From exposure to compliance: a Section 504 action plan for healthcare organizations

accessiBe Team

In short:

Section 504 requires HHS-funded healthcare organizations to ensure their digital services conform to WCAG 2.1 Level AA — the internationally recognized technical standard for digital accessibility — by May 11, 2026 for organizations with 15 or more employees, and May 11, 2027 for smaller organizations. Compliance is not about achieving perfection by a deadline. It is about building a structured, documented program that demonstrates good-faith progress to the HHS Office for Civil Rights.


In May 2024, HHS finalized the first digital-specific update to Section 504 in nearly 50 years. For HHS-funded healthcare organizations, the rule sets a clear technical standard — WCAG 2.1 Level AA — and a defined deadline to meet it. What it doesn't provide is a roadmap for getting there.

This action plan fills that gap. It lays out a six-phase program — from confirming your obligations through building a sustainable compliance practice — giving your organization a practical path from exposure to defensibility.

It’s important to remember that the HHS Office for Civil Rights (OCR) does not expect perfection by the deadline. What OCR expects — and what protects organizations in an enforcement scenario — is structured, documented, good-faith progress. The goal is not a finished state. The goal is a program.

Step 1: Confirm your coverage and set your deadline 

Before building a compliance program, confirm that Section 504 applies to your organization and identify which deadline applies to you.

Confirm coverage

Section 504 applies to any organization that receives federal financial assistance from HHS. In healthcare, this includes hospitals, health systems, FQHCs, behavioral health providers, home health agencies, telehealth platforms, assisted living facilities, and physician practices that accept Medicare or Medicaid payments. If your organization receives HHS funding — directly or through program participation — Section 504 applies.

Identify your deadline

The 2024 Final Rule establishes two compliance dates for the WCAG 2.1 Level AA technical standard:

  • May 11, 2026 — for organizations with 15 or more employees
  • May 11, 2027 — for organizations with fewer than 15 employees

A graphic titled "2026 / 2027 digital accessibility deadlines under Section 504" showing two side-by-side deadline cards. Left card: May 11, 2026 – for organizations with 15 or more employees. Right card: May 11, 2027 – for organizations with fewer than 15 employees. A note at the bottom reads: WCAG 2.1 Level AA standard required for healthcare organizations.

Step 2: Inventory and assess

You cannot manage what you haven't mapped. The first step in building a defensible compliance program is understanding exactly which digital properties are in scope — and where you currently stand against WCAG 2.1 Level AA.

Map every patient-facing digital property

Create a comprehensive inventory of all digital systems patients interact with as part of receiving care or services from your organization:

  • Your public-facing website
  • Patient portals — including EHR-connected interfaces like MyChart
  • Online scheduling tools
  • Telehealth platforms
  • Bill pay portals
  • Digital intake and consent forms
  • Mobile applications
  • Kiosks
  • Patient-facing documents and PDFs

Include third-party vendor platforms

Under Section 504, you are responsible for the accessibility of digital services made available through contractual or licensing arrangements. Every vendor platform patients interact with belongs in your inventory.

Prioritize by patient impact

Not all digital properties carry equal risk. Prioritize based on how central each system is to patient access — the pathways patients must use to schedule care, access records, complete intake, or manage billing represent your highest-priority remediation targets.

Conduct a WCAG 2.1 AA baseline audit

Commission an accessibility audit of your highest-priority patient-facing systems. A complete audit combines automated scanning with manual testing using assistive technologies — including screen readers and keyboard-only navigation. Document all findings. The audit record is the foundation of your compliance program.

Step 3: Establish governance and ownership 

A compliance program without designated ownership is not a program — it is a set of intentions. Step 3 establishes the organizational structure that Section 504 requires and that OCR will look for in an investigation.

Designate a responsible employee

For organizations with 15 or more employees, this is a rule requirement. Name a specific individual responsible for overseeing the organization's Section 504 compliance — including digital accessibility. This person does not need to be an accessibility specialist, but they need to exist, be identifiable, and have a documented role.

Establish grievance procedures

Also required for organizations with 15 or more employees. Grievance procedures must provide patients and staff with a clear, documented process for reporting digital accessibility barriers and receiving a timely response.

Assign cross-functional ownership

Digital accessibility in healthcare spans multiple teams. Each function has a role:

  • IT and digital teams — responsible for website, portal, and application accessibility
  • Compliance — responsible for documentation, audit oversight, and OCR readiness
  • Procurement — responsible for vendor accessibility requirements and contract language
  • Clinical and operations — responsible for patient-facing document accessibility and workflow-level access

Establish a single coordination point across all functions. When ownership is fragmented, gaps persist.

