HHS Section 504 Digital Accessibility FAQ for Healthcare Providers

Written by UsableNet | Nov 6, 2025 6:30:00 PM

In 2024, the U.S. Department of Health and Human Services (HHS) finalized a major update to its Section 504 regulations. For the first time, HHS has made it explicit that web content and mobile apps used in health and human service programs must be accessible for people with disabilities. 

If your organization receives federal financial assistance from HHS, this rule changes how you plan, build, and maintain your digital experiences. This FAQ is designed to answer the questions healthcare leaders, digital teams, and compliance officers are already asking.

Note: This FAQ is for educational purposes only and does not constitute legal advice. Always consult your legal counsel about how the rule applies to your specific situation.

What is the new HHS Section 504 digital accessibility rule?

HHS’s Office for Civil Rights issued a final rule titled “Discrimination based on Disability in Health and Human Service Programs or Activities.” It updates the regulations implementing Section 504 of the Rehabilitation Act, which prohibits disability discrimination in programs and activities that receive federal financial assistance from HHS. 

A key part of the update clarifies that discrimination includes barriers in web content and mobile applications that prevent people with disabilities from accessing services. The rule sets specific requirements for digital accessibility, anchored in the Web Content Accessibility Guidelines (WCAG) 2.1 Level A and Level AA. 

Which organizations have to comply?

The rule applies to recipients of federal financial assistance from HHS. That category is broad. It includes many:

  • Hospitals and health systems

  • Clinics and specialty care providers

  • Health insurers and managed care organizations

  • State Medicaid agencies

  • Long-term care and post-acute facilities

  • Human and social service agencies that receive HHS funding

  • Telehealth providers and other entities offering HHS-funded health or human services 

If your organization participates in programs like Medicaid, CHIP, Medicare, ACA Marketplaces, or HHS grants, you are likely covered. Your legal or compliance team can confirm your status, but most HHS-funded healthcare providers should assume the rule applies and plan accordingly.

What does the rule require for websites and mobile apps?

Under 45 C.F.R. § 84.84, HHS-funded entities must ensure that the web content and mobile apps they provide or make available—directly or through contracts, licensing, or other arrangements—conform to WCAG 2.1 Level A and Level AA success criteria and conformance requirements. 

In practical terms, this means:

  • Patient-facing websites, portals, and microsites must be accessible.

  • Mobile apps used for tasks such as viewing test results, accessing portals, scheduling appointments, and managing benefits must be accessible.

  • Accessibility applies whether the technology is built in-house or provided by a third-party vendor.

The goal is meaningful access. People with disabilities must be able to use core digital services—such as portals, scheduling, billing, and telehealth—on an equal basis with others, not as an afterthought. 

What are the key compliance deadlines?

The rule took effect on July 8, 2024.

For web content and mobile apps, HHS set two phased compliance deadlines based on organization size:

  • May 11, 2026 – Recipients with 15 or more employees must ensure web content and mobile apps comply with WCAG 2.1 Level A and AA.

  • May 10, 2027 – Recipients with fewer than 15 employees must meet the same WCAG 2.1 requirements.

These dates may look far off, but if your organization maintains multiple websites, portals, and apps (often across different vendors and platforms), planning, auditing, remediation, and training can easily consume that time.

How does this relate to ADA Title II and other laws?

HHS’s Section 504 rule is one piece of a larger regulatory picture:

  • Section 504 (HHS): Applies to entities receiving federal financial assistance from HHS, including many healthcare and human service providers.

  • ADA Title II (DOJ): Applies to state and local governments, including public hospitals, health departments, and public universities.

  • Both the HHS Section 504 rule and the DOJ’s updated ADA Title II web rule point to WCAG 2.1 Level A and AA as the standard for web and mobile accessibility, aligning expectations. 

For many healthcare organizations, this alignment is helpful: it means you can work toward a single technical standard (WCAG 2.1 AA) to address obligations under multiple laws, rather than trying to manage separate digital requirements for Section 504 and the ADA.

What kinds of digital barriers does HHS expect us to address?

