What Section 504 actually requires from healthcare organizations

For many healthcare organizations, Section 504 of the Rehabilitation Act has been a background compliance requirement for decades — broad in principle, vague in practice. The rule said people with disabilities must have equal access to programs and services. What that meant for a website, a patient portal, or a scheduling tool was largely undefined.

That changed in May 2024.

For the first time, HHS issued a final rule that explicitly defines what digital accessibility means under Section 504 — which systems are covered, which technical standard applies, and when compliance is required. 

The rule closes the gap that allowed organizations to treat digital accessibility as a best-effort commitment rather than a legal obligation.

The question now isn't whether Section 504 applies to your digital environment. For most HHS-funded healthcare organizations, it does. The question is which systems are in scope, what the standard requires, and what you need to document before the deadline arrives.

What Section 504 is — and what changed in 2024 

Section 504 of the Rehabilitation Act of 1973 prohibits disability discrimination in any program or activity that receives federal financial assistance. Because nearly all healthcare organizations — from large hospital systems to rural FQHCs — receive some form of HHS funding, Section 504 has long applied to the healthcare sector.

What the 1973 statute did not anticipate was a healthcare system delivered through websites, mobile apps, patient portals, telehealth platforms, and electronic health record interfaces. For decades, organizations operated without any explicit digital standard under Section 504.

On May 9, 2024, HHS published a final rule amending 45 C.F.R. Part 84 — the first substantive update to the Section 504 regulations in nearly 50 years. 

The rule does two things that matter for healthcare organizations:

1. It formally establishes that digital accessibility is part of Section 504 compliance — not optional, not aspirational, but required
2. It sets a specific technical standard that covered web content and mobile applications must meet

What is WCAG 2.1 Level AA?

WCAG — the Web Content Accessibility Guidelines — is the internationally recognized framework for digital accessibility, developed by the World Wide Web Consortium (W3C). The guidelines define measurable criteria across three conformance levels:

• Level A — the most fundamental accessibility requirements, representing the minimum threshold
• Level AA — the standard referenced by most accessibility regulations worldwide, and what Section 504 now requires
• Level AAA — the highest and most demanding level of conformance

WCAG 2.1, which the Section 504 rule adopts, extended the earlier 2.0 standard to better address mobile accessibility, low vision needs, and cognitive disabilities. In practical terms, Level AA conformance means meeting criteria across areas including, but not limited to:

• Sufficient color contrast between text and background
• Keyboard-navigable interfaces — no mouse required
• Screen reader compatibility
• Properly labeled form fields
• Accessible document structure

Does Section 504 apply to your organization?

Section 504 applies to any organization that receives federal financial assistance from HHS. In healthcare, that includes:

• Hospitals and health systems — including those that receive Medicare and Medicaid reimbursements, which HHS treats as federal financial assistance
• Federally Qualified Health Centers (FQHCs) — which receive direct federal grants under Section 330 of the Public Health Service Act
• Behavioral health and substance use disorder providers — including community mental health centers that receive HHS block grant funding
• Home health and home care agencies — that bill Medicare or Medicaid for services
• Telehealth platforms — when the platform is used to deliver services on behalf of a covered healthcare organization, or when the platform itself receives federal funding
• Assisted living and long-term care facilities — that participate in Medicaid waiver programs
• Physician practices and specialty clinics — that accept Medicare or Medicaid payments

The common thread is HHS funding. If your organization receives federal financial assistance from HHS — directly or through program participation — Section 504 applies.

What about smaller organizations? 

Size affects your deadline and certain structural requirements, but it does not determine whether you're covered. Organizations with fewer than 15 employees have a later technical compliance date and are exempt from some governance requirements — but they are still subject to Section 504's non-discrimination obligation. Being small does not mean being exempt.

The two deadlines — and what they mean for your organization

The 2024 Final Rule establishes two compliance dates for the WCAG 2.1 AA technical standard:

• May 11, 2026 — for organizations with 15 or more employees
• May 11, 2027 — for organizations with fewer than 15 employees

A few important clarifications on what these dates mean:

1. The deadlines apply to the WCAG 2.1 AA technical standard, not to the broader non-discrimination obligation. The rule became effective July 8, 2024. From that date forward, organizations are required to comply with Section 504's non-discrimination provisions as updated by the rule — including the requirement that digital services be accessible. The May 2026 and 2027 dates are the deadlines by which the specific WCAG 2.1 AA technical conformance requirement must be met.
2. Smaller organizations are still subject to Section 504. Being below the 15-employee threshold affects your deadline and certain structural requirements — but it does not place you outside Section 504's reach. The designated responsible employee and formal grievance procedure requirements apply only to organizations with 15 or more employees, but the fundamental requirement to provide equal access to digital services applies regardless of size.
3. The deadlines are not the starting line. Organizations that wait until May 2026 to begin remediation will face significantly more risk than those who begin now. OCR has enforcement authority that predates the technical deadline, and demonstrating good-faith structured progress before the deadline is a key element of defensible compliance.

