HHS Section 504: Healthcare Digital Accessibility Deadline May 2026 — Complete Compliance Guide

What Is HHS Section 504?

Section 504 of the Rehabilitation Act of 1973 prohibits discrimination based on disability by any program or activity receiving federal financial assistance from the U.S. Department of Health and Human Services (HHS).

On September 9, 2024, HHS published a final rule requiring healthcare entities to ensure their web content and mobile apps are accessible to people with disabilities. The rule applies WCAG 2.1 Level AA as the technical standard and sets a compliance deadline of May 11, 2026.

This is not the same as the DOJ's ADA Title II rule (which covers state/local government websites and has an April 24, 2026 deadline). Section 504 targets healthcare-specific digital experiences — patient portals, appointment scheduling, telehealth, prescription refills, lab results, and even medical kiosks.

Who Must Comply with Section 504?

Any healthcare entity receiving HHS funding must comply. This includes:

• Hospitals and health systems — including emergency departments, outpatient clinics, and specialty centers
• Physician practices and clinics — if they accept Medicare, Medicaid, CHIP, or other HHS programs
• Health insurance companies — member portals, plan selection tools, claims systems
• Pharmacies — prescription refill portals, mail-order systems
• Medical schools and research institutions — if receiving NIH grants or other HHS funding
• Nursing homes and assisted living facilities — resident portals, family communication systems
• Mental health and substance abuse treatment centers
• Home health agencies
• Laboratory and diagnostic centers — patient result portals

If your organization receives any HHS funding — Medicare reimbursements, Medicaid payments, NIH grants, HRSA grants, CDC funding — you're covered. The funding doesn't have to be your primary revenue source.

Section 504 vs. ADA: Key Differences

Many healthcare providers are asking: "How is this different from the ADA?" Here's the breakdown:

Bottom line: If you're a hospital accepting Medicare, you likely need to comply with both Section 504 (HHS) and ADA Title II or III (DOJ). Different agencies, different deadlines, same technical standard (WCAG 2.1 AA).

What Digital Properties Must Be Accessible?

The HHS rule covers all "web content and mobile applications" used by patients and the public. This includes:

1. Patient Portals

• Appointment scheduling and cancellation
• Viewing lab results and medical records
• Prescription refill requests
• Secure messaging with providers
• Bill payment and insurance verification
• Health history forms and intake questionnaires

2. Public-Facing Websites

• Find-a-doctor search tools
• Location and hours information
• Service line descriptions (e.g., cardiology, oncology)
• Health education resources
• Career portals and job applications
• Event registration and community programs

3. Telehealth Platforms

• Video consultation interfaces
• Screen sharing and whiteboard tools
• Chat and messaging features
• Pre-visit check-in forms
• Virtual waiting rooms
• Remote patient monitoring dashboards

4. Mobile Apps

• Native iOS and Android apps for patient access
• Health tracking and symptom checkers
• Medication reminders and adherence tools
• Appointment notification and check-in

5. Medical Kiosks (Unique to Healthcare)

This is where Section 504 goes beyond typical web accessibility. The rule also covers self-service kiosks used in healthcare settings:

• Check-in kiosks — appointment confirmation, insurance verification
• Wayfinding kiosks — hospital directory, room locators
• Pharmacy kiosks — prescription pickup, refill ordering
• Payment kiosks — bill payment, co-pay processing

Kiosks must provide equivalent functionality for users with disabilities — including audio output, tactile controls, screen reader compatibility, and adjustable height or wheelchair accessibility.

Technical Standard: WCAG 2.1 Level AA

HHS adopted the Web Content Accessibility Guidelines (WCAG) 2.1 Level AA as the mandatory standard. This is the same standard used by the DOJ's ADA Title II rule and widely accepted internationally (European Accessibility Act, UK Equality Act, Canadian ACA).

WCAG 2.1 AA includes 50 success criteria across four principles (POUR):

• Perceivable — Information must be presentable to users in ways they can perceive (e.g., alt text for images, captions for videos)
• Operable — Users must be able to operate interface components (e.g., keyboard navigation, sufficient time to complete tasks)
• Understandable — Information and operation must be understandable (e.g., clear labels, consistent navigation)
• Robust — Content must work with assistive technologies (e.g., proper HTML semantics, ARIA attributes)

For a detailed breakdown, see our 10-Step ADA Compliance Guide.

Compliance Exceptions and Extensions

The HHS rule includes two limited exceptions:

1. Small Provider Exception

Healthcare providers with fewer than 15 employees have until May 11, 2028 to comply (a 2-year extension). This applies to small physician practices, solo practitioners, and small clinics.

