Three days after the announcement of its open source medical research platform ResearchKit, Apple has now released guidelines for application developers to protect users’ privacy, safety and rights. In Section 27 of the App Store Review Guidelines, Apple states that “apps using the HealthKit framework or conducting human subject research for health purposes, such as through the use of ResearchKit, must comply with applicable law for each Territory in which the App is made available.”
The guidelines prohibit actions such as storing users’ health information in iCloud, and require a privacy policy for all apps conducting human subject research, among other rules. Similar guidelines were previously established for apps built on Apple’s HealthKit platform.
Below are the guidelines as outlined for developers:
27.2 Apps that write false or inaccurate data into HealthKit will be rejected
27.3 Apps using the HealthKit framework that store users’ health information in iCloud will be rejected
27.4 Apps may not use or disclose to third parties user data gathered from the HealthKit API or from health-related human subject research for advertising or other use-based data mining purposes other than improving health, or for the purpose of health research
27.5 Apps that share user data acquired via the HealthKit API with third parties without user consent will be rejected
27.6 Apps using the HealthKit framework must indicate integration with the Health app in their marketing text and must clearly identify the HealthKit functionality in the app’s user interface
27.7 Apps using the HealthKit framework or conducting human subject research must provide a privacy policy or they will be rejected
27.8 Apps that provide diagnoses, treatment advice, or control hardware designed to diagnose or treat medical conditions that do not provide written regulatory approval upon request will be rejected
27.9 Apps conducting health-related human subject research must obtain consent from participants or, in the case of minors, their parent or guardian. Such consent must include the (a) nature, purpose, and duration of the research; (b) procedures, risks, and benefits to the participant; (c) information about confidentiality and handling of data (including any sharing with third parties); (d) a point of contact for participant questions; and (e) the withdrawal process