Apple guideline 5.1.3 (HealthKit) and Google Play's Health Connect policy prohibit transmitting health data to advertising or analytics platforms — a prohibition that is routinely violated by apps that include general analytics SDKs like Mixpanel or Amplitude without filtering health data from event properties. GDPR Article 9 classifies health data as a special category requiring explicit consent separate from general ToS acceptance. HIPAA §164.514 applies if the app is used in a clinical context. Over-permissioning HealthKit data types (requesting menstrual cycle data for an app that has no tracking feature) is flagged automatically by Apple's review tooling.
Medium because health data policy violations trigger Apple rejection and can simultaneously create GDPR Article 9 exposure in the EU — two independent enforcement regimes with separate penalties and separate legal bases for action.
Audit every HKObjectType (iOS) or HealthPermission (Android) requested and remove any type not mapped to a visible user-facing feature:
import HealthKit

// Only request the types a visible feature actually uses
let typesToRead: Set<HKObjectType> = [
    HKObjectType.quantityType(forIdentifier: .stepCount)!, // used in the step tracker screen
    // Removed: HKObjectType.quantityType(forIdentifier: .heartRate) — no heart rate screen exists
]
For analytics calls, ensure no health variable appears as an event property:
// Wrong: a health metric (average heart rate) is sent as an analytics event property
mixpanel.track('workout_completed', { duration_min: 30, heart_rate_avg: 142 });
// Correct: no health metric in the event properties
mixpanel.track('workout_completed', { duration_min: 30 });
Add a dedicated health data consent screen (separate from ToS) before the first HealthKit read.
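The two remediation steps above (keeping health metrics out of analytics properties, and gating the first HealthKit/Health Connect read behind a dedicated consent) as a runtime wrapper. This is an added example, not code from the rule page or from Mixpanel: it assumes any analytics client that exposes a Mixpanel-style track(event, props) method, the HEALTH_PROPERTY_PATTERNS list is an assumed denylist that an app would derive from its own data model, and FakeAnalytics is a constructed stand-in client used only to show the effect.

```javascript
// Added example (not the rule page's or Mixpanel's code): strips health
// metrics from analytics event properties before they leave the device and
// blocks HealthKit/Health Connect reads until the dedicated consent exists.

// Property-name patterns treated as health metrics. Assumed list for this
// example; derive the real one from the app's health data model.
const HEALTH_PROPERTY_PATTERNS = [
  /heart[_-]?rate|\bhrv\b/i,
  /step[_-]?count|\bsteps?(\b|_)/i,
  /sleep/i,
  /menstrual|ovulation|cycle[_-]?day/i,
  /glucose|insulin/i,
  /blood[_-]?pressure|systolic|diastolic/i,
  /\bweight\b|\bbmi\b|body[_-]?fat/i,
  /medication/i,
  /calories|energy[_-]?burned/i,
  /spo2|oxygen[_-]?saturation/i,
];

function isHealthProperty(key) {
  return HEALTH_PROPERTY_PATTERNS.some((re) => re.test(key));
}

// Returns { safe, dropped }: the properties that may be sent, and the dotted
// paths of every key removed. Recurses into nested plain objects so a metric
// hidden under e.g. props.device is caught as well.
function scrubHealthProperties(props, prefix = '') {
  const safe = {};
  const dropped = [];
  for (const [key, value] of Object.entries(props || {})) {
    const path = prefix ? `${prefix}.${key}` : key;
    if (isHealthProperty(key)) {
      dropped.push(path);
    } else if (value && typeof value === 'object' && !Array.isArray(value)) {
      const inner = scrubHealthProperties(value, path);
      safe[key] = inner.safe;
      dropped.push(...inner.dropped);
    } else {
      safe[key] = value;
    }
  }
  return { safe, dropped };
}

// Wraps any client with track(event, props). Health keys never reach the
// client; the dropped paths are handed to onDropped so a debug build can
// fail loudly and a CI run can record them.
function createSafeAnalytics(client, { onDropped = () => {} } = {}) {
  return {
    track(event, props) {
      const { safe, dropped } = scrubHealthProperties(props);
      if (dropped.length > 0) onDropped(event, dropped);
      client.track(event, safe);
      return { event, safe, dropped };
    },
  };
}

// Consent gate: a health data read runs only after the user accepted the
// dedicated health consent screen (separate from ToS acceptance).
function createHealthGate(consentStore) {
  return {
    read(readFn) {
      if (consentStore.healthDataConsent !== true) {
        throw new Error('Health data consent not recorded: show the dedicated consent screen before the first read');
      }
      return readFn();
    },
  };
}

// Constructed stand-in client that records what would have been sent.
class FakeAnalytics {
  constructor() { this.sent = []; }
  track(event, props) { this.sent.push({ event, props }); }
}

// Demo run with constructed input.
const demoClient = new FakeAnalytics();
const demoAnalytics = createSafeAnalytics(demoClient, {
  onDropped: (event, dropped) => console.log(`dropped from ${event}:`, dropped),
});
demoAnalytics.track('workout_completed', { duration_min: 30, heart_rate_avg: 142 });
console.log('sent to analytics:', demoClient.sent);
```

In a development build, pass an onDropped callback that throws, so an engineer who adds a health property to an event sees the failure immediately rather than after an App Review rejection; the production wrapper keeps silently dropping the key.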
ID: app-store-policy-compliance.regulated-industries.health-medical-compliance
Severity: medium
What to look for: Count all relevant instances and enumerate each. If HealthKit (iOS) or Health Connect (Android) integration is detected, examine every read and write API call: (1) Data minimization — What health data types does the app request? Look for HKObjectType.quantityType(forIdentifier:) (HealthKit) or HealthPermission (Health Connect) calls. List every requested type: step count, heart rate, sleep, menstrual cycle, blood glucose, medications, reproductive health. Does the app request types it does not visibly use? Apple requires that HealthKit data be used only for health purposes, not for advertising or analytics. (2) Health data transmission — Trace every health variable to fetch(), axios.post(), or any network call. If health data is transmitted to a server, is it necessary for the app's stated purpose? Apple's guideline 5.1.3 prohibits transmitting health data to third parties without explicit, conspicuous user consent — separate from general ToS acceptance. (3) Advertising prohibition — Search for analytics SDKs (analytics, mixpanel, amplitude, braze, firebase/analytics) that might receive health data as event properties. Any track() or logEvent() call that includes a health metric as a property violates Apple and Google's health data policies. (4) Clinical decision support — If the app presents personalized health recommendations based on HealthKit data, does it include a disclaimer that the app is not a medical device and recommendations are not medical advice?
Pass criteria: Health data is used only for health purposes visible to the user. At least 1 implementation must be verified. Requested data types match visible app functionality. Health data is not transmitted to analytics platforms. Network transmission of health data is encrypted and purposeful, with explicit user consent disclosure. Clinical recommendations include appropriate disclaimers.
Fail criteria: Health data types requested exceed visible app functionality (over-permissioning); health data included as properties in analytics events; health data transmitted to third parties without a specific, prominent consent disclosure; no disclaimer on personalized health recommendations.
Skip (N/A) when: No HealthKit or Health Connect integration detected — no react-native-health, expo-health, import HealthKit, or HealthConnectClient found in source.
Detail on fail: "HealthKit reads menstrual cycle data but no menstrual tracking feature exists in the app — over-permissioning detected" or "Mixpanel track() call in src/analytics/events.ts includes heart_rate as an event property — health data sent to analytics platform"
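A small static checker that runs "What to look for" steps (1) and (3) over source text and reports in the "Detail on fail" wording. This is an added example, not the rule's own tooling: SAMPLE_SOURCES and VISIBLE_FEATURES are constructed inputs, the checker assumes HealthKit requests are spelled with the Swift `forIdentifier: .name` form shown on this page (Health Connect's HealthPermission calls are not covered here), and it only parses a single-level object literal as the second argument of track()/logEvent().

```javascript
// Added example (not the rule page's own checker): step (1) data minimization
// and step (3) analytics-property checks over constructed source files.

// Constructed source files, keyed by path, standing in for a scan of ios/ and src/.
const SAMPLE_SOURCES = {
  'ios/HealthStore.swift': [
    'let typesToRead: Set<HKObjectType> = [',
    '    HKObjectType.quantityType(forIdentifier: .stepCount)!,',
    '    HKObjectType.quantityType(forIdentifier: .heartRate)!,',
    '    HKObjectType.categoryType(forIdentifier: .menstrualFlow)!,',
    ']',
  ].join('\n'),
  'src/analytics/events.ts': [
    "mixpanel.track('workout_completed', { duration_min: 30, heart_rate_avg: 142 });",
    "mixpanel.track('screen_view', { screen: 'StepTracker' });",
  ].join('\n'),
};

// Requested HealthKit identifier -> the visible screen that uses it (constructed).
// Anything requested but absent here is over-permissioning.
const VISIBLE_FEATURES = {
  stepCount: 'StepTrackerScreen',
};

// Key fragments treated as health metrics (assumed list; extend per app).
const HEALTH_METRIC_KEYWORDS = [
  'heart_rate', 'hrv', 'step', 'sleep', 'menstrual', 'glucose',
  'blood_pressure', 'weight', 'medication', 'spo2', 'calories',
];

// Normalise camelCase/kebab-case keys to snake_case before matching.
function normaliseKey(key) {
  return key.replace(/([a-z0-9])([A-Z])/g, '$1_$2').replace(/-/g, '_').toLowerCase();
}

function isHealthMetricKey(key) {
  const norm = normaliseKey(key);
  return HEALTH_METRIC_KEYWORDS.some((kw) => norm.includes(kw));
}

// Step (1): every `forIdentifier: .x` request must map to a visible feature.
function findOverPermissioning(file, text, features) {
  const findings = [];
  for (const m of text.matchAll(/forIdentifier:\s*\.(\w+)/g)) {
    const identifier = m[1];
    if (!Object.prototype.hasOwnProperty.call(features, identifier)) {
      findings.push({
        check: 'over-permissioning',
        file,
        identifier,
        detail: `${file}: HealthKit requests .${identifier} but no visible feature uses it - over-permissioning detected`,
      });
    }
  }
  return findings;
}

// Step (3): property keys of track()/logEvent() calls must not be health metrics.
// Matches a single-level object literal as the second argument (example scope).
const ANALYTICS_CALL = /\b(track|logEvent)\s*\(\s*(['"])([^'"]+)\2\s*,\s*\{([^}]*)\}/g;

function findAnalyticsLeaks(file, text) {
  const findings = [];
  for (const m of text.matchAll(ANALYTICS_CALL)) {
    const [, fn, , event, body] = m;
    for (const k of body.matchAll(/(\w+)\s*:/g)) {
      const property = k[1];
      if (isHealthMetricKey(property)) {
        findings.push({
          check: 'analytics-leak',
          file,
          event,
          property,
          detail: `${file}: ${fn}() call for '${event}' includes ${property} as an event property - health data sent to analytics platform`,
        });
      }
    }
  }
  return findings;
}

// Runs both checks over every file; an empty array means the checks pass.
function scanSources(sources, features) {
  const findings = [];
  for (const [file, text] of Object.entries(sources)) {
    findings.push(...findOverPermissioning(file, text, features));
    findings.push(...findAnalyticsLeaks(file, text));
  }
  return findings;
}

for (const f of scanSources(SAMPLE_SOURCES, VISIBLE_FEATURES)) console.log(f.detail);
```

Against the constructed input this reports heartRate and menstrualFlow as over-permissioned (only stepCount has a screen) and the heart_rate_avg property on workout_completed as an analytics leak; duration_min and the screen name on screen_view are not flagged, since only property keys are tested.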
Remediation: Apple treats health data policy violations as serious guideline violations. Review the source under the src/ or app/ directory for the HealthKit/Health Connect permission requests, network calls and analytics calls described above, and apply the data minimization, analytics filtering and dedicated consent steps listed earlier.