HIPAA in one paragraph

HIPAA governs Protected Health Information (PHI) held by covered entities (healthcare providers, health plans, and healthcare clearinghouses) and by their business associates.

Relevant principles:

  Privacy Rule: minimum-necessary use and disclosure of PHI, plus patient rights (access, amendment, accounting of disclosures).
  Security Rule: administrative, physical, and technical safeguards for electronic PHI (access control, encryption, audit controls, integrity protection, transmission security).
  Breach Notification Rule: notify affected individuals, HHS, and in large breaches the media, when unsecured PHI is compromised.

Genomic data tied to an identifiable individual is PHI when held by a covered entity or business associate. If your app processes PHI on behalf of a covered entity, you are a Business Associate and need a Business Associate Agreement (BAA). That includes every downstream vendor that touches the PHI, such as any LLM provider you send it to; without a BAA, sending PHI there is an impermissible disclosure.

Keeping processing on-device, so that PHI never reaches your servers or a third-party API, can keep you out of Business Associate scope entirely, which is a real architectural advantage. The covered entity's own obligations still apply, and the moment a crash report, analytics event, or backup carries PHI off the device, you are back in scope.