HHS Section 504 Digital Accessibility Rule Is in Effect. What To Do If You’re Not Compliant

What the Rule Requires, in Plain Terms

Section 504 of the Rehabilitation Act of 1973 has prohibited disability discrimination in federally funded programs for over 50 years. What changed in 2024 is that HHS now specifies exactly what “accessible” means for digital services, and has set enforceable deadlines for meeting that standard.

The previous version of HHS’s Part 84 regulation was silent on digital accessibility. It imposed broad nondiscrimination obligations but did not define what accessible meant for websites, mobile apps, or patient-facing digital tools. That gap is now closed.

The 2024 final rule, published in the Federal Register on May 9, 2024, requires that web content and mobile apps made available by HHS-funded organizations conform to the Web Content Accessibility Guidelines (WCAG) 2.1, Level A and Level AA, published by the World Wide Web Consortium (W3C).

This applies to any organization that receives federal financial assistance from HHS, including organizations that receive Medicare or Medicaid reimbursements, HHS grants, or funding through any of the more than 100 programs HHS administers.

Source: HHS Office for Civil Rights, Section 504 Final Rule Fact Sheet (April 30, 2024)

What Changed, What Was Always Required, and What Was Clarified

This distinction matters and is frequently misunderstood, especially by organizations trying to determine how much of this rule is new versus how much they were already expected to be doing.

Section 504 always prohibited disability discrimination. What is new is the specific technical standard recipients must now meet. What is newly enforced is that web and mobile digital services, not just physical spaces, are explicitly subject to Section 504’s nondiscrimination requirements. And what was clarified is that alternative accommodations are not a sufficient substitute for accessible digital content.

That last point is worth stopping on. Before this rule, organizations sometimes argued that a 24/7 staffed phone line or in-person assistance was a reasonable substitute for an inaccessible website. That argument is no longer available.

The rule states explicitly that staffed telephone services do not provide equivalent access to an accessible website, because websites allow people to review more information, more quickly, and with greater privacy than a phone call allows. That is not an interpretation. It is in the rule text itself.

If your organization has been relying on phone lines or staff workarounds to cover digital accessibility gaps, those gaps are now compliance gaps that must be addressed directly.

Source: HHS, New Requirements on the Accessibility of Web Content, Mobile Apps, and Kiosks

Are You Covered? A Quick Check

The rule applies to recipients of federal financial assistance from HHS. HHS administers more than 100 programs through which that assistance flows. If your organization falls into any of the following categories, you should assume the rule applies unless legal counsel advises otherwise:

• Hospitals and health systems
• Physicians’ offices, clinics, and specialty care providers
• Dentists and dental clinics
• Emergency care facilities and urgent care centers
• Health insurers and managed care organizations
• State Medicaid agencies and CHIP programs
• Nursing homes and post-acute care facilities
• Home health agencies
• Telehealth providers operating under HHS-funded programs
• Child welfare agencies and foster care program providers
• Childcare and social service providers receiving HHS grants
• Medical and nursing schools and health-related universities
• Head Start program operators
• Organizations receiving TANF funding

One important clarification: the 15-employee threshold determines your deadline, not whether you are covered. A small practice with 8 employees that accepts Medicaid is subject to this rule. It simply has until May 10, 2027 rather than May 11, 2026. Do not mistake a later deadline for an exemption.

Federal procurement contracts and contracts of insurance or guaranty are not considered federal financial assistance and are not covered by this rule.

Source: 45 C.F.R. § 84.10; HHS Federal Register Final Rule

What WCAG 2.1 Level AA Actually Requires

WCAG 2.1 is built around four core principles: web content must be Perceivable, Operable, Understandable, and Robust. Level AA is the middle tier of conformance, more rigorous than Level A but less demanding than Level AAA. It is the specific standard this rule requires.

For healthcare and human services organizations, the practical requirements include:

Videos must have accurate captions

Patient education videos, telehealth instructions, recorded webinars, and staff training materials visible on public-facing pages all fall under this requirement.

