The Leak: Providing unnecessary additional information when making a check or credit-card purchase. Has a merchant ever asked for your address and phone number when you bought something with a credit card? Or written your credit-card number on the back of the check you’re paying with? Both practices may violate your privacy, and they may also violate card-company rules and state law.

The Plug: Refuse—nicely—to provide the information. Some merchants just aren’t aware of the rules and are “only following store policy.” You can inform them that Visa, MasterCard, and American Express all forbid merchants to refuse a sale just because someone doesn’t want to provide more information than is already on her card. Know, too, that a number of states have passed laws prohibiting merchants from recording certain personal information in connection with credit-card transactions. If you’re paying with a check, merchants often ask to see two forms of ID — typically a driver’s license and a credit card. You can show them the cards, but don’t let them write your credit-card number on the check. Aside from the obvious risk of fraud, the practice is illegal in more than 20 states. Never let anyone write your Social Security number on a check, either. For a list of states and the privacy laws pertaining to credit-card and check transactions, go to www.privacyrights.org/fs/fs15plus.htm.

Your Medical Records

The Leak: Going to the doctor or a hospital. Think about what’s in your medical records — they may contain information not only about your physical health but also about your family relationships, sexual behavior, substance use, and even thoughts you’ve expressed to a psychotherapist. This information is often keyed to a Social Security number, meaning that — like your personal financial information — it is vulnerable to hacking. Parts of your medical record may also be made available, with or without your permission, to a variety of other parties, and this information can influence your ability to get health insurance and the rate you pay for coverage.

The Plug: Be aware of the authorized uses of your information. The Privacy Rule under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) requires health-care providers to give every patient a Notice of Privacy Practices, which explains how the provider may use the information in your health records. HIPAA sets a minimum federal standard for protected health information (PHI), but states and individual providers may have even more stringent standards, so be sure to read each privacy statement you’re given. Be aware, though, that even with these privacy protections, there are cases where PHI may be shared without your consent — for emergency treatment or to obtain a third-party payment, for example, or if subpoenaed for a court case. Health providers must have authorization, though, to use your data for most marketing, research, and fund-raising activities.

As with your credit report, it’s important to know what’s in your medical records and to correct any inaccurate information. Under HIPAA, you have the right to inspect and request amendments to your health records and to know if any information has been disclosed without your authorization. Also under HIPAA, your health provider and insurer must provide you with information on when, why, and with whom your records were shared (only if you request it and only once a year). You also have the right to request that communications about your health be sent confidentially (to a particular address or phone number or in an envelope instead of on a postcard, for example) and that additional restrictions be placed on what can be disclosed about your treatment or state of health. You could request, for instance, that a hospital not disclose anything about a surgical procedure you’ve had. Note that providers are obligated only to consider such requests, not necessarily to agree to them.

If you can avoid having your Social Security number linked to your medical records, so much the better (although some providers may refuse service if you choose not to provide them with your number). For more information on health-care privacy, go to the Department of Health and Human Services website, www.hhs.gov/ocr/hipaa/.