Most healthcare organizations don’t find out they have an accessibility problem from an internal review. They find out from a complaint.
That’s one of the harder realities of where Section 504 enforcement stands today. HHS pushed the digital accessibility deadline for smaller covered entities to May 11, 2027, but the underlying obligation has been in effect since 2024 — and OCR has been accepting complaints the entire time. The questions that came up most often during our recent webinar, “Section 504 in Healthcare: Is Your Compliance Plan Defensible?” (hosted by accessiBe and VGM Forbin), reflect what most organizations are actually grappling with: not whether the rule applies, but what defensibility looks like in practice.
Below are six of those questions — answered directly.
Is hitting a high accessibility score enough to stay out of trouble?
No. OCR doesn’t evaluate organizations on whether they hit a particular score on a particular day — websites change constantly, and scores fluctuate with them. What OCR evaluates is whether your organization can demonstrate structured, ongoing, good-faith effort across audits, remediation, monitoring, and governance.
A site at a lower score with documented remediation in progress is in a stronger position than one with a higher score and no program behind it. Defensibility comes from showing a repeatable process that meets Section 504 healthcare requirements, not from chasing a number.
We ran an automated audit and the tool says we’re compliant. What more should we be doing?
Automated audit tools are genuinely useful — they surface a wide range of issues quickly and give organizations a baseline to work from. But no automated scan catches everything that matters under Section 504.
A complete program pairs automated scanning with manual accessibility testing, keyboard navigation reviews, screen reader testing across patient workflows, ongoing remediation, and documentation that demonstrates accessibility effort over time. A clean automated result is a good signal — it isn’t, on its own, a defensible compliance record.
Where do the highest-risk accessibility issues actually sit?
In the patient-facing workflows people have to complete to receive care: appointment scheduling, intake and registration forms, patient portals, prescription access, billing and payment systems, healthcare documentation and accessible PDFs, and communication systems. That’s where complaints and lawsuits tend to originate, because that’s where a barrier actually blocks access to a service.
The 2024 Final Rule also closed a fallback many organizations had relied on for years: offering a phone number as a substitute for an inaccessible digital service no longer satisfies the obligation. The primary digital pathway has to work.
Are we responsible for accessibility on vendor platforms we don’t control?
Yes. Under the 2024 Final Rule, covered entities are responsible for the accessibility of digital services made available through contractual or licensing arrangements — including EHR portals, scheduling tools, and telehealth interfaces. If patients access a service through a third-party platform, you’re responsible for whether that platform is accessible, even when you don’t control the underlying code.
That makes vendor evaluation an active part of compliance: look for transparency around accessibility practices, documentation and reporting capabilities, the ability to track remediation over time, and evidence of continuous improvement rather than a single audit. Section 504 vendor requirements put accountability with your organization — vendor partnerships strengthen your compliance posture, but don’t replace it.
What does a defensible Section 504 program actually include?
Defensibility is built through documentation. When OCR opens a review, the core question is whether your organization can show its work — and that’s a record question, not a memory one. A strong program typically includes a designated employee responsible for accessibility, a documented scope inventory, audit findings on file against WCAG 2.1 Level AA, a remediation plan with named owners and timelines, remediation logs, vendor correspondence, grievance procedures, and ongoing monitoring records.
The thread across all of these is the same: documented, prioritized, continuous effort. OCR’s framework explicitly does not expect perfection by a deadline — it expects a structured Section 504 action plan that demonstrates the obligation is being taken seriously.
What should we do if a complaint or demand letter arrives?
The position you’re in depends almost entirely on what was already in place. Organizations with accessibility documentation, audit records, and remediation logs tend to respond calmly and on a reasonable timeline. Organizations without that record tend to experience immediate disruption — legal, product, marketing, and engineering all coordinating under pressure at the same time.
When a complaint does arrive, the priorities are straightforward: respond promptly and professionally, produce the documentation that already exists, demonstrate ongoing prioritization and governance, and continue remediation work consistently throughout the process. Inaction at this stage — particularly when issues are already known — is what tends to escalate situations.
Where to go from here
Section 504 compliance in healthcare isn’t a one-time project. It’s an ongoing operational practice, and the organizations that handle it well are the ones treating it that way — auditing regularly, documenting their work, distributing ownership across teams, and improving incrementally rather than waiting for a perfect plan.
If you’re evaluating where your organization stands, a useful starting point is an honest review of your highest-traffic patient workflows — scheduling, intake, the portal, billing — and whether each one can be completed independently by someone using a keyboard, a screen reader, or other assistive technology. From there, the path forward gets clearer.