
Health and Medical App Requirements

Severity: High · Confidence: Medium · Explicit document language · Unique · 0 of 325 platforms
Document Record

What it is

Apps offering medical services, prescription drug access, or mental health support must hold required regulatory licenses and approvals, and health data collected through Apple's HealthKit framework cannot be used for advertising or sold.

This analysis describes what Apple's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances.

ConductAtlas Analysis

Why it matters (compliance & governance perspective)

This provision conditions App Store approval for health and medical apps on possession of applicable regulatory credentials, and prohibits monetizing HealthKit health data through advertising, providing a baseline protection for sensitive health information.

Interpretive note: The guidelines do not specify the mechanism by which Apple verifies regulatory approvals for health apps, leaving the practical scope of this compliance gate uncertain.

Consumer impact (what this means for users)

Consumers using health, medical, or mental health apps distributed through the App Store can rely on the guidelines' requirement that such apps hold applicable regulatory approvals and on the prohibition on using HealthKit health data for advertising; however, the depth of Apple's verification of regulatory compliance during review is not specified in the guidelines.


Monitoring

Apple has changed this document before.

Original Clause Language

"Apps that provide inaccurate data or that could be used to make medical decisions should be cautious. Apps that offer prescription medication services, mental health support, or medical record management must comply with applicable laws and obtain required regulatory approvals. Apps using HealthKit must have a primary purpose of providing health and fitness services and must not use health information for advertising or selling health data."

— Excerpt from Apple's Apple App Store Review Guidelines

ConductAtlas Analysis

Institutional analysis (Compliance & governance intelligence)

REGULATORY LANDSCAPE

Health and medical apps may be subject to FDA oversight as software as a medical device (SaMD) under the Federal Food, Drug, and Cosmetic Act. HIPAA applies to apps that are covered entities or business associates and handle protected health information. The FTC Act applies to health apps that make false or misleading claims. The EU Medical Device Regulation (MDR) applies to apps marketed as medical devices in the EU. Apple's prohibition on using HealthKit data for advertising aligns with HIPAA's restrictions on using PHI for marketing, though not all HealthKit apps are HIPAA-covered entities.

GOVERNANCE EXPOSURE: High

Developers of health and medical apps face dual compliance obligations: Apple's guidelines and applicable regulatory frameworks. The guidelines do not specify how Apple verifies regulatory approval claims, which means developer self-certification is the primary mechanism; legal teams should assess whether their app meets FDA, CE marking, or other applicable requirements independently of Apple's review.

JURISDICTION FLAGS

US developers offering prescription services must comply with state pharmacy and telehealth licensing requirements in addition to FDA regulations. EU developers must assess MDR applicability. Mental health apps face evolving state licensing requirements for telehealth providers across US jurisdictions.

CONTRACT AND VENDOR IMPLICATIONS

B2B health app vendors selling to healthcare organizations should ensure their App Store-distributed apps satisfy HIPAA business associate agreement requirements and that their App Privacy labels accurately reflect PHI handling. Enterprise procurement teams should request evidence of applicable regulatory approvals from health app vendors.

COMPLIANCE CONSIDERATIONS

Legal teams should assess whether the app qualifies as a medical device under FDA or EU MDR frameworks before submission. HIPAA compliance assessments should cover HealthKit data flows, and BAAs should be executed with any HealthKit-connected third parties that handle PHI. The prohibition on selling or using HealthKit data for advertising should be operationalized through data governance controls rather than relying solely on Apple's review process.


Applicable agencies

  • HHS OCR
    HHS Office for Civil Rights enforces HIPAA, which applies to health apps that are covered entities or business associates handling protected health information.
  • FTC
    The FTC has authority over health apps that make deceptive claims or mishandle health data under the FTC Act and the Health Breach Notification Rule.

Provision details

Document information
Document: Apple App Store Review Guidelines
Entity: Apple
Document last updated: May 5, 2026

Tracking information
First tracked: April 28, 2026
Last verified: May 12, 2026
Record ID: CA-P-011501
Document ID: CA-D-00025

Evidence Provenance
Source URL: Wayback Machine
Content hash (SHA-256): 307db15d06f03003277f88a1476a1308e92cc7cba75906b4fac341d1054f5040
Analysis generated: April 28, 2026 08:36 UTC
Evidence: Snapshot stored; hash verified
Citation Record
Entity: Apple
Document: Apple App Store Review Guidelines
Record ID: CA-P-011501
Captured: 2026-04-28 08:36:55 UTC
SHA-256: 307db15d06f03003…
URL: https://conductatlas.com/platform/apple/apple-app-store-review-guidelines/health-and-medical-app-requirements/
Accessed: May 13, 2026
Permanent archival reference. Stable identifier suitable for legal filings, compliance documentation, and research citation.
Classification
Severity: High

Frequently Asked Questions

Is ConductAtlas affiliated with Apple?

No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by Apple.