Images must have meaningful alternative text

Medical images, diagrams, charts, and infographics must be described in a way that conveys equivalent information to users who cannot see them.

All functionality must be operable by keyboard alone

Scheduling tools, portal login flows, symptom checkers, appointment reminders, and payment interfaces must work without a mouse.

Forms must have clear, programmatically associated labels

Every input field, from registration forms to consent forms, must be identifiable by assistive technology.

Color cannot be the only way to convey information

Status indicators, alerts, error messages, and required field markers cannot rely on color alone.

Page language must be declared

This allows screen readers to switch to the correct pronunciation engine automatically.

Error messages must be specific and suggest corrections

Generic “something went wrong” messages do not meet the standard.

Contrast ratios between text and background must meet minimum thresholds

Normal text requires a ratio of 4.5:1; large text requires 3:1.

These are not aspirational guidelines. Each is a testable technical criterion with a defined pass/fail condition.

Source: W3C, Web Content Accessibility Guidelines 2.1

The Five Exceptions: And Why They Are Not a Compliance Strategy

The rule includes five narrow categories of content that are exempt from WCAG 2.1 AA conformance. These are legitimate exceptions, but they are frequently misread as broader than they are. None of them are a substitute for a compliance program.

1. Archived web content

Content created before your compliance deadline, retained exclusively for reference or recordkeeping, never updated after archiving, and stored in a clearly identified archive area. If archived content is updated or used to support current public-facing services, the exception does not apply.

2. Preexisting conventional electronic documents

PDFs, Word files, PowerPoint presentations, and spreadsheets that were publicly available before the compliance deadline and are not currently used to apply for, gain access to, or participate in the recipient’s programs or activities. If a pre-2026 PDF is the document a patient uses to apply for services today, it is not exempt.

3. Content posted by a third party

Applies only when the third party is posting independently, not under any contractual, licensing, or other arrangement with the recipient. A public comment on a social media page may qualify. An embedded online payment processor does not.

4. Individualized password-protected documents

Medical records and account-specific files that are password-protected or otherwise secured. Recipients must still ensure that individuals with disabilities can access information from documents that pertain to them, either through accessible formats or effective communication on request.

5. Preexisting social media posts

Posts published before your compliance deadline. All social media content published after your deadline must be accessible.

The rule also includes a “minimal impact” provision for nonconformance that is so limited it would not affect a person with a disability’s ability to use the content in a manner providing substantially equivalent timeliness, privacy, independence, and ease of use. This is a narrow safety valve, not a general compliance buffer.

Undue burden and fundamental alteration defenses also exist in the rule, but the burden of proof falls on the recipient. The decision must be made by the head of the organization after considering all available resources. It cannot be delegated to a vendor, a contractor, or an IT manager.

Where Organizations Are Most Likely to Have Gaps

Whether you are just starting or partway through a remediation effort, gaps tend to appear in the same places. These are the areas to assess first.

Patient portals and EHR-adjacent interfaces

Many electronic health record vendors have separate patient-facing portal products with inconsistent accessibility. The portal is often built on a different platform than the main website, may not have received the same accessibility attention, and may be governed by a vendor contract that predates the rule. The recipient, not the vendor, is responsible for compliance.

Third-party telehealth platforms

If a recipient embeds or contracts a telehealth solution, that platform falls within the rule’s scope. The third-party content exception does not cover technology provided through a contractual arrangement.

PDF-heavy clinical workflows

Forms, consent documents, patient education materials, and benefit applications in PDF format are among the most common sources of WCAG failures. Many of these are regularly updated, which means the preexisting document exception does not apply. Accessibility in PDFs is not automatic when exporting from Word or printing to PDF; it requires deliberate remediation.

Embedded third-party scheduling, billing, and payment tools

Widgets and iframes that pull in third-party functionality inherit the accessibility limitations of that third-party system. If those tools are used to access program services, they are in scope.