Step 4: Address vendor accountability 

For most healthcare organizations, a significant portion of digital accessibility risk sits inside systems controlled by third-party vendors. Step 4 addresses that risk directly.

Audit your current vendor stack

Review every third-party platform your organization provides to patients. For each one, assess:

  • Does a current Accessibility Conformance Report (ACR) exist for the version you are using?
  • Does the ACR reflect independent testing, or vendor self-assessment?
  • Does your current contract include WCAG 2.1 AA conformance requirements?
  • Does the vendor have a documented remediation roadmap for known gaps?

Request VPATs and ACRs from all patient-facing vendors

A VPAT — Voluntary Product Accessibility Template — is the standardized form vendors use to document their product's accessibility. Once completed, it becomes an ACR. Treat these documents as a starting point for verification, not proof of compliance.

Add conformance language to all new contracts and renewals

Every new vendor agreement and every contract renewal is an opportunity to close the contractual gap. New agreements should include explicit WCAG 2.1 AA conformance requirements, vendor-paid remediation for accessibility defects, and regression protection for future updates.

Engage vendors with known gaps now

If a vendor acknowledges accessibility limitations, get that acknowledgment and their remediation roadmap in writing. Documentation of the vendor's commitment — even where gaps remain — is part of your defensible compliance record.

For detailed guidance on vendor contract language and VPAT review, see the Section 504 vendor procurement checklist.

A graphic titled "VPAT vs. ACR: what's the difference?" showing two side-by-side definition cards. Left card – VPAT (Voluntary Product Accessibility Template): A blank standardized form listing every WCAG 2.1 AA criterion. The vendor fills it out. Right card – ACR (Accessibility Conformance Report): The completed VPAT. Required in procurement — but a disclosure, not proof of compliance. A note at the bottom reads: Always verify ACR claims through independent testing — don't rely on vendor self-reporting alone.

Step 5: Remediate

With an inventory completed, an audit conducted, and vendor accountability established, Step 5 focuses on fixing what the audit found — sequenced by patient impact.

Prioritize by patient impact

The HHS Office for Civil Rights focuses enforcement on where barriers block patients from completing required processes — not simply where technical errors are easiest to find. Sequence your remediation accordingly:

  • Start with the digital pathways patients must complete to access care — scheduling, portal login, intake, bill payment, telehealth access
  • Address high-traffic, time-sensitive patient-facing content before lower-priority or archived material
  • Fix barriers in vendor platforms patients rely on before addressing lower-risk administrative tools

Integrate accessibility into development and content workflows

Remediation is not a one-time project. For it to be sustainable, accessibility review needs to be embedded into the processes that produce digital content and code:

  • Accessibility checks as part of the content publishing workflow
  • Accessibility testing as part of the software development and QA cycle
  • Accessible document standards for any patient-facing materials produced by clinical or administrative teams

Track and document remediation progress

Every fix applied should be logged — what was found, what was done, and when. This remediation log is a critical component of your compliance documentation and is exactly what OCR will request in an investigation.

Step 6: Build an ongoing program 

Section 504 compliance is not a one-time project. Digital environments change constantly — new content, new features, new vendor releases, new patient-facing workflows. Accessibility achieved today can be eroded by tomorrow's update.

Establish ongoing monitoring

Implement automated monitoring of your public-facing web environments to catch new accessibility issues as content changes. Automated tools provide continuous coverage that manual auditing alone cannot sustain.

Schedule regular re-testing

Plan periodic manual audits — at minimum annually, or whenever significant changes are made to patient-facing systems. This ensures that automated monitoring is complemented by human judgment for issues that automated tools cannot catch.

Maintain vendor accountability over time

Request updated ACRs from vendors annually or at major platform releases. Track open accessibility issues and their resolution timelines. Include accessibility reviews in contract renewal assessments.

Keep training current staff

Ensure that the people responsible for creating content, managing vendors, and procuring technology understand their accessibility obligations — and that this understanding is refreshed as your team changes and evolves.

Continue documenting

Ongoing compliance requires ongoing documentation. Maintain your remediation log, update your accessibility statement, and keep records of vendor correspondence and governance decisions as the program matures.

accessiBe has your back — every step of the way 

Building a defensible Section 504 compliance program across a complex healthcare digital environment requires the right tools and expertise at every stage — not just at the finish line.

