Health Insurers and Managed Care Organizations: HHS 45 CFR Part 84 Digital Accessibility Compliance Guide

This guide is part of our series on HHS 45 CFR Part 84 digital accessibility compliance. It is written for health insurance companies, Medicare Advantage plans, Medicaid managed care organizations (MCOs), and other payers that receive federal financial assistance from HHS.

Are Health Insurers Covered by the HHS Section 504 Rule?

Yes. Health insurers and managed care organizations that participate in Medicare Advantage, Medicare Part D, or Medicaid managed care contracts receive federal financial assistance from HHS and are covered by the 45 CFR Part 84 final rule. This applies whether the insurer is a national carrier, a regional nonprofit, or a Medicaid-specific MCO.

The compliance deadline for organizations with 15 or more employees is May 11, 2027, following the one-year extension announced by HHS OCR on May 7, 2026. The original rule was finalized on May 9, 2024 — read the full overview here.

Scope of Covered Digital Properties for Insurers

For a health insurer or managed care organization, the universe of member-facing digital touchpoints subject to WCAG 2.1 Level AA is extensive:

Member-Facing Digital Assets

  • Member portal — benefits summaries, claims history, explanation of benefits, prior authorization status
  • Plan finder and enrollment tools — tools used to apply for, select, or enroll in coverage
  • Provider directory — online search tools for finding in-network providers
  • Pharmacy and formulary tools — drug cost estimators, formulary lookup tools
  • Mobile applications — member apps for ID cards, claims, and benefits navigation
  • Telehealth access portals — any digital entry point to virtual care services offered as part of the benefit
  • Prior authorization submission tools — if members or their authorized representatives submit PAs digitally
  • Grievance and appeals portals — online tools to file complaints or appeal coverage decisions
  • Plan marketing and informational websites — public-facing plan comparison and enrollment pages

Key Compliance Risks for Payers

Legacy Member Portal Technology

Many insurers operate member portals built on legacy platforms that predate modern accessibility standards. Retrofitting these systems to meet WCAG 2.1 Level AA can require significant investment. With the deadline now set for May 2027, organizations that have not yet begun a remediation program are already operating with compressed timelines.

Vendor and Delegated Entity Risk

Insurers frequently delegate digital services — telehealth, pharmacy benefits management (PBM), care management platforms — to third-party vendors and delegated entities. Under § 84.84(a), the insurer retains full Section 504 responsibility for the accessibility of any service it makes available to members. Vendor contracts and delegation agreements should be reviewed and updated to include explicit WCAG 2.1 Level AA conformance obligations.

CMS Overlap and Coordination

Medicare Advantage and Part D plan sponsors are subject to CMS requirements that increasingly incorporate accessibility considerations. HHS 45 CFR Part 84 runs alongside — and in some cases overlaps with — CMS marketing and communication regulations. Legal, compliance, and digital strategy teams should coordinate to ensure efforts are aligned and documented efficiently.

Compliance Action Plan for Health Insurers

  1. Map all member-facing digital touchpoints — including vendor-hosted tools and delegated entity platforms used by your members.
  2. Conduct a WCAG 2.1 AA gap assessment across member portal, enrollment tools, mobile app, and provider directory. Prioritize by member impact and enrollment-critical workflows.
  3. Audit vendor and delegation agreements — add WCAG 2.1 AA conformance language, audit rights, and remediation SLAs to all relevant contracts.
  4. Establish an accessibility governance structure — assign ownership, define escalation paths, and integrate accessibility into your digital product lifecycle.
  5. Test with real users. Automated tools catch only a fraction of accessibility barriers. Manual testing by accessibility specialists and usability testing with members who use assistive technologies are required for a defensible compliance posture.
  6. Update member communications. Ensure grievance and appeals information, accessibility statements, and accommodation request processes are prominently available and themselves accessible.
  7. Document your compliance program. OCR expects written documentation of your designated coordinator, grievance procedures, remediation plan, and audit results.


This article is for informational purposes only and does not constitute legal advice.
