HHS Section 504 Final Rule: What the May 2026 Digital Accessibility Deadline Means for Healthcare Organizations

Quick summary:
Healthcare organizations that receive federal financial assistance from the HHS must bring covered digital properties into alignment with WCAG 2.1 AA under the HHS’ Section 504 Final Rule. For entities with 15 or more employees, the deadline is May 11, 2026. The rule applies broadly to websites, patient portals, kiosks, third-party tools, and future social media content.

The first major compliance deadline under the HHS’ Section 504 Final Rule lands on May 11, 2026. That is the date when WCAG 2.1 Level AA becomes the enforceable digital accessibility standard for every healthcare organization with 15 or more employees that receives federal financial assistance from HHS.

If you accept Medicare or Medicaid, receive any federal grant or subsidy from HHS, or operate a digital health product used in an HHS-funded programme, this rule applies to you. And if you haven't started work yet, you are already behind.

In this post, we break down exactly what the HHS Section 504 Final Rule requires, who it covers, the key deadlines, and the practical steps your organization needs to take right now.

What is the HHS Section 504 Final Rule?

On May 9, 2024, the U.S. Department of Health and Human Services (HHS) published a Final Rule through the Federal Register that updated the regulations implementing Section 504 of the Rehabilitation Act of 1973. The rule took effect on July 8, 2024.

Section 504 has prohibited disability-based discrimination in federally funded programs since 1973. But until this Final Rule, it lacked specific technical standards for digital content. The updated rule closes that gap by requiring covered organizations to conform their websites, mobile applications, and kiosk-based services to WCAG 2.1, Level A and Level AA.

This is a landmark shift for healthcare. As HHS noted in its rulemaking, many healthcare services are now delivered digitally, and many of those tools contain barriers that prevent people with disabilities from accessing care on equal terms. The rule treats digital accessibility as a civil rights obligation, not an optional best practice.

Who is covered by the rule?

The scope is broad. The rule applies to any entity that receives federal financial assistance from HHS, whether directly or indirectly. Because HHS administers more than 100 programmes through which federal funding flows, the range of covered organizations is extensive.

Covered organizations include:

• Hospitals and health systems

• Physician practices and clinics

• Community health centers

• Health insurers and Medicare Advantage organizations

• Medicaid managed care plans

• Long-term care providers and nursing facilities

• Behavioral health providers

• Clinical research institutions and medical schools

• Pharmaceutical and biotech firms receiving federal research funding

• Digital health companies whose products are used in HHS-funded programs

One critical distinction: the threshold of 15 employees determines your compliance deadline, not whether you are covered. A small clinic with eight employees that accepts Medicaid is still subject to this rule. It simply has until May 10, 2027 rather than May 11, 2026. A single Medicare or Medicaid payment can be enough to trigger coverage.

For healthcare organizations already thinking about digital compliance more broadly, this rule sits alongside a growing stack of federal and global requirements. The HHS rule is one piece; the DOJ ADA Title II rule is another. Together, they signal that digital accessibility is now a baseline expectation across publicly funded services.

What are the digital accessibility requirements?

The rule mandates that covered entities make their digital properties conform to WCAG 2.1, Level A and Level AA success criteria. Organizations may also conform to newer versions such as WCAG 2.2, provided the result delivers substantially equivalent or greater accessibility.

Websites and institutional web content

All institutional web content must be accessible. This includes the organization's primary website, patient portals, intranet resources used by programme beneficiaries, mobile applications, online forms, multimedia content, interactive features, and any regularly updated content used for communicating with patients or the public.

Accessibility must be integrated into the design, development, and ongoing maintenance of digital content; this is not a one-time fix that you can apply at launch and forget.

Third-party content and tools

The rule explicitly extends to web content and mobile apps provided or developed by third parties under contract. This includes appointment schedulers, telehealth platforms, payment portals, electronic health record access portals, and any other digital service operated on behalf of your organization.

If a vendor's platform is used by patients or beneficiaries to access your programs, your organization is responsible for ensuring that platform meets the accessibility standard. Vendor contracts should be reviewed and updated to require WCAG 2.1 AA conformance as a standard deliverable.

Kiosks

Kiosks used for check-in, payment, wayfinding, or other patient-facing services must provide people with disabilities equal access, convenience, and confidentiality. If a kiosk is not accessible, the organization must provide an alternative that delivers the same level of access and privacy, not a degraded substitute.

Compliance deadlines at a glance

The deadlines below apply specifically to the WCAG 2.1 AA digital accessibility provisions. Note that general Section 504 obligations have been enforceable since July 8, 2024.

Exceptions to know about

The rule does provide a limited set of exceptions. Importantly, even content that falls under an exception may still need to be made accessible if someone with a disability makes a specific request under existing Section 504 obligations.

The main exceptions are:

• Archived web content: Outdated content maintained solely for reference or recordkeeping, clearly labelled as an archive, and not updated or actively used.

• Pre-existing conventional electronic documents: Legacy PDFs, Word documents, slide decks, or spreadsheets posted before the compliance deadline. This does not cover documents that are currently used to apply for, gain access to, or participate in covered programs.

• Third-party content not under entity control: Public forum posts or files uploaded by users who are not under contract with the covered entity.

• Individualized password-protected documents: Secure, individualized records such as lab results delivered to a single user. Broadly applicable or public-facing content does not qualify.

• Pre-existing social media posts: Content posted before the applicable compliance date. New social media posts from the compliance date forward must be accessible.

