Health data

HealthKit data access App Review checklist

HealthKit access is more specific than a health claim. Each data type needs a user purpose, read/write direction, and privacy boundary.

Quick answer

Request only the HealthKit data types the feature needs, and separate read access from share/write access. Apple says HealthKit requires fine-grained authorization and users must grant permission for each data type. AppReviewReady interpretation: create a data-type-by-purpose matrix before the first prompt appears.

01

Map each data type to a feature

List heart rate, workouts, steps, sleep, nutrition, mindful minutes, medication, clinical records, or any other HealthKit type separately. A workout feature does not justify broad health-data access by itself.

For each type, record whether the app reads, writes, or does both. A diary app that writes workouts has a different review case from an analytics app that reads historical health data.

02

Ask after explaining the health benefit

  • Show the user why the specific data type improves the feature.
  • Do not request every possible type during first launch.
  • Handle partial authorization when the user grants some types but not others.
  • Avoid claims that the app diagnoses or treats conditions unless separately supported.
  • Keep sample or demo data clearly labeled so it is not confused with real health records.
03

Respect HealthKit privacy boundaries

Health data is highly sensitive. Apple HealthKit privacy guidance emphasizes user control. If any health-derived data leaves the device, the privacy policy and App Store privacy labels should describe purpose, linkage, sharing, and deletion.

AppReviewReady interpretation: do not bury server export in analytics language. A computed readiness score, coaching insight, or risk flag can still be health-derived data.

04

Test partial and denied authorization

  1. Grant all requested types, then deny one critical type and one optional type.
  2. Write sample data and confirm it appears only where expected.
  3. Revoke Health permissions from Settings and return to the app.
  4. Test no Health data, old data, duplicated samples, and multiple devices.
  5. Verify account deletion and data export promises match server behavior.
05

Prepare HealthKit review evidence

Use fictional or seeded data in review. Do not ask a reviewer to connect personal health records or perform a real workout to see the app's behavior.

If the app combines HealthKit data with camera, microphone, location, or AI analysis, review the combined data story. Separate permissions can become a single sensitive profile once the app derives insights from them.

For coaching or recommendations, show the confidence and limits of the result near the output. HealthKit data access does not automatically justify medical advice or emergency guidance.

If data is missing, avoid fabricating trends or readiness scores.

For multi-user devices or shared iPads, verify that health data never crosses app accounts.

Copy-ready frameworkAdapt every bracketed field
HealthKit review matrix:
Data types requested: [types]
Read/share direction: [read, write]
Feature purpose: [why]
Denied behavior: [fallback]
Server upload: [none or fields]
Sample data path: [steps]
Privacy label checked: [date]
Sources

Primary references checked for this guide

Policy statements above are grounded in the linked Apple documentation. Operational recommendations are AppReviewReady's interpretation and should be tested against your app and the current guideline text.

Put it to work

Check HealthKit readiness

Review HealthKit data types, permission states, privacy labels, and sample evidence.

Open the tool