Mobile apps developed independently of the main website

Organizations that have invested in website accessibility but not applied the same rigor to their iOS or Android apps have a gap that is easy to miss until it is formally assessed.

Social media content going forward

The rule requires that images on social media posts have alt text, videos have captions, and text-based content is accessible. This is an ongoing operational requirement, not a one-time project. Most organizations do not yet have an accessibility workflow for social content.

Governance and ownership gaps

The rule requires recipients with 15 or more employees to designate a responsible employee to coordinate Section 504 compliance and to adopt grievance procedures. Many organizations have no one formally accountable for digital accessibility. Without clear ownership, remediation work stalls even when intent exists.

What to Do Now: A Prioritized Action Plan

Whether you are starting from scratch or picking up an existing effort, the sequence below applies. The earlier in this list you are, the more urgency you should assign to the steps that follow.

Step 1: Establish scope. Inventory all websites, patient portals, mobile apps, telehealth platforms, and significant third-party digital tools that patients or program participants use to access services. Include tools that are embedded or provided under vendor contracts. You cannot remediate what you have not inventoried.

Step 2: Conduct a baseline assessment. Automated scanning is a starting point, not a conclusion. Automated tools typically detect only 20 to 30 percent of WCAG failures. Combine automated scanning with manual expert testing focused on the highest-impact patient journeys: portal login, appointment scheduling, telehealth access, billing, and benefit applications. Testing against real assistive technologies such as screen readers, keyboard-only navigation, and voice control is essential for an accurate picture.

Step 3: Prioritize remediation by risk and impact. Not every WCAG criterion poses the same risk to access. Focus first on barriers that prevent users from completing critical transactions: logging in, scheduling care, accessing test results, completing required forms, and communicating with providers. A phased remediation approach tied to patient impact is more defensible than a random fix list.

Step 4: Address vendor accountability. Review existing vendor contracts for accessibility representations. For new procurements, require WCAG 2.1 AA conformance as a contract term and ask vendors for their Voluntary Product Accessibility Template (VPAT) or Accessibility Conformance Report (ACR). If a vendor cannot meet the standard, you need to know now, not in 2026.

Step 5: Build ongoing compliance into operations. Accessibility is not a project with an end date. New content, new features, and new vendor tools create new risks. Governance, training, monitoring, and regular re-assessment need to become standard practice before the compliance deadline, not after.

Step 6: Document everything. In the event of a complaint or OCR investigation, documentation of your compliance program, including scope inventory, audit findings, remediation plans, vendor correspondence, and training records, demonstrates good-faith effort and structured progress. Documentation is not bureaucracy. It is your evidence of due diligence.

What Enforcement Looks Like

This rule adopts the enforcement procedures of Title VI of the Civil Rights Act of 1964. That is not a light-touch framework.

HHS OCR can initiate compliance reviews and investigations without waiting for a complaint. It can also respond to complaints filed through its online portal, by phone at (800) 368-1019, or by email at [email protected].

If OCR finds noncompliance, enforcement can escalate through voluntary compliance efforts, administrative proceedings, fund termination proceedings, and referral to the Department of Justice for litigation. The DOJ can then file or intervene in lawsuits, pursue injunctive relief, or seek specific performance.

This is the same enforcement pathway used for race, color, and national origin discrimination under Title VI. It is a well-established process with real consequences, including the loss of federal funding.

The compliance deadlines mark when WCAG 2.1 AA becomes the specific technical benchmark OCR will apply. They do not mark when OCR begins enforcing Section 504. That obligation has been in effect since July 8, 2024.

Source: 45 C.F.R. § 84.98; HHS OCR Complaint Portal

Role-by-Role: Who Needs to Act and How

Chief Compliance Officers and Legal Counsel

Your organization needs a documented compliance posture now. OCR can investigate proactively without a complaint being filed. The May 11, 2026 deadline is the technical benchmark date, not the start of your obligation. Ensure your organization has designated a responsible employee for Section 504 digital accessibility, has adopted grievance procedures, and has a documented remediation plan in place.

