App Store Rejection: Guideline 5.1.3 - Health and Health Research Apps

Your health app needs stronger privacy disclosures. Here's what Apple requires.

Apps that collect health or medical data are held to a higher standard by Apple. Missing consent flows, vague privacy policies, or sharing health data with third parties without disclosure will trigger a 5.1.3 rejection. This guide breaks down exactly what you need.

What Apple said

Your app collects users' health or medical information but does not have a privacy policy that clearly explains how this sensitive data is used, stored, or shared. Apps that collect health data must provide clear disclosures and obtain explicit user consent before collecting such information.

What this actually means

Apple treats health data as among the most sensitive information an app can handle. Guideline 5.1.3 requires a detailed privacy policy, explicit in-app consent before any health data is collected, and strict limits on sharing that data. A generic privacy policy that doesn't address health data specifically will not satisfy reviewers.

What Apple needs to see

  • A privacy policy that specifically addresses what health or medical data is collected, why, and who it is shared with
  • An explicit in-app consent screen shown before any health data collection begins, not just at account creation
  • Clear disclosure if health data is shared with third parties, researchers, or advertisers
  • A process for users to request deletion of their health data

  1. Update your privacy policy to include a dedicated section on health data — what's collected, why, retention period, and third-party sharing — BaseTerms generates privacy policies with health data disclosure sections that meet Apple's requirements
  2. Add an explicit consent screen before any HealthKit access or health data input, with a plain-English explanation of what you're collecting
  3. Audit every SDK and third party in your app that receives any health-related data and disclose each one in your privacy policy
  4. Build a data deletion flow so users can request their health data be removed — link to it from your support page
  5. Add your privacy policy URL to your App Store Connect listing and ensure it loads correctly — a broken privacy policy link is an instant rejection
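The consent gate from step 2, as an added Swift example (not BaseTerms' or Apple's code): the app stores a versioned, timestamped consent for the current privacy policy before the HealthKit authorization prompt is ever requested, and asks again when the health-data section of the policy changes. The ConsentStore key, the policy version placeholder and the set of read types are assumptions.

```swift
import Foundation
import HealthKit

// Consent record persisted on device. The UserDefaults key and the policy
// version value are assumptions for this example.
struct HealthConsent: Codable {
    let policyVersion: String   // privacy-policy version the user actually saw
    let acceptedAt: Date
}

enum ConsentStore {
    private static let key = "health.consent.record"               // assumed key
    static let currentPolicyVersion = "POLICY-VERSION-PLACEHOLDER" // bump when the health section changes
    static func current() -> HealthConsent? {
        guard let data = UserDefaults.standard.data(forKey: key) else { return nil }
        return try? JSONDecoder().decode(HealthConsent.self, from: data)
    }

    // Consent only counts for the policy version that was on screen when it was given.
    static var isValid: Bool { current()?.policyVersion == currentPolicyVersion }
    static func record() {
        let consent = HealthConsent(policyVersion: currentPolicyVersion, acceptedAt: Date())
        if let data = try? JSONEncoder().encode(consent) {
            UserDefaults.standard.set(data, forKey: key)
        }
    }
}

final class HealthDataGate {
    private let store = HKHealthStore()
    private let readTypes: Set<HKObjectType> = Set(
        [HKQuantityTypeIdentifier.stepCount, .heartRate]
            .compactMap { HKObjectType.quantityType(forIdentifier: $0) as HKObjectType? })
    private func authorize(_ completion: @escaping (Bool) -> Void) {
        store.requestAuthorization(toShare: nil, read: readTypes) { ok, _ in completion(ok) }
    }

    // presentConsent shows the app's plain-English consent screen and reports the decision.
    // The system HealthKit prompt is never requested until that consent is on record.
    func requestAccess(presentConsent: @escaping (@escaping (Bool) -> Void) -> Void,
                       completion: @escaping (Bool) -> Void) {
        guard HKHealthStore.isHealthDataAvailable() else { completion(false); return }
        if ConsentStore.isValid { authorize(completion); return }
        presentConsent { accepted in
            guard accepted else { completion(false); return }
            ConsentStore.record()   // timestamped record for audits and deletion requests
            self.authorize(completion)
        }
    }
}
```

The stored record also gives the deletion flow from step 4 something to act on: clearing it alongside the user's data forces a fresh consent screen before any further collection.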

While you're at it — Apple also requires these pages for every app.

Fix this rejection, then make sure you're covered on the compliance side too. Apple requires every app to link to a hosted Privacy Policy, Terms of Service, Support page, and Data Deletion page. No link means another rejection — just for a different reason.


Common questions

Does this apply to fitness apps that don't use HealthKit?
Yes. Any app that collects health-adjacent data — workout logs, nutrition, sleep, mental health — falls under 5.1.3 even without HealthKit integration. Apple looks at what data you collect conceptually, not just which Apple framework you use.
Can I share anonymized health data with researchers?
Sharing with researchers is permitted under specific conditions: you must disclose it clearly in your privacy policy, get explicit user consent for research use specifically, and ensure the data is genuinely anonymized per HIPAA de-identification standards. Vague 'for research purposes' language won't cut it.
My privacy policy is hosted but Apple says it's not accessible — what's happening?
Apple's review servers try to load your privacy policy URL during review. If your server is down, rate-limiting their IP range, or returning a redirect that resolves to an error, the policy will be flagged as inaccessible. Use a reliable hosting provider and test the URL from a clean browser before submitting.