Apps offering medical services, prescription drug access, or mental health support must hold required regulatory licenses and approvals, and health data collected through Apple's HealthKit framework cannot be used for advertising or sold.
This analysis describes what Apple's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances. Read our methodology
This provision conditions App Store approval for health and medical apps on possession of applicable regulatory credentials, and prohibits monetizing HealthKit health data through advertising, providing a baseline protection for sensitive health information.
Interpretive note: The guidelines do not specify the mechanism by which Apple verifies regulatory approvals for health apps, leaving the practical scope of this compliance gate uncertain.
The updated guidelines state that developers must ensure kids receive age-appropriate experiences within their apps and must remove user-generated content that violates the guidelines, terms of service, or community standards. Under the revised policy, if Apple identifies policy-violating content, the developer will be asked to remove it and provide a compliance improvement plan. Based on the developer's response, the app may be removed from the App Store until compliance is demonstrated. This establishes a formal escalation pathway where developer inaction or inadequate remediation can result in app suspension or removal.
View change record →This new high-severity provision establishes comprehensive regulatory compliance requirements for health and medical apps, including restrictions on health data monetization and mandatory regulatory approvals.
View full change record →Consumers using health, medical, or mental health apps distributed through the App Store can rely on the guidelines' requirement that such apps hold applicable regulatory approvals and on the prohibition on using HealthKit health data for advertising; however, the depth of Apple's verification of regulatory compliance during review is not specified in the guidelines.
How other platforms handle this
With your permission, we may also receive data from your mobile device's health app (like Apple HealthKit or Google Health Connect), including hours of sleep and sleep goals. However, we do not infer any health-related characteristics from this information and only process it consistent with the pur...
If we collect health information from these integrations (such as heart rate), we will not sell or use it for advertising or other similar purposes; we do not disclose it to third parties without your prior consent; and we will only use it for the specific purposes described in this Policy.
At Ledger, earning and maintaining our users' trust is a top priority. That's why we are deeply committed not only to protecting your privacy and securing your personal data, but also to being fully transparent about how we handle it.
Monitoring
Apple has changed this document before.
Receive same-day alerts, structured change summaries, and monitoring for up to 25 platforms.
"Apps that provide inaccurate data or that could be used to make medical decisions should be cautious. Apps that offer prescription medication services, mental health support, or medical record management must comply with applicable laws and obtain required regulatory approvals. Apps using HealthKit must have a primary purpose of providing health and fitness services and must not use health information for advertising or selling health data.— Excerpt from Apple's Apple App Store Review Guidelines
REGULATORY LANDSCAPE: Health and medical apps may be subject to FDA oversight as software as a medical device (SaMD) under the Federal Food, Drug, and Cosmetic Act. HIPAA applies to apps that are covered entities or business associates and handle protected health information. The FTC Act applies to health apps that make false or misleading claims. The EU Medical Device Regulation (MDR) applies to apps marketed as medical devices in the EU. Apple's prohibition on using HealthKit data for advertising aligns with HIPAA's restrictions on using PHI for marketing, though not all HealthKit apps are HIPAA-covered entities. GOVERNANCE EXPOSURE: High. Developers of health and medical apps face dual compliance obligations: Apple's guidelines and applicable regulatory frameworks. The guidelines do not specify how Apple verifies regulatory approval claims, which means developer self-certification is the primary mechanism; legal teams should assess whether their app meets FDA, CE marking, or other applicable requirements independently of Apple's review. JURISDICTION FLAGS: US developers offering prescription services must comply with state pharmacy and telehealth licensing requirements in addition to FDA regulations. EU developers must assess MDR applicability. Mental health apps face evolving state licensing requirements for telehealth providers across US jurisdictions. CONTRACT AND VENDOR IMPLICATIONS: B2B health app vendors selling to healthcare organizations should ensure their App Store-distributed apps satisfy HIPAA business associate agreement requirements and that their App Privacy labels accurately reflect PHI handling. Enterprise procurement teams should request evidence of applicable regulatory approvals from health app vendors. COMPLIANCE CONSIDERATIONS: Legal teams should assess whether the app qualifies as a medical device under FDA or EU MDR frameworks before submission. HIPAA compliance assessments should cover HealthKit data flows, and BAAs should be executed with any HealthKit-connected third parties that handle PHI. The prohibition on selling or using HealthKit data for advertising should be operationalized through data governance controls rather than relying solely on Apple's review process.
Full compliance analysis
Regulatory citations, enforcement risk, and due diligence action items.
Free: track 1 platform + weekly digest. Monitor: 25 platforms + same-day alerts. No credit card required.
Ad personalization controls removed. Contact scanning added. Advertiser data partnerships quietly dropped. A timeline of every change.
Compliance Governance Intelligence
Need to monitor specific governance provisions?
Compliance includes provision-level monitoring, governance timelines, regulatory mapping, and audit-ready analysis.
Built from archived source documents, structured governance mappings, and historical version tracking.
This provision conditions App Store approval for health and medical apps on possession of applicable regulatory credentials, and prohibits monetizing HealthKit health data through advertising, providing a baseline protection for sensitive health information.
Consumers using health, medical, or mental health apps distributed through the App Store can rely on the guidelines' requirement that such apps hold applicable regulatory approvals and on the prohibition on using HealthKit health data for advertising; however, the depth of Apple's verification of regulatory compliance during review is not specified in the guidelines.
No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by Apple.