The five narrow exceptions

The final rule includes five categories of content that may be exempt from the WCAG 2.1 AA technical requirement under specific, limited conditions. These are not blanket carve-outs — they apply only when clearly defined criteria are met:

1. Archived web content Content that is maintained solely for reference, research, or recordkeeping purposes — and is not updated after the compliance deadline — may qualify for an exemption. The key conditions: the content must be clearly identified as archived, it must not be used in active programs or services, and it must be stored in a dedicated archive area. Content that is old but still referenced in active workflows or linked from current pages does not qualify.
2. Preexisting conventional electronic documents Word documents, PDFs, spreadsheets, and presentation files that were created before the compliance deadline and are not used to apply for, gain access to, or participate in a covered entity's programs or services may be exempt. The critical word is "used" — if a pre-2026 document is still being provided to patients as part of active care delivery, the exemption does not apply.
3. Content posted by third parties Content posted by a third party that is not controlled by the covered entity may be exempt. This applies narrowly — it does not apply to content your vendor posts on your behalf, or to platforms you provide to patients through a contractual arrangement.
4. Individualized password-protected documents Documents created specifically for a particular patient or individual and shared only with that individual through a password-protected account may be exempt. This is a narrow exception for truly individualized communications, not a broad exemption for patient portal content generally.
5. Preexisting social media posts Social media posts published before the compliance deadline are exempt. New posts published after the deadline are not.

What these exceptions do not cover: A general principle runs through all five exceptions — they do not apply to digital content that patients or program participants rely on to access, participate in, or benefit from your services. When in doubt, the safer assumption is that content is in scope.

What phone workarounds no longer cover 

A common response to accessibility gaps has been to offer a phone number or staff assistance as an alternative access route. 

Under the updated Section 504 rule, this approach is explicitly insufficient as a substitute for accessible digital services.

The rule requires that covered entities ensure their web content and mobile applications are accessible by default — not accessible "upon request" or when a patient asks for help. Providing a staffed phone line as a workaround for an inaccessible patient portal or scheduling tool does not satisfy the digital accessibility requirement.

This matters practically because many healthcare organizations have used the "call us" approach as a compliance fallback for years. 

That fallback no longer works as a defense against an OCR complaint or a private lawsuit. The primary digital pathway must be accessible.

How Section 504 relates to ADA Title II and Section 508 

Healthcare organizations operating in complex regulatory environments often ask how Section 504 intersects with other federal accessibility laws. 

The relationships between these three laws  are worth understanding:

Section 504 and ADA Title II:ADA Title II applies to state and local government entities — including public hospitals, public health departments, and state-funded healthcare programs. Organizations that are both HHS-funded and government-operated may be subject to both Section 504 and Title II simultaneously. Both laws now require WCAG 2.1 Level AA as the technical standard, and the compliance frameworks are largely parallel. Organizations subject to both should treat them as reinforcing obligations, not separate ones.

Section 504 and Section 508:Section 508 of the Rehabilitation Act applies to federal agencies and their contractors. Healthcare organizations that contract directly with federal agencies — such as VA healthcare contractors or federal employee health program providers — may also have Section 508 obligations. Section 508 currently references WCAG 2.0 Level AA as its technical benchmark, an earlier version of the guidelines, though many federal procurement officers now expect WCAG 2.1 as a practical standard.

The most important point: If your organization receives HHS funding — which includes Medicare and Medicaid reimbursements — Section 504 applies. You do not need to be a government entity or a federal contractor for the digital accessibility obligation to apply to you.

What defensible progress looks like 

HHS OCR does not expect every covered organization to achieve perfect WCAG 2.1 AA conformance on May 11, 2026. What OCR expects — and what protects organizations in an investigation — is structured, documented, good-faith progress.

A defensible compliance posture includes:

A designated responsible employee

For organizations with 15 or more employees, the rule requires a named individual responsible for overseeing Section 504 compliance. This person does not need to be an accessibility specialist — but they need to exist, be identifiable, and have a documented role.

Grievance procedures

Also required for organizations with 15 or more employees, grievance procedures must provide a clear process for patients and staff to raise accessibility concerns and receive a timely response.

A documented scope inventory

Organizations that can show they have systematically identified which digital properties are in scope, and how they have prioritized remediation, are in a significantly stronger position than those who have not.