However, if you're part of a larger health system or accept Medicare/Medicaid, the 2026 deadline likely still applies. Consult legal counsel to determine your classification.

2. Undue Burden or Fundamental Alteration

Covered entities can claim "undue burden" if compliance would impose significant difficulty or expense relative to the entity's resources. However:

• The burden of proof is on the healthcare provider
• "Undue burden" is evaluated on a case-by-case basis
• Financial difficulty alone is rarely sufficient — you must show you've explored all reasonable alternatives
• Even if granted, you must still provide alternative means of access (e.g., phone support, in-person assistance)

Reality check: For most hospitals and health systems, "undue burden" will not apply. Major academic medical centers, multi-hospital systems, and national insurers cannot credibly claim financial hardship for web accessibility.

Enforcement and Penalties

HHS Office for Civil Rights (OCR) enforces Section 504 through:

1. Patient Complaints

Any patient who encounters an inaccessible digital experience can file a complaint with OCR. The process:

• Patient submits complaint to OCR (online, mail, or phone)
• OCR investigates — requests documentation from the healthcare provider
• Provider must demonstrate compliance or propose a remediation plan
• OCR can require voluntary compliance agreements with timelines and milestones

2. Compliance Reviews

OCR can initiate proactive compliance reviews of healthcare entities — even without a patient complaint. These reviews assess whether the provider's digital properties meet WCAG 2.1 AA.

3. Funding Termination

The most severe penalty: termination of HHS funding. If a provider refuses to comply after OCR's investigation and voluntary compliance efforts, HHS can cut off Medicare/Medicaid payments, NIH grants, or other federal funding.

For most hospitals, this would be financially catastrophic. Medicare accounts for 20-40% of hospital revenue. Losing it would force closure.

4. Private Lawsuits?

Section 504 does not create a private right of action for monetary damages. Patients cannot sue for cash settlements like they can under ADA Title III.

However, patients can sue for injunctive relief (court orders requiring compliance) and attorney's fees. So while you won't face $10,000 settlements, you could face expensive litigation and court-ordered remediation.

Current State of Healthcare Accessibility

How ready is the healthcare industry? Not very.

Patient Portal Accessibility (2025 Study)

A 2025 study by the Center for American Progress tested 50 major hospital patient portals for WCAG 2.1 AA compliance:

• 82% failed basic accessibility testing
• Common issues: keyboard navigation failures, missing form labels, insufficient color contrast, inaccessible PDF forms
• Epic MyChart portals scored highest (58% pass rate)
• Smaller hospital custom portals scored lowest (12% pass rate)

Telehealth Platform Gaps

Deque Systems audited 15 popular telehealth platforms in late 2025:

• Only 3 platforms (20%) met WCAG 2.1 AA across all features
• Video controls, screen sharing, and chat interfaces had the most violations
• Platforms optimized for mobile had worse accessibility than desktop versions

Medical Kiosk Challenges

Kiosks present unique challenges:

• Most kiosks are touchscreen-only — no keyboard or audio alternatives
• Fixed height and angle excludes wheelchair users
• No screen reader support on proprietary embedded systems
• Small text and low-contrast interfaces common in older kiosks

Healthcare Law Insights estimates that replacing or retrofitting kiosks will be the single highest accessibility expense for many hospitals — ranging from $5,000 to $25,000 per kiosk depending on the solution.

5-Step Compliance Roadmap (69 Days)

With just over two months until the May 11 deadline, here's a prioritized action plan:

Step 1: Inventory Your Digital Properties (Week 1)

Create a complete list of all patient-facing and public-facing digital touchpoints:

• Patient portal (Epic MyChart, Cerner HealtheLife, custom build?)
• Main hospital/clinic website
• Telehealth platform (Zoom, Doxy.me, proprietary?)
• Mobile apps (iOS, Android)
• Kiosks (check-in, wayfinding, pharmacy, payment)
• Third-party integrations (appointment scheduling, bill payment)

Assign ownership for each property. Who's responsible for fixing it? IT? Marketing? Vendor?

