Healthcare is one of the highest-stakes industries for web accessibility. Patients with disabilities — vision loss, motor impairments, cognitive disabilities — rely on patient portals, appointment scheduling systems, and telehealth platforms to manage their health. When those systems are inaccessible, the consequences are not merely legal: patients miss appointments, can't access test results, and are excluded from care.
This guide covers the full legal framework (ADA Title III, HHS Section 504, and the HIPAA/ADA intersection), the most common WCAG violations on healthcare websites, code-level remediation examples, and the cost of non-compliance drawn from real DOJ settlements.
See how 321 websites scored →
View the 2026 ReportHealthcare organizations face a three-layer compliance obligation that goes beyond what most industries face:
Hospitals, clinics, pharmacies, and telehealth providers are "places of public accommodation" under ADA Title III. Courts have consistently held that websites and mobile apps of these entities must be accessible to people with disabilities. The Department of Justice (DOJ) finalized WCAG 2.1 AA as the operative standard for government-facing digital content in 2024, and courts apply the same standard to private healthcare entities in Title III litigation.
Any healthcare organization that receives Medicare or Medicaid reimbursement is a recipient of federal financial assistance and must comply with Section 504 of the Rehabilitation Act. This includes virtually every hospital, clinic, and health system in the United States. The HHS Office for Civil Rights (OCR) has enforced Section 504 against healthcare entities for inaccessible websites, patient portals, and communication systems.
Section 1557 of the Affordable Care Act prohibits discrimination on the basis of disability in health programs receiving federal financial assistance. Regulations finalized in 2024 explicitly require covered entities to ensure that electronic patient care communications — including patient portals, appointment systems, and telehealth platforms — are accessible under WCAG 2.1 AA.
Healthcare is not an abstract enforcement risk. Real organizations have paid significant penalties:
The DOJ and CVS reached a landmark agreement covering inaccessible pharmacy kiosks, prescription labeling systems, and digital services. CVS agreed to remediate all customer-facing digital touchpoints and submit to multi-year compliance monitoring. The settlement established that pharmacy chains — including their web and mobile properties — must meet full WCAG 2.1 AA standards.
Following the CVS settlement, Rite Aid entered a consent decree requiring accessible prescription services, kiosks, and digital systems. The pattern suggests that pharmacies and retail healthcare providers are now a priority DOJ enforcement target — and the CVS settlement creates a precedent that plaintiffs routinely cite in private litigation.
HHS OCR investigated a complaint that the hospital's patient portal was inaccessible to blind patients. The resolution agreement required portal remediation and staff training. OCR investigations do not require a lawsuit — a single patient complaint can trigger a federal investigation resulting in a corrective action plan and monitoring.
Patient portals and telehealth interfaces consistently fail on a predictable set of issues. These are the violations our scanner most frequently detects on healthcare websites:
| Violation | WCAG Criterion | Severity |
|---|---|---|
| Appointment scheduling forms with unlabeled or placeholder-only fields | 1.3.1 Info and Relationships / 4.1.2 Name, Role, Value | Critical |
| Lab result tables without proper headers or summary | 1.3.1 Info and Relationships | Critical |
| Low color contrast on alert messages (e.g., "critical result" notifications) | 1.4.3 Contrast (Minimum) | Critical |
| Telehealth video controls not keyboard accessible | 2.1.1 Keyboard | Critical |
| PDF discharge instructions and care plans without tags | 1.1.1 Non-text Content / 1.3.1 Info and Relationships | Serious |
| Medication lists rendered in inaccessible data tables | 1.3.1 Info and Relationships | Serious |
| Missing focus indicators on interactive portal elements | 2.4.7 Focus Visible | Serious |
| Error messages that don't reference the field causing the error | 3.3.1 Error Identification / 3.3.3 Error Suggestion | Serious |
| Insurance card upload buttons without accessible labels | 4.1.2 Name, Role, Value | Serious |
| Session timeout dialogs that don't receive keyboard focus | 2.2.1 Timing Adjustable / 2.1.2 No Keyboard Trap | Serious |
The most common violation. Placeholder text disappears when a user types and is never read by screen readers as a proper label.
Before (inaccessible):
<input type="text" placeholder="Date of Birth" name="dob">After (accessible):
<div class="field-group">
<label for="dob">Date of Birth <span aria-hidden="true">*</span></label>
<input type="text" id="dob" name="dob"
placeholder="MM/DD/YYYY"
aria-required="true"
aria-describedby="dob-hint">
<div id="dob-hint" class="field-hint">Format: MM/DD/YYYY</div>
</div>Data tables in patient portals must use proper <th> scope attributes so screen readers can associate cells with their headers.
