You may assume that your medical information on file with your healthcare providers is private and protected, and in some cases, it is. Thanks to the federal Health Insurance Portability Act (HIPAA)—which protects medical records maintained by healthcare providers, health plans, and health clearinghouses that maintain electronic records—there has been a national standard for privacy of health information since 2003.

But what you may not know is that much of your health-related data is not protected by HIPAA, either because it is not stored and transmitted electronically, or because it is kept outside of the files of healthcare facilities and health plans.

In the case of health insurance companies, which use medical information to make decisions about underwriting policies, you will be asked to forfeit confidentiality by releasing your records in order qualify for insurance and get a policy issued to you. Once you give permission, these records may be released to the insurance company directly from your doctors and other healthcare providers.

Therefore, your insurance company may have access to any of the reports common to most health records, including your medical history and results of your physical, significant illnesses and surgeries, health habits, current medications, lab and X-ray reports, physician’s orders, and more.

Once one insurance company gets a hold of your records, your data may end up in the hands of other insurers via a large central database at the MIB Group, Inc. (formerly called the Medical Information Bureau). The MIB is not subject to HIPAA, because the files are not complete medical records as such.

Not everyone’s health information is on file at the MIB, but there is a chance that yours is there, alongside data on approximately 18 million Americans and Canadians. You’re particularly likely to be in the MIB’s computers if you have a severe condition that seriously impacts your health, and if you have applied for an insurance policy in the past seven years with an MIB Group member.

If so, then medical information from your policy application may have been converted to codes for specific medical conditions and lifestyle choices that can be shared by request with any of the MIB’s approximately 600 fee-paying member companies.

When considering whether or not to issue a policy, health insurers have certain “underwriting standards” to help them determine their decision and price. These standards apply to age, height and weight, personal and family history, and health habits. Although insurers are not supposed to deny you coverage based on your MIB report alone, there are 230 specific codes used by the MIB to represent various health conditions and lifestyle choices, which are directly related to underwriting standards.

So for example, insurance companies will be able to determine whether applicants have been diagnosed with conditions like AIDS, bipolar disorder, and multiple sclerosis, as well as whether they engage in high-risk activities such as smoking or extreme sports.

So what can you do to try to make your personal health information more secure? Although there is no surefire way to protect your medical data, you can at least become more informed about the whereabouts of your information so that you can make choices accordingly. Here are a few tips to expand your knowledge:

Check the fine print. When applying for an insurance policy, insurers must notify prospective policyholders that they’re planning to request their records from the MIB, but it may be buried in the legal language, so be sure to look carefully.

Check if the MIB has a file on you. You can request an annual free copy of your consumer file at MIB by calling toll-free in the United States: 1-866-692-6901.

Find out which companies know about you. If there is information on you being kept at the MIB, it will include details about which insurance companies reported data about you to the MIB, and which received a copy of your file in the previous two years. You can find this information in your consumer file when you request it from the MIB.

Correct inaccurate information. If your MIB file contains wrong information, you can contact the MIB at the number above and request a reinvestigation. They will send you a form where you can document discrepancies.

It can be unsettling to recognize how many different people and companies potentially have access to your health data. But by taking some steps upfront, you can help to keep your records accurate and gain a better idea of exactly who has viewed your information, rather than waste time wondering.