These exceptions are deliberately narrow. For example, older web content that is still widely used for purposes other than reference must be made accessible. Organizations should not treat these exceptions as a blanket shield against compliance obligations.

Enforcement and the risks of non-compliance

The HHS Office for Civil Rights (OCR) has several enforcement tools available. It can investigate individual complaints, conduct compliance reviews without any complaint being filed, and refer matters to the U.S. Department of Justice for further legal action.

The most direct risk is the potential loss of federal funding. For healthcare organizations that depend on Medicare, Medicaid, or other HHS-administered programs, this represents an existential threat.

Section 504 also provides a private right of action. People who have experienced discrimination can bring lawsuits directly against covered entities. The new rule provides a clear, enforceable standard that will likely encourage additional litigation in the healthcare sector, potentially for relatively minor technical barriers.

OCR can investigate proactively, without a complaint being filed. The May 2026 deadline is not the start of enforcement. It is the point at which WCAG 2.1 AA becomes the specific technical benchmark OCR will apply.

How does this connect to the DOJ ADA Title II rule

The HHS Section 504 Final Rule is closely aligned with the Department of Justice's Final Rule updating ADA Title II regulations, which imposes similar WCAG 2.1 AA requirements on state and local governments, public schools, community colleges, and public universities.

The DOJ rule has compliance deadlines of April 24, 2026 (for entities serving populations of 50,000 or more) and April 26, 2027 (for smaller entities). Together, these two rules represent a coordinated federal effort to establish WCAG 2.1 AA as the recognized digital accessibility standard across public and publicly funded services.

For organizations that fall under both rules, the earliest applicable deadline governs. It is worth noting that the DOJ indicated in September 2025 that it planned to issue a notice to reconsider certain provisions of its Title II rule. At the time of this writing no such notice has been issued and the HHS has made no corresponding statement about revising its own rule. Organizations should not delay compliance in anticipation of regulatory changes that have not materialized.

Steps you need to take now

The time for planning has passed for organizations with 15 or more employees. Here is what needs to happen immediately.

1. Conduct a comprehensive accessibility audit. Review all websites, patient portals, mobile apps, and kiosk interfaces for conformance with WCAG 2.1 Level A and AA. Automated scanning can identify many common issues quickly, but a full assessment requires manual testing by qualified reviewers and testing with users who rely on assistive technologies.

2. Remediate identified barriers. Work with your IT team and development vendors to address deficiencies. Prioritize issues with the greatest impact on patient access: inaccessible appointment scheduling, patient portal login flows, and telehealth platforms.

3. Review and update vendor contracts. Require WCAG 2.1 AA conformance in all digital deliverables provided or operated by third-party vendors. Request accessibility conformance documentation as part of your procurement and renewal processes.

4. Designate a responsible employee and adopt grievance procedures. The rule requires covered entities to have a designated employee for Section 504 compliance and established procedures for handling disability-related grievances.

5. Train your staff. Content creators, developers, designers, and programme administrators all need to understand WCAG standards and how to maintain accessible digital content as part of their everyday workflows.

6. Monitor and test regularly. Accessibility is not a one-time project. Every new piece of content, every platform update, and every vendor change must be evaluated for conformance. Build accessibility testing into your quality assurance and content publishing workflows.

7. Document your compliance posture. Maintain records of audits, remediation efforts, vendor conformance documentation, and staff training. If your organization ever needs to demonstrate good-faith compliance or claim undue burden, documentation is essential.

How Clym can support your digital accessibility program

Running a compliance program that covers the WCAG, the ADA, or the European Accessibility Act, as well as a growing list of other global regulations, is a significant operational burden. Clym's platform is designed to reduce that burden across data privacy, accessibility, and corporate transparency requirements in one place.

For healthcare organizations working toward the HHS Section 504 digital accessibility requirements, Clym provides several relevant capabilities:

• The accessibility widget lets website visitors manage their accessibility preferences directly on your site, including display adjustments, contrast settings, and text size. This supports equitable access without requiring back-end changes for every user scenario.

• The accessibility issue reporting solution gives patients and users a structured way to flag accessibility barriers directly on your website. This creates an auditable record of reported issues and your responses, which supports the grievance procedure requirement under the rule.

• Publishing a public accessibility statement is a meaningful signal of accountability and gives users a resource to report barriers. Clym helps you generate and maintain an up-to-date statement that reflects your current compliance posture.

• Open-source accessibility tools support testing, remediation guidance, and reporting across your digital estate, giving your team actionable findings rather than raw compliance data.

Clym facilitates WCAG, ADA, and the European Accessibility Act (EAA), as well as other international accessibility standards. For organizations that also need to manage HIPAA-aligned cookie consent, data subject requests, and privacy policy generation alongside their accessibility work, Clym's ReadyCompliance^® platform handles all of it within one single integration.

Conclusion

The HHS Section 504 Final Rule makes digital accessibility a clear requirement for healthcare organizations that receive federal financial assistance from HHS.

By May 11, 2026, covered entities with 15 or more employees need to align their websites, patient portals, third-party tools, kiosks, and future social media content with WCAG 2.1 AA. Enforcement began in July 2024, but the May deadline sets the technical standard HHS OCR will use.

If you have not started, now is the time. Review your digital properties, validate them against WCAG 2.1 AA, document your work, update vendor contracts, and make accessibility part of your ongoing operations.

The path is clearer now. The next step is making sure your organization is ready.