Before (inaccessible):
<table>
<tr><td>Test</td><td>Result</td><td>Range</td><td>Flag</td></tr>
<tr><td>Glucose</td><td>112</td><td>70–100</td><td>HIGH</td></tr>
</table>After (accessible):
<table>
<caption>Lab Results — April 29, 2026</caption>
<thead>
<tr>
<th scope="col">Test</th>
<th scope="col">Result</th>
<th scope="col">Reference Range</th>
<th scope="col">Flag</th>
</tr>
</thead>
<tbody>
<tr>
<td>Glucose</td>
<td>112 mg/dL</td>
<td>70–100 mg/dL</td>
<td><span class="flag-high" aria-label="Above normal range">HIGH</span></td>
</tr>
</tbody>
</table>Patient portals commonly show a "session expiring" warning that fails to receive keyboard focus — leaving keyboard-only users locked out when the session ends without their knowledge.
<div role="alertdialog"
aria-modal="true"
aria-labelledby="timeout-title"
aria-describedby="timeout-desc"
tabindex="-1"
id="timeout-dialog">
<h2 id="timeout-title">Your session is about to expire</h2>
<p id="timeout-desc">You will be logged out in <span id="countdown">60</span> seconds.</p>
<button onclick="extendSession()">Stay logged in</button>
<button onclick="logout()">Log out now</button>
</div>
<script>
function showTimeoutDialog() {
const dialog = document.getElementById('timeout-dialog');
dialog.style.display = 'block';
dialog.focus(); // Move keyboard focus into the dialog
}
</script>Video call controls (mute, camera, end call) built from <div> elements are invisible to keyboard users. Replace with native <button> elements or add proper ARIA roles.
Before (inaccessible):
<div class="mute-btn" onclick="toggleMute()">
<img src="mic.svg">
</div>After (accessible):
<button type="button"
class="mute-btn"
onclick="toggleMute()"
aria-pressed="false"
aria-label="Mute microphone"
id="mute-control">
<img src="mic.svg" alt="" aria-hidden="true">
</button>Healthcare organizations face a unique double exposure that other industries do not:
When a blind patient requests their lab results through a portal and the portal is inaccessible to their screen reader, the healthcare organization may be simultaneously in violation of both HIPAA (failure to provide effective access) and Section 504 (discrimination on the basis of disability). The HHS OCR can and does investigate both frameworks simultaneously.
Run a free WCAG 2.1 AA scan on your patient portal, appointment booking page, or telehealth landing page. Accessalyze uses the same axe-core engine trusted by healthcare IT teams and regulatory consultants — and layers AI on top to generate exact fix code for every violation found.
Scan your patient portal or healthcare site for WCAG 2.1 AA violations in under 60 seconds. No account required. AI-generated fix code included.
Scan My Healthcare Site Free →Yes. Patient portals operated by healthcare organizations that receive federal financial assistance (Medicare, Medicaid) must comply with Section 504 of the Rehabilitation Act, which courts have interpreted to require WCAG 2.1 AA compliance. Section 1557 of the ACA (2024 final rule) explicitly requires WCAG 2.1 AA for covered electronic patient communications. ADA Title III applies independently to private healthcare entities.
HIPAA does not directly mandate WCAG compliance, but HIPAA's Right of Access provision (45 CFR § 164.524) requires that patients be able to access their health information in the format they request when readily producible. If a patient's only accessible format for electronic records is a screen-reader-compatible portal and that portal is inaccessible, the entity may violate both HIPAA and Section 504. The HHS OCR enforces both.
The DOJ Civil Rights Division investigates complaints filed under ADA Title III and Section 504. Any patient can file a complaint — no lawsuit is required. Investigations can result in settlement agreements requiring remediation, compliance monitoring, staff training, and financial penalties. The CVS $13M settlement demonstrates the scale of potential liability for healthcare organizations.
The timeline depends on the portal's complexity and how it was built. Off-the-shelf EHR patient portals (Epic MyChart, Cerner, Athenahealth) have accessibility teams and active WCAG compliance programs — but customizations and third-party integrations often introduce violations. A thorough audit of a typical patient portal reveals 15–40 violations; remediation typically takes 4–8 weeks for a development team working concurrently on other projects. Automated tools like Accessalyze cut audit time from weeks to minutes.
Yes. Telehealth platforms operated by or contracted by covered healthcare entities must be accessible. This includes the video call interface, waiting room, pre-visit intake forms, and any documents shared during the visit. The ADA, Section 504, and Section 1557 all apply. Telehealth vendors should be contractually required to maintain WCAG 2.1 AA compliance, and healthcare organizations bear ultimate compliance responsibility for the full patient experience.
Related resources: Healthcare Accessibility Landing Page · ADA Compliance for Law Firms · Section 508 Compliance Checklist · ADA Website Compliance 2026 · ADA Lawsuit Prevention Guide
Try it yourself
Enter your website URL to get a free accessibility score.