Chief Information Officers and Digital Technology Leaders

Full conformance assessment requires manual testing by qualified reviewers and, where possible, testing with users who rely on assistive technologies. Automated scans are not sufficient on their own. Your vendor contracts should include accessibility representations, and your procurement process should require WCAG conformance documentation as a standard deliverable.

Digital and Web Teams

Every piece of web content or mobile app functionality deployed after your compliance deadline must be accessible at publication. Accessibility needs to be embedded in design reviews, development sprints, QA testing, and content publishing workflows. Your team also needs practical guidance on what accessible alt text, captions, and form structure look like in your specific environment.

Operations and Program Managers

If your program uses kiosks (self-service transaction machines), you need a documented procedural alternative for individuals with disabilities who cannot use them. This might mean allowing those individuals to bypass the kiosk and work directly with staff. This is not a technology fix; it is an operational procedure that must be established and maintained before the deadline.

Human Resources and Training

Content authors and communications staff need practical training on how to write descriptive alt text, use captions for video, create accessible PDFs, and structure forms and documents correctly. These are production skills, not policy statements. Training needs to happen before staff are publishing content against the compliance deadline.

How This Relates to ADA Title II

Organizations also subject to the Department of Justice’s updated ADA Title II web accessibility rule, which applies to state and local government entities, will find that both rules point to the same technical standard: WCAG 2.1 Level AA. A single accessibility program built around WCAG 2.1 AA satisfies the technical requirements under both frameworks, which simplifies planning for organizations covered by both.

For private healthcare organizations that are not state or local government entities, the DOJ’s Title II rule does not apply. The HHS Section 504 rule is the governing requirement.

Source: U.S. Department of Justice, Accessibility of Web Information and Services

Who Is Not Materially Impacted

Not every organization needs to act on this rule. These scope boundaries matter.

Organizations that do not receive federal financial assistance from HHS are not subject to this rule. Private companies that do not participate in Medicare, Medicaid, CHIP, HHS grants, or other HHS programs are not covered. They may be subject to other laws, including ADA Title III, which applies to places of public accommodation, but those are separate obligations with separate requirements.

Federal agencies are not recipients of their own financial assistance and are not governed by Part 84. They are subject to Section 508 of the Rehabilitation Act, which has its own technical standards and enforcement framework.

Educational institutions that receive HHS funding, such as medical schools that receive research grants, are covered for the programs and activities supported by that assistance. The rule does not automatically extend to every activity of every department of a large university.

Key Dates at a Glance

• May 9, 2024 — HHS final rule published in the Federal Register
• July 8, 2024 — Rule effective date; general Section 504 obligations apply now
• May 11, 2026 — WCAG 2.1 AA compliance deadline for recipients with 15 or more employees
• July 8, 2026 — Recipients must have at least one accessible examination table and/or weight scale in place (medical equipment requirement)
• May 10, 2027 — WCAG 2.1 AA compliance deadline for recipients with fewer than 15 employees

How TestPros Can Help

TestPros has provided independent testing, assessment, and compliance validation services to federal agencies and regulated industries for decades. Our accessibility practice is built on the same technical rigor we apply to software quality assurance and federal system testing.

For organizations working toward HHS Section 504 WCAG 2.1 AA compliance, whether they are starting their first assessment or validating work already underway, TestPros provides independent conformance assessments that combine automated scanning with expert manual testing and assistive technology validation. We also support organizations in building remediation roadmaps, establishing accessibility governance frameworks, and setting up ongoing monitoring programs.

Independent assessment matters here for a specific reason: organizations need to know their actual conformance status, not an optimistic estimate from the team that built the system being evaluated. If OCR investigates, the documentation that carries weight is the documentation that reflects an objective, third-party view of where you stand.

For more information about TestPros’ accessibility assessment services, contact us today.