Combining the best in AI automation, human expertise, and developer tools, accessiBe's end-to-end accessibility platform supports healthcare organizations throughout the entire compliance journey:

AI-powered remediation

As your digital environment evolves with new content, new features, and vendor updates, automated monitoring and remediation provides continuous coverage across your public-facing web properties, delivering screen reader compatibility and keyboard-only navigation support for patients who rely on assistive technologies.

Source code accessibility

When your technical teams are identifying and fixing accessibility issues at the code level — implementation gaps, heading structure failures, unlabeled form fields — developer-level tooling tracks every issue and every fix over time, building the documented remediation history that demonstrates structured progress to OCR.

Expert audits and VPAT documentation 

When you need to understand where your organization actually stands, verify what your vendors are claiming, or produce the compliance documentation that OCR expects to see, our professional services team conducts independent manual testing against WCAG 2.1 AA and produces the Accessibility Conformance Reports that form the foundation of a defensible compliance record.

If your organization is preparing for the May 2026 deadline, our Section 504 specialists can review your current approach and help identify practical next steps.


Frequently asked questions about creating a practical plan for Section 504 compliance

Q1. What is Section 504 and how does it apply to healthcare organizations?
A1. Section 504 of the Rehabilitation Act prohibits disability discrimination in any program or activity that receives federal financial assistance from HHS. For healthcare organizations, this includes hospitals, health systems, FQHCs, behavioral health providers, home health agencies, telehealth platforms, and physician practices that accept Medicare or Medicaid payments. The 2024 Final Rule extended this obligation explicitly to digital services — websites, mobile applications, patient portals, and third-party vendor platforms — requiring conformance to WCAG 2.1 Level AA.

Q2. What does WCAG 2.1 Level AA conformance require?
A2. WCAG — the Web Content Accessibility Guidelines — is the internationally recognized framework for digital accessibility, developed by the World Wide Web Consortium (W3C). Level AA is the mid-tier conformance level required by most accessibility regulations worldwide and what Section 504 now mandates. In practical terms, it means ensuring sufficient color contrast, keyboard-navigable interfaces, screen reader compatibility, properly labeled form fields, accessible document structure, and support for assistive technologies across all patient-facing digital environments.

Q3. What are the Section 504 digital accessibility compliance deadlines?
A3. The 2024 Final Rule establishes two deadlines for WCAG 2.1 Level AA technical conformance: May 11, 2026 for organizations with 15 or more employees, and May 11, 2027 for organizations with fewer than 15 employees. Both deadlines apply to web content and mobile applications used to deliver programs and services to patients and the public.

Q4. What does defensible Section 504 compliance look like?
A4. The HHS Office for Civil Rights does not expect perfection by the deadline. A defensible compliance position is built on structured, documented, good-faith progress — a designated responsible employee, established grievance procedures, a scope inventory of patient-facing digital properties, audit findings on file, a remediation plan with owners and timelines, vendor correspondence demonstrating active oversight, and a running log of remediation activity. Organizations that can produce this documentation are in a fundamentally stronger position than those who cannot.

Q5. Which third-party vendor platforms fall within Section 504 scope?
A5. Under 45 C.F.R. § 84.84(a), covered entities are responsible for the accessibility of digital services made available through contractual, licensing, or other arrangements. This includes EHR patient portals, telehealth platforms, online scheduling tools, bill pay systems, digital intake forms, and any other platform patients interact with as part of receiving care — regardless of whether the organization controls the underlying code.

Q6. How does Section 504 relate to other federal accessibility laws?
A6. Section 504 applies to HHS-funded organizations and requires WCAG 2.1 Level AA conformance. ADA Title II applies to state and local government entities — including public hospitals and health departments — and also requires WCAG 2.1 Level AA. Organizations subject to both should treat the obligations as parallel and reinforcing. Section 508 applies to federal agencies and their contractors, currently referencing WCAG 2.0 Level AA. Healthcare organizations contracting directly with federal agencies may be subject to all three frameworks simultaneously.

Q7. What resources are available to help healthcare organizations prepare for Section 504 compliance?
A7. accessiBe has developed a complete set of Section 504 resources for healthcare organizations — covering scope and obligations, enforcement risk, vendor accountability, scan data from healthcare websites, and practical tools for building a compliance program. These include What Section 504 actually requires from healthcare organizations, What happens if you don't comply: Section 504 enforcement in healthcare, Under Section 504, your vendor's accessibility problem is your problem, the Section 504 digital accessibility readiness checklist, and the Section 504 vendor procurement checklist.