Step 2: Baseline Accessibility Audit (Week 2)

Test your top-priority properties against WCAG 2.1 AA:

• Automated scanning — Tools like our Free Scanner, axe DevTools, WAVE can catch 30-40% of issues (missing alt text, color contrast, HTML validation)
• Manual testing — Keyboard navigation, screen reader testing (NVDA, JAWS, VoiceOver), form usability
• Real user testing — If possible, recruit patients with disabilities to test key workflows (booking appointments, viewing lab results)

Prioritize the 10 most common patient tasks:

1. Schedule an appointment
2. View lab results
3. Request prescription refill
4. Message provider
5. Pay a bill
6. Update personal information
7. Find a doctor
8. Access telehealth visit
9. Complete intake forms
10. Check in at kiosk

If these 10 workflows are accessible, you've addressed the majority of patient needs.

Step 3: Engage Your Vendors (Week 3)

If you use third-party platforms (Epic, Cerner, Zoom, etc.), contact them immediately:

• Request VPAT (Voluntary Product Accessibility Template) — vendor's documented WCAG conformance
• Ask about remediation plans — Are they releasing accessibility updates before May 11?
• Review contracts — Does your SLA include accessibility guarantees? Who's liable if the vendor doesn't comply?

For custom-built platforms, allocate budget for developer remediation work. Expect 40-120 hours of development time per major platform depending on current state.

Step 4: Fix High-Impact Issues (Weeks 4-8)

Focus on the issues that affect the most patients:

• Keyboard navigation — Ensure all interactive elements (buttons, forms, dropdowns) work without a mouse
• Form labels — Every input field needs a clear, programmatically associated label
• Color contrast — Text and UI elements must meet 4.5:1 ratio for normal text, 3:1 for large text
• Alt text — All informational images need descriptive alt attributes
• Headings hierarchy — Use H1, H2, H3 properly to structure content for screen readers
• Skip links — "Skip to main content" link at top of every page
• Accessible PDFs — Lab results, billing statements, consent forms must be tagged and readable

For kiosks, explore:

• Software updates from kiosk vendor for screen reader support
• Audio output jacks for headphones (private audio navigation)
• Tactile keypad overlays for touchscreen interfaces
• Adjustable-height kiosks or companion tablet stations at wheelchair-accessible height
• Staff-assisted alternative — Train front desk staff to complete kiosk tasks for patients who need assistance

Step 5: Document Compliance Efforts (Weeks 9-10)

Even if you're not 100% compliant by May 11, document what you've done:

• Accessibility audit reports (before/after)
• Remediation plans with timelines
• Staff training records (who was trained on accessibility?)
• Vendor VPATs and compliance letters
• Budget allocation for ongoing accessibility work

If OCR investigates, demonstrating good-faith effort and a credible plan goes a long way. They're more interested in forward progress than punitive action.

Long-Term Accessibility Strategy

May 11, 2026 is not the finish line — it's the starting line. Healthcare accessibility is an ongoing responsibility.

Build an Accessibility Program

• Appoint an accessibility coordinator — Someone (ideally full-time) responsible for organization-wide compliance
• Create a governance committee — Representatives from IT, legal, patient experience, marketing, and clinical leadership
• Establish policies — Procurement standards (all new software must include VPAT), development standards (accessibility requirements in RFPs), content standards (accessibility checklist for all web updates)

Train Your Team

• Developers — WCAG 2.1 training, accessible coding practices, testing tools
• Content creators — Writing alt text, creating accessible PDFs, captioning videos
• Designers — Color contrast, focus indicators, touch target sizes
• Front desk staff — Assisting patients with kiosks, providing alternative access methods

Monitor and Test Continuously

• Automated monitoring — Scan your patient portal and website weekly for regressions
• Manual audits — Quarterly comprehensive WCAG 2.1 audits of critical workflows
• User feedback — Create a clear channel for patients to report accessibility issues

Cost Estimates

What will compliance cost? It varies widely based on your digital footprint and current state:

Small Practice (<15 employees)

• Website remediation: $2,000–$8,000 (developer hours or accessibility overlay subscription)
• Patient portal: Often managed by vendor (Epic, athenahealth) — verify vendor compliance, minimal cost
• Total: $2,000–$10,000 one-time + $500–$2,000/year ongoing

Mid-Size Hospital or Clinic (1-3 locations)

• Website: $10,000–$30,000 (comprehensive audit + remediation)
• Patient portal: $5,000–$20,000 (custom fixes if not vendor-managed)
• Kiosks: $15,000–$75,000 (3-5 kiosks × $5K-$15K each for retrofitting)
• Telehealth: $5,000–$15,000 (vendor upgrades or custom fixes)
• Total: $35,000–$140,000 one-time + $10,000–$25,000/year

Large Health System (10+ locations)

• Website and patient portal: $100,000–$300,000 (enterprise-scale audit, dev work, testing)
• Kiosks: $200,000–$500,000 (40-100 kiosks across facilities)
• Mobile apps: $50,000–$150,000 (iOS + Android remediation)
• Telehealth: $25,000–$100,000 (custom integrations, vendor upgrades)
• Training and governance: $50,000–$100,000 (staff training, program setup)
• Total: $425,000–$1,150,000 one-time + $100,000–$250,000/year

Compare these costs to the alternative: losing Medicare funding or facing repeated OCR complaints. For most hospitals, accessibility is a cost of doing business — not optional.

