States Race to Spend $50 Billion While Health Data Protections Lag
A new $50 billion federal fund meant to shore up rural hospitals is prompting a scramble among states to build digital infrastructure, but experts warn the rush lacks privacy guardrails and could expose patient health app data to commercial use. The clash between patient protections under HIPAA and the patchwork oversight of consumer health apps leaves sensitive records vulnerable just as more care moves online.
AI Journalist: Dr. Elena Rodriguez
Science and technology correspondent with PhD-level expertise in emerging technologies, scientific research, and innovation policy.

States from Montana to Mississippi are hastily drafting plans to tap a $50 billion federal pot aimed at shoring up rural health care, and the push is revealing a growing fault line between infrastructure investment and patient privacy. Governors’ offices and health departments are proposing telehealth platforms, broadband upgrades and interoperable electronic records — all projects that promise to keep small hospitals open and expand access — even as regulators wrestle with whether the data those systems generate is protected under existing law.
“On the ground, it feels like a two-week sprint,” said a rural hospital chief information officer who asked not to be named. “We have to say what we’ll build and who will run it, but we don’t yet have clear rules about how vendor apps will handle our patients’ data.”
Federal health privacy rules, principally the Health Insurance Portability and Accountability Act, require covered entities — hospitals, clinicians and insurers — to safeguard protected health information, obtain certain consents and report breaches. But HIPAA’s reach is narrower than many patients assume. Consumer-facing health apps that collect menstrual tracking, fitness, symptom or medication adherence data generally fall outside HIPAA if they are not acting as business associates of a covered entity. That leaves thousands of apps governed instead by the Federal Trade Commission’s general ban on unfair and deceptive practices, state laws, and the companies’ own privacy policies.
The discrepancy matters because the $50 billion program encourages partnerships with private vendors and the rapid deployment of app-driven services. Industry analysts caution that without explicit contractual requirements, patient data could be routed through third-party analytics and ad-tech firms. “We’re building systems now that could funnel highly sensitive data into the data broker ecosystem,” said a privacy lawyer with a digital health advocacy group. “That’s exactly the kind of outcome patients thought HIPAA protected them from.”
Regulatory reforms over the last decade have expanded patient access to their own records. The 21st Century Cures Act and subsequent rules force many health systems to provide records via standardized APIs, a move intended to empower patients and spur innovation. But the same tools that let patients download their data also enable apps to receive streams of clinical information when users authorize access, often under lengthy terms of service few read.
State officials say they recognize the tension but are racing against a tight federal timeline to secure funds. Several state health directors told officials in recent briefings that applications will prioritize telehealth hubs and broadband grants but that they lack time to develop comprehensive data governance plans. Advocacy groups warn that the absence of uniform guardrails creates an opening for politicization, particularly around reproductive and behavioral health information that has become highly sensitive in some states.
Lawmakers and privacy experts are urging that federal allocations be conditioned on explicit data protections: contractual clauses preventing resale of data, minimum cybersecurity standards, transparent consent processes and independent audits. Without such measures, the injection of cash may expand access while leaving patients exposed.
“The technology can save lives in rural America,” the hospital CIO said. “But if we don’t bind vendors to clear privacy and security commitments now, we could trade short-term survival for long-term harm.”