Health data gets a category of its own in the App Store rules, and the constraints are stricter than for ordinary data. Guideline 5.1.3 governs how apps handle health and medical information, including HealthKit data, and the headline rules are blunt: you cannot use health data for advertising or data mining, cannot share it without consent, and cannot sell it. On top of Apple's rules sit real privacy laws for health data. If your app touches health or medical information, these are not optional. Here is what Guideline 5.1.3 requires and how to handle health data correctly. This is general information, not legal or medical advice.
Short answer
App Store Guideline 5.1.3 governs health and medical data, and it prohibits using that data, including HealthKit data, for advertising or data mining, sharing it with third parties without user consent, or selling it. Per Apple's health guideline, apps must have a privacy policy, request only the health data they need with clear purpose strings, and obtain consent, and apps conducting human-subject health research need participant consent and appropriate ethics-board approval. Beyond Apple's rules, health data is sensitive personal information subject to laws like HIPAA in the US and the GDPR in the EU. So request minimal health data, never use it for ads or sale, get consent, and secure it.
What you should know
- Health data has stricter rules: Guideline 5.1.3 governs it specifically.
- No advertising, data mining, or sale of health data.
- Consent and a privacy policy are required before collecting or sharing it.
- HealthKit access needs purpose strings and minimal scope: request only what you need.
- Laws apply too: HIPAA, GDPR, and others cover sensitive health data.
What does Guideline 5.1.3 require?
That health and medical data is handled with heightened restrictions and consent. The guideline prohibits using health data gathered through HealthKit or similar APIs, and health information generally, for advertising, marketing, or use-based data mining; it allows the data to be shared, with permission, for purposes like improving health management or health research. It bars sharing health data with third parties without the user's consent and bars selling it outright. Apps must include a privacy policy covering health-data use, and apps that conduct human-subject research must obtain informed consent from participants and approval from an ethics review board. So 5.1.3 sets a high bar: health data is for the user's health purposes, not your monetization, and using it requires consent and transparency. The restrictions reflect how sensitive health information is and how much harm its misuse can cause.
What are the rules for health data?
A set of prohibitions and requirements. The table summarizes them.
| Rule | What it means |
|---|---|
| No advertising or data mining | Health data may not be used for ads or use-based mining |
| No sharing without consent | Third-party sharing requires user permission |
| No selling health data | You may not sell it |
| Privacy policy required | Disclose how health data is used |
| Minimal access with purpose strings | Request only needed HealthKit data, with usage descriptions |
| Research needs consent and ethics approval | Human-subject research requires both |
The throughline is that health data is treated as the user's, for their health purposes, with strict limits on monetization and sharing. HealthKit access specifically requires declaring why you need each data type through usage strings and requesting only what your features use, and it must not feed advertising or sale.
How do you handle health data correctly?
Minimize, get consent, never monetize it improperly, and secure it. Request only the health data your features genuinely need, with clear purpose strings explaining each HealthKit data type you access, and obtain the user's consent. Never use health data for advertising, marketing, or data mining, never share it with third parties without consent, and never sell it. Maintain a privacy policy that accurately describes your health-data use, and keep it consistent with your App Privacy disclosures. Store and transmit health data securely, encrypted at rest and over HTTPS, given its sensitivity. If you conduct health research, obtain informed participant consent and ethics-board approval. And recognize that beyond Apple's rules, health data is regulated personal information, so comply with applicable laws like HIPAA and the GDPR, confirming the specifics with a professional, since this is not legal advice.
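The minimal-access and secure-storage steps above, as an added Swift example (not code from the page or from Apple): it declares the two HealthKit purpose-string keys, requests read access to a single data type with no write permission, and writes a derived summary with complete file protection. The class name, the step-count choice, and the file location are assumptions for illustration.

```swift
import Foundation
import HealthKit

// Info.plist entries assumed for this example. Both are real HealthKit keys;
// the strings must explain the concrete feature that needs the data.
//   NSHealthShareUsageDescription  = "Reads your daily step count to show a weekly activity summary."
//   NSHealthUpdateUsageDescription = "This app does not write to Health."

final class StepSummaryReader {
    private let store = HKHealthStore()

    /// Request read access to exactly one data type. Passing nil for toShare
    /// means no write permission is requested at all.
    func requestMinimalAccess(completion: @escaping (Bool) -> Void) {
        guard HKHealthStore.isHealthDataAvailable(),
              let steps = HKObjectType.quantityType(forIdentifier: .stepCount) else {
            completion(false)
            return
        }
        store.requestAuthorization(toShare: nil, read: [steps]) { succeeded, _ in
            // 'succeeded' means the request was processed, not that the user
            // allowed reading. For read types HealthKit deliberately does not
            // reveal a denial; queries simply return no samples. Treat an empty
            // result as "no data" rather than a reason to re-prompt.
            completion(succeeded)
        }
    }

    /// Persist a derived summary (for example a weekly step total) with complete
    /// file protection, so the file is encrypted at rest and unreadable while
    /// the device is locked. Assumed location: the app's Application Support directory.
    func saveSummary(_ summary: Data) throws -> URL {
        let dir = try FileManager.default.url(for: .applicationSupportDirectory,
                                              in: .userDomainMask,
                                              appropriateFor: nil,
                                              create: true)
        let url = dir.appendingPathComponent("weekly-steps.json")
        try summary.write(to: url, options: [.atomic, .completeFileProtection])
        return url
    }
}
```

Keep the summary on-device unless a feature needs it elsewhere; anything that does leave the device should go over HTTPS under App Transport Security, and only with the consent and privacy-policy coverage described above.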
What to watch out for
The first trap is using health or HealthKit data for advertising, marketing, or data mining, or sharing or selling it, which 5.1.3 squarely prohibits. The second is requesting broad HealthKit access without clear purpose strings or genuine need; request the minimum. The third is treating App Store compliance as the whole obligation, when health data also falls under laws like HIPAA and the GDPR. A pre-submission scan such as PTKD.com (https://ptkd.com) reads the binary against OWASP MASVS and checks how the app stores and transmits data, supporting the security side of handling health data, while the legal sufficiency needs a professional, since this is not legal advice.
What to take away
- Guideline 5.1.3 prohibits using health data, including HealthKit data, for advertising or data mining, sharing it without consent, or selling it.
- Apps must have a privacy policy, request only the health data they need with clear purpose strings, and obtain consent; research needs participant consent and ethics approval.
- Health data is also regulated by laws like HIPAA and the GDPR, so App Store compliance is not the whole obligation.
- Minimize and secure health data, never monetize it improperly, use a pre-submission scan such as PTKD.com for the security side, and consult a professional for legal sufficiency, since this is not legal advice.