The process of submitting apps to the Apple App Store can be daunting. Many developers have the first version of their iOS apps rejected due to improper procedures and packaging. Both Apple and Google have certain requirements that must be followed when publishing apps, with more stringent guidelines being placed on healthcare apps. You can learn more about Google Play Store requirements for health apps in our other post. Due to safety and security concerns, Apple recently updated their App Store policies and added additional requirements for digital health apps. So, when developing for iOS, what are the requirements for submitting health apps to the App Store?
Developer Program Overview
Apple Developer Program Cost:
$99 per year (Individuals & Basic Organizations) and $299 per year (Enterprise)
Apple provides several types of developer memberships.
- Individuals: Developers who will sell apps under their personal name.
- Organizations: Organizations who will sell apps using their legal entity name.
- Enterprise: Organizations distributing apps to their own employees.
Apple Developer Program Enrollment Time:
For an individual enrollment in the Apple Developer Program, you can expect an email activation link within 24 to 48 hours, sometimes even within the same hour.
Organization enrollment may take longer, since Apple may review your legal entity status and other information. Apple also states that you can switch from an individual account to an organization account by contacting them and sending any needed information.
Time for App Approval:
Apple claims that on average, 50% of iOS apps are reviewed in 24 hours and over 90% are reviewed in 48 hours. You may want to submit your app earlier than anticipated, in case your app is rejected and you need to make changes.
You can also request an expedited review of your app if the release contains an “urgent bug fix” or conflicts with a “time-sensitive event”. You can read more about Apple’s app review process here.
Apple App Store Requirements
All iOS apps that are listed on the App Store are required to follow the App Store Review Guidelines & the Apple Developer Program License Agreement. Apple provides very detailed guidelines for publishing apps, so it is best to take time to read through the documentation. Here are the essential guidelines for health apps.
HTTPS Is Required:
Starting January 1, 2017, Apple will require all apps in the App Store to have implemented App Transport Security (ATS), which forces the app's network connections to use HTTPS (TLS). You can learn more about implementation in Apple’s ATS documentation.
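As an added example (not code from the original post or from Apple), here is a Python check using the standard library's plistlib that flags the Info.plist settings which weaken ATS, so a build can be caught before submission; the two plist samples and the domain api.example-health.test are constructed.

```python
import plistlib

# ATS keys that disable enforcement for every connection, not just one domain.
GLOBAL_BYPASS_KEYS = (
    "NSAllowsArbitraryLoads",
    "NSAllowsArbitraryLoadsInWebContent",
    "NSAllowsArbitraryLoadsForMedia",
)

def ats_findings(info_plist: bytes) -> list[str]:
    """List settings that weaken ATS; empty means the defaults (HTTPS, TLS 1.2+) apply."""
    ats = plistlib.loads(info_plist).get("NSAppTransportSecurity", {})
    findings = []
    for key in GLOBAL_BYPASS_KEYS:
        if ats.get(key):
            findings.append(f"{key} is true: ATS bypassed globally")
    # Per-domain exceptions can re-enable plaintext HTTP or old TLS for one host.
    for domain, rules in ats.get("NSExceptionDomains", {}).items():
        if rules.get("NSExceptionAllowsInsecureHTTPLoads"):
            findings.append(f"{domain}: plaintext HTTP permitted")
        if rules.get("NSExceptionMinimumTLSVersion") in ("TLSv1.0", "TLSv1.1"):
            findings.append(f"{domain}: TLS below 1.2 permitted")
        if rules.get("NSExceptionRequiresForwardSecrecy") is False:
            findings.append(f"{domain}: forward secrecy not required")
    return findings

# Constructed sample (not from any real app): a global bypass plus a per-domain
# exception that allows HTTP and TLS 1.0; the domain name is made up.
WEAK_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>NSAppTransportSecurity</key><dict>
    <key>NSAllowsArbitraryLoads</key><true/>
    <key>NSExceptionDomains</key><dict>
      <key>api.example-health.test</key><dict>
        <key>NSExceptionAllowsInsecureHTTPLoads</key><true/>
        <key>NSExceptionMinimumTLSVersion</key><string>TLSv1.0</string>
      </dict>
    </dict>
  </dict>
</dict></plist>"""

# Constructed sample: no NSAppTransportSecurity override, so ATS defaults apply.
STRICT_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>CFBundleIdentifier</key><string>com.example.healthapp</string>
</dict></plist>"""

if __name__ == "__main__":
    for name, plist in (("weak", WEAK_PLIST), ("strict", STRICT_PLIST)):
        print(name, ats_findings(plist) or ["ATS defaults in effect"])
```

Run it against the Info.plist of each build in CI and fail the build when the list is non-empty.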
Push Notifications Should Not Contain Sensitive/Confidential Info:
Avoid using protected health information (PHI) identifiers, and keep notifications useful and non-descriptive. This is a basic rule for health apps and maintaining HIPAA compliance. It is also listed in the review guidelines.
4.5.4 Push Notifications must not be required for the app to function, and should not be used for advertising, promotions, or direct marketing purposes or to send sensitive personal or confidential information.
Apple expands this requirement to all apps that handle personal data, in their “Data Use and Sharing” section:
5.1.2 (i) Apps cannot use or transmit someone’s personal data without first obtaining their permission and providing access to information about how and where the data will be used.
Health Specific Guidelines
Recent additions to the app store guidelines, specifically the Safety Section and the Health and Health Research Section lay out greater requirements for health apps.
Medical Apps That Could Provide Inaccurate Data or Be Used For Diagnosis Are Under Greater Scrutiny:
If your app is going to be used like a medical device, Apple will perform a stricter app review.
If you have received FDA or other regulatory clearance for your app and/or connected device, share this information with your app submission.
1.4.1 Medical apps that could provide inaccurate data or information, or that could be used for diagnosing or treating patients may be reviewed with greater scrutiny. If your medical app has received regulatory clearance, please submit a link to that documentation with your app.
Only Certain Entities Can Publish Drug Dosage Calculators:
Apple wants drug dosage apps to be accurate, regularly updated and maintained. Therefore, only specific organizations are allowed to publish these apps.
1.4.2 Drug dosage calculators must come from the drug manufacturer, a hospital, university, health insurance company, or other approved entity, or receive approval by the FDA or one of its international counterparts.
Health, fitness, medical research, and HealthKit data cannot be used for advertising or other data-mining purposes:
Apple explicitly states that health apps cannot use health and fitness data for purposes other than improving health management and health research.
5.1.3 (i) Apps may not use or disclose to third parties data gathered in the health, fitness, and medical research context—including from the HealthKit API, Motion and Fitness, or health-related human subject research—for advertising or other use-based data mining purposes other than improving health management, or for the purpose of health research, and then only with permission.
You Cannot Write Inaccurate Data Into HealthKit & You Cannot Store Personal Health Information In iCloud:
You may not write spoofed or inaccurate data into HealthKit that could mislead users. For security and compliance reasons, Apple does not allow developers to store personal health data in iCloud.
5.1.3 (ii) Apps must not write false or inaccurate data into HealthKit or any other medical research or health management apps, and may not store personal health information in iCloud.
Additional Requirements For Research-Based/ResearchKit Apps
You must get consent for health-related human subject research:
- For minors, you must obtain consent from a parent or guardian.
- You must share the nature, purpose, and duration of the research.
- You must share the procedures, risks, and benefits to the participant/user.
- You must share information about confidentiality and handling of data (including any sharing with third parties).
- You must provide a point of contact for participant questions.
- You must provide a point of contact and information about the withdrawal process.
5.1.3 (iii) Apps conducting health-related human subject research must obtain consent from participants or, in the case of minors, their parent or guardian. Such consent must include the (a) nature, purpose, and duration of the research; (b) procedures, risks, and benefits to the participant; (c) information about confidentiality and handling of data (including any sharing with third parties); (d) a point of contact for participant questions; and (e) the withdrawal process.
Research Apps Require Ethics Review Board Approval:
Medical research apps must go through ethics board review; this includes all apps made using Apple ResearchKit. Proof is required on request.
5.1.3 (iv) Apps conducting health-related human subject research must secure approval from an independent ethics review board. Proof of such approval must be provided upon request.
There are many nuances to navigate when submitting health-tech apps to the app stores. Data security and user safety are key when building health apps and should be thoroughly reviewed regardless of submission guidelines. Apple has a complex process for app submission and review. With some planning and common sense, App Store submission can be a less painful process.