If a wellness program is offered in connection with an employer-sponsored group health plan, then individually identifiable health information received in connection with the wellness program is subject to HIPAA's compliance obligations. (Health App Use Scenarios & HIPAA, at 3.)
Third-party wellness vendors that create, receive, maintain, or transmit health information in connection with an employer group health plan therefore must sign a business associate agreement with the group health plan (see Standard Document, HIPAA Business Associate Agreement (3-501-6706)). If the wellness vendor in turn contracts with a third-party app developer to assist with collecting PHI, then the app developer is considered a downstream business associate of the wellness vendor. As a result, the wellness vendor must enter into a business associate agreement with the app developer that complies with the restrictions and conditions agreed to in the upstream agreement with the group health plan (45 C.F.R. §§ 164.502(e)(1)(ii) and 164.308(b)(2)).