Hospitals and Health Systems: HHS 45 CFR Part 84 Digital Accessibility Compliance Guide

This guide is part of our series on HHS 45 CFR Part 84 digital accessibility compliance. It focuses specifically on the obligations, risks, and action steps for hospitals and health systems.

Are Hospitals Covered by the HHS Section 504 Rule?

Yes — virtually every hospital and health system in the United States is covered. The rule under 45 CFR Part 84 applies to any entity receiving federal financial assistance from HHS, and that threshold is met the moment your organization accepts a single payment from Medicare (Parts A through D) or Medicaid. For hospitals, this means coverage is nearly universal.

The rule was updated via a final rule published on May 9, 2024, titled Nondiscrimination on the Basis of Disability in Programs or Activities Receiving Federal Financial Assistance — the first substantive revision to Section 504 regulations in nearly 50 years. The compliance deadline for organizations with 15 or more employees is May 11, 2027, following a one-year extension announced on May 7, 2026.

What Hospitals Must Make Accessible

Under 45 C.F.R. § 84.84, hospitals must ensure that all web content and mobile apps made available to patients, caregivers, and the public conform to WCAG 2.1 Level AA. For a large hospital or health system, the scope of covered digital assets is substantial:

Patient-Facing Digital Properties

  • Main hospital website and all department or service-line microsites
  • Patient portal (including EHR vendor-provided portals such as MyChart or FollowMyHealth)
  • Online appointment scheduling and registration flows
  • Telehealth and virtual visit platforms
  • Online bill pay and financial assistance applications
  • Mobile apps for patients, including condition management and post-discharge tools
  • Patient education content: videos, PDFs used in active workflows, interactive tools
  • Self-service check-in kiosks

Third-Party Vendor Responsibility

One of the most significant compliance risks for large health systems is third-party digital services. Under § 84.84(a), you are responsible for the accessibility of any digital service you provide to patients — regardless of whether you built it or a vendor did. This means your EHR vendor’s patient portal, your telehealth platform provider, your revenue cycle management system, and your scheduling software are all your compliance responsibility.

Most vendor contracts signed before May 2024 contain no WCAG 2.1 AA conformance language, no remediation commitments, and no audit rights. Renegotiating or updating these contracts is an urgent operational priority — and one that the extra year before the May 2027 deadline makes possible.

Compliance Deadline for Hospitals

Requirement | Deadline
WCAG 2.1 AA for web and mobile (15+ employees) | May 11, 2027
Accessible examination table and weight scale (at least one each) | July 8, 2027
General Section 504 nondiscrimination obligations (in effect) | Since July 8, 2024

Enforcement Risk for Hospitals

HHS’s Office for Civil Rights (OCR) enforces Section 504 and can investigate proactively — without a complaint being filed. Hospitals, as the highest-profile recipients of federal healthcare funding, face elevated scrutiny. The technical deadline of May 11, 2027 does not postpone OCR’s authority to investigate complaints about digital inaccessibility under the rule’s broader nondiscrimination provisions, which have applied since July 8, 2024.

A phone hotline is no longer an acceptable workaround. The 2024 final rule explicitly closed the “staffed phone line substitute” argument. Digital services must be accessible by default.

Hospital Compliance Action Plan

  1. Designate a Section 504 Coordinator. Larger hospitals are required to appoint a responsible employee and make their contact information publicly available.
  2. Conduct a full digital inventory. Map every patient-facing website, portal, app, and kiosk — including those operated by vendors under contract.
  3. Run a WCAG 2.1 AA baseline audit. Combine automated scanning with manual expert testing. Automated tools alone catch roughly 30–40% of issues. Focus on high-traffic journeys: portal login, scheduling, bill pay, and telehealth.
  4. Prioritize remediation by patient impact. Barriers in scheduling, billing, and clinical communication carry the highest legal and patient-safety risk. Address these first.
  5. Update vendor contracts. Add explicit WCAG 2.1 AA conformance requirements, audit rights, remediation timelines, and Voluntary Product Accessibility Templates (VPATs) to all digital service contracts.
  6. Build accessibility into your SDLC. Add accessibility checkpoints into design reviews, development sprints, and QA processes so that new digital content is accessible by default.
  7. Document everything. OCR expects documented remediation plans, grievance procedures, and evidence of good-faith compliance efforts.


This article is for informational purposes only and does not constitute legal advice.
