Given the sensitive nature of health data, privacy of eHealth systems is of prime importance. An eHealth system must enforce that users remain private, even if they are bribed or coerced to reveal themselves or others. Consider e.g. a pharmaceutical company that bribes a pharmacist to reveal information which breaks a doctor’s privacy. In this paper, we first identify and formalise several new but important privacy notions on enforcing doctor privacy. Then we analyse privacy of a complicated and practical eHealth protocol (DLVV08). Our analysis shows to what extent these new properties as well as properties such as anonymity and untraceability are satisfied by the protocol. Finally, we address the found ambiguities which result in privacy flaws, and propose suggestions for fixing them.