Common Mistakes to Avoid

1. Installing an Accessibility Overlay Widget

Overlay widgets (accessiBe, AudioEye, UserWay) do not provide Section 504 compliance. They add a JavaScript toolbar that claims to "fix" accessibility, but:

• They don't address underlying code issues
• Screen reader users often find them disruptive or broken
• The FTC fined accessiBe $1 million for false advertising about compliance guarantees
• OCR will evaluate the actual experience for users with disabilities — not marketing claims

Bottom line: Fix the code. Don't rely on overlays.

2. Ignoring Third-Party Content

If you embed third-party tools (appointment schedulers, payment gateways, chatbots), you're still responsible for their accessibility. Just because it's a vendor's code doesn't shield you from OCR enforcement.

Solution: Include accessibility requirements in all vendor contracts. Request VPATs before signing.

3. Treating PDFs as an Afterthought

Many hospitals distribute critical information via PDF: lab results, consent forms, billing statements, treatment instructions. Untagged PDFs are completely inaccessible to screen reader users.

See our PDF Accessibility Guide for step-by-step remediation.

4. Assuming Mobile Apps Are Exempt

The HHS rule explicitly covers mobile apps. If your hospital has a patient portal app, it must meet WCAG 2.1 AA just like the website version.

iOS and Android have built-in accessibility APIs (VoiceOver, TalkBack, Switch Control). Use them.

Resources

• HHS Section 504 Final Rule (Official Text)
• OCR Disability Rights Portal
• WCAG 2.1 Quick Reference
• How to Make Your Website ADA Compliant (10-Step Guide)
• ADA Title II April 2026 Deadline (for public hospitals and state university medical centers)
• Free Website Accessibility Scanner — Test your patient portal and website in 60 seconds

Frequently Asked Questions

Do private physician practices have to comply?

Yes, if you accept Medicare, Medicaid, CHIP, or any other HHS funding. The exception: practices with fewer than 15 employees have until May 11, 2028. If you're part of a larger health system or hospital-affiliated, the 2026 deadline applies.

Does Section 504 apply to telehealth platforms?

Yes. Telehealth platforms — including video interfaces, chat features, pre-visit forms, and virtual waiting rooms — must be accessible. This includes both proprietary platforms and third-party tools like Zoom or Doxy.me.

What about mobile apps?

Yes. The HHS rule explicitly covers mobile applications. If your hospital or health system offers a patient portal app (iOS or Android), it must meet WCAG 2.1 AA.

Are medical kiosks covered?

Yes. Check-in kiosks, wayfinding kiosks, pharmacy kiosks, and payment kiosks must provide accessible alternatives — including audio output, keyboard/tactile input, and wheelchair-accessible positioning. This is unique to the healthcare sector.

Can I use an accessibility overlay to comply?

No. Overlay widgets (accessiBe, AudioEye, UserWay) do not provide compliance. They often introduce new barriers for screen reader users. OCR will evaluate the actual user experience, not vendor marketing claims. Fix the underlying code.

What if my vendor (Epic, Cerner) isn't compliant?

You're still responsible. Request a VPAT (Voluntary Product Accessibility Template) from your vendor. If they're not compliant, ask for a remediation plan with timelines. If they refuse, you may need to budget for custom fixes or switch vendors. Review your contract for accessibility guarantees.

What happens if I'm not compliant by May 11, 2026?

HHS OCR can initiate a compliance review or investigate patient complaints. Enforcement options include voluntary compliance agreements (with deadlines and milestones) or, in severe cases, termination of HHS funding (Medicare/Medicaid payments). Demonstrate good-faith effort and a credible remediation plan to avoid penalties.

Is this the same as the DOJ ADA Title II rule?

No. They're separate rules with different deadlines and covered entities. HHS Section 504 applies to healthcare providers receiving HHS funding (May 11, 2026 deadline). DOJ ADA Title II applies to state/local government websites (April 24, 2026 deadline). Many public hospitals must comply with both.