data auditing, batch auditing, and attribute revocation. The proposed scheme also defines and handles the cloud reciprocity problem, wherein cloud service providers can help each other avoid fines resulting from data loss. Security analysis and performance comparisons show that the proposed scheme is an excellent candidate for a cloud-based PHI system.