If I'm developing an app that is for doctors and/or patients, does it need to be HIPAA compliant, even if there is no PHI involved?

If the app is for doctors and/or patients, then there *IS* a very high potential for PHI to be involved, and at any point in time, there could be PHI exchanged. Therefore, it's best to follow and obey HIPAA guidelines to avoid costly fines. When in doubt, always follow HIPAA regulations, as they offer a framework that is best practice for securing any type of business, not just medical. NIST (National Institute of Standards and Technology) is a government organization that offers a great framework for other business types too. There are many similarities among HIPAA, NIST and other regulations.