HHS’s focus is on removing barriers that prevent people with disabilities from participating in or benefiting from its programs. Examples of common digital issues include:

  • Inaccessible PDFs and forms used for applications, consents, or instructions

  • Images that lack descriptive alt text or labels

  • Videos without captions or, when needed, audio descriptions

  • Navigation that cannot be used with a keyboard alone

  • Error messages, status updates, or alerts that are not announced to screen readers

  • Authentication and login flows based on memory tests, drag-and-drop, or other inaccessible mechanisms 

Telehealth platforms, patient portals, and mobile apps are all in scope. Patients should be able to log in, schedule visits, access telehealth sessions, view results, and pay bills using assistive technologies and alternative input methods. 

Are there any exceptions or flexibility in the rule?

Yes, but they are narrow.

The digital accessibility section of the rule includes:

  • Limited content exceptions, for example:

    • Certain archived web content

    • Some pre-existing electronic documents

    • Limited third-party content not under the recipient’s control

    • Individualized, password-protected documents

    • Pre-existing social media posts 

  • Undue burden and fundamental alteration provisions, where a recipient can show that full conformance would fundamentally alter a program or impose undue financial and administrative burdens.

The rule also allows conforming alternate versions of web content or mobile apps only when it is not possible to make the primary version directly accessible due to technical or legal limitations. Even then, the alternate version must provide equivalent access and be easy to find.

In other words, exceptions exist—but they are not a strategy. HHS expects covered entities to make current, patient-facing digital services accessible wherever feasible.

What counts as “web content and mobile apps” under this rule?

The requirement covers a wide range of digital properties that recipients provide or make available in connection with their programs and activities, including those delivered through third-party vendors.

Examples include:

  • Main public websites and location-specific sites

  • Patient portals and account areas

  • Online scheduling, triage, and symptom-check tools

  • Telehealth platforms and in-browser visit tools

  • Native mobile apps for patients and caregivers

  • Web-based forms, questionnaires, and document upload flows

If patients, caregivers, or members of the public use a site or app to apply for, pay for, or receive services from an HHS-funded program, you should assume it is in scope.

Where should our organization start if we feel behind?

Most HHS-funded organizations follow a similar sequence:

  1. Inventory digital assets
    Create a clear list of the websites, portals, apps, and telehealth tools your patients use—including key third-party tools.

  2. Run a baseline WCAG 2.1 AA audit
    Combine automated scanning with expert manual testing and, where possible, user testing with people who rely on assistive technologies. Focus first on high-impact journeys like portal login, scheduling, billing, and telehealth access.

  3. Prioritize remediation work
    Tackle the systems and flows with the most significant impact on access to care. Break work into sprints or phases, assign owners, and align timelines with the 2026 and 2027 compliance dates.

  4. Embed accessibility into workflows
    Integrate checks into design reviews, development processes, and QA test plans so accessibility is part of how you ship changes, not a separate project.

  5. Establish governance and training
    Define who makes decisions about accessibility, how issues are triaged, and how your accessibility statement and documentation will be maintained. Train content authors, designers, developers, and clinical teams.

A structured approach makes it easier to show regulators and internal stakeholders that you are moving toward compliance in a deliberate, documented way.

How does this affect our vendors and third-party tools?

The rule makes clear that recipients are responsible for the web content and mobile apps they provide or make available, directly or through contractual, licensing, or other arrangements. 

Practically, that means:

  • Accessibility requirements should be part of procurement and contracting with EHR, portal, telehealth, and other digital vendors.

  • You should evaluate key third-party tools during your accessibility audits.

  • If a vendor solution cannot be made accessible in the necessary timeframe, you may need to:

    • Work with the vendor on a remediation plan,

    • Implement an accessible workaround in the short term, or

    • Consider alternatives that better support WCAG 2.1 AA.

Vendor management is now an essential part of your Section 504 digital accessibility strategy.

How can an accessibility partner like UsableNet help?

While this FAQ focuses on the HHS rule itself, many healthcare organizations find they need additional capacity and expertise to meet these expectations.

An experienced accessibility partner can help you:

  • Interpret WCAG 2.1 AA in real workflows such as portals, telehealth, scheduling, and billing.

  • Conduct targeted audits and user testing that prioritize patient journeys.

  • Provide developer-ready remediation guidance and services to reduce the burden on internal teams.

  • Set up monitoring and reporting to track progress and demonstrate ongoing improvements.

The goal is not just to pass an audit, but to build a sustainable digital accessibility program that aligns with Section 504, supports your patients, and fits your team’s reality. 

Disclaimer: The materials in this blog are for educational purposes only and do not constitute legal advice. Organizations should consult their legal counsel for advice on specific situations.