Audit findings on file

A WCAG 2.1 AA audit — even one that reveals significant gaps — demonstrates that the organization has taken a structured look at its digital environment. An audit with gaps is far better than no audit at all.

A remediation plan with owners and timelines

Documented plans that assign ownership and set realistic timelines for fixes demonstrate that accessibility is being treated as a managed program, not a one-time cleanup.

Vendor correspondence

Emails or contract terms showing that you have required WCAG conformance from your third-party vendors, or that you have asked vendors for their VPAT/ACR documentation, are part of the paper trail that demonstrates active oversight.

The common thread across all of these: documentation. OCR investigations focus heavily on whether organizations can demonstrate reasoned, intentional progress — not whether they have achieved perfection.

How accessiBe helps healthcare organizations prepare 

Meeting Section 504's digital accessibility requirements across a complex healthcare environment — websites, patient portals, scheduling tools, documents, third-party platforms — requires a structured, layered approach.

accessiBe’s end-to-end accessibility platform combines AI automation, human expertise, and developer tools to help healthcare organizations build a defensible compliance program:

• Expert audits and VPAT documentation — accessServices provides manual accessibility testing against WCAG 2.1 AA, helping organizations understand their current state and produce the Accessibility Conformance Reports (ACRs) that document it.
• Code-level remediation — accessFlow gives technical teams a single source of truth for identifying and tracking WCAG issues across websites, portals, and digital services
  
• AI-powered accessibility for web environments — accessWidget addresses common accessibility barriers across public-facing web properties at scale

If your organization is preparing for the May 2026 deadline, our Section 504 specialists can review your current approach and help identify practical next steps.

Talk to an expert →

Frequently asked questions about Section 504

Q1. Does Section 504 apply to private hospitals and healthcare organizations?
A1. Yes, if they receive federal financial assistance from HHS. This includes organizations that participate in Medicare or Medicaid, which HHS treats as federal financial assistance. The majority of hospitals, clinics, and healthcare providers in the United States fall within this category.

Q2. What is the technical standard under the 2024 Section 504 Final Rule?
A2. HHS has formally adopted the Web Content Accessibility Guidelines (WCAG) 2.1 Level AA as the technical standard for digital accessibility under Section 504. WCAG is the internationally recognized framework developed by the World Wide Web Consortium (W3C) that defines measurable criteria for accessible web content and applications — covering areas including keyboard navigation, color contrast, screen reader compatibility, and form usability. Level AA is the mid-tier conformance level required by most global accessibility regulations.

Q3. What are the compliance deadlines?
A3. Covered entities with 15 or more employees must ensure their web content and mobile applications conform to WCAG 2.1 Level AA by May 11, 2026. Covered entities with fewer than 15 employees have until May 11, 2027.

Q4. Is our patient portal in scope?
A4. Yes, in nearly all cases. Patient portals are digital tools that patients use to participate in their care — scheduling, accessing records, communicating with providers. Under Section 504, any digital tool that patients rely on as part of a covered entity's programs or services must be accessible. This applies whether the portal is built in-house or provided through a vendor like Epic's MyChart.

Q5. Are we responsible for the accessibility of our EHR vendor's patient-facing interface?
A5. Yes. Under 45 C.F.R. § 84.84(a), covered entities are responsible for the accessibility of digital services made available through contractual or licensing arrangements. If your organization provides a patient-facing interface through your EHR vendor, you are responsible for ensuring it meets the WCAG 2.1 AA standard — even if you do not control the underlying code.

Q6. Can we offer a phone number as an alternative to an inaccessible digital service?
A6. No. The 2024 Final Rule explicitly closes the "staffed phone line" substitute argument. Digital services must be accessible by default. A phone workaround does not satisfy the accessibility requirement for covered web content or mobile applications.

Q7. What if we can't fix everything by May 2026?
A7. OCR's enforcement focus is on structured, documented, good-faith progress — not perfection. Organizations that have conducted audits, documented their remediation priorities, assigned ownership, and required accessibility from vendors are in a significantly stronger position than those with no documented program. Begin documenting your progress now, even if full WCAG 2.1 AA conformance is not yet achieved.

Q8. How does Section 504 differ from ADA Title III for healthcare organizations?
A8. ADA Title III applies to private businesses open to the public, including private healthcare providers, and requires accessible facilities and services — but its digital accessibility application has been developed primarily through litigation rather than a specific final rule with a defined technical standard. Section 504 now provides a more explicit digital framework for HHS-funded organizations, with WCAG 2.1 Level AA as the required standard and a defined compliance timeline. Organizations subject to both should understand that the obligations are parallel and reinforcing.