HHS imposes accessibility standards for health websites, mobile apps, kiosks

May 2026 deadline: HHS imposes accessibility standards for healthcare company websites, mobile apps, kiosks

Overview


A US Department of Health and Human Services (HHS) Section 504 final rule imposes a May 2026 deadline on covered healthcare companies. Never before has a rule required all recipients of federal financial assistance – including private healthcare providers – to comply with digital accessibility standards for websites, mobile apps, and kiosks.

By creating a legal framework that was not previously available in the public accommodation context, this rule places heightened scrutiny on healthcare companies. As a result, noncompliance is likely to lead to greater litigation exposure and increased business risks.

In Depth


Background

To promote access to healthcare for individuals with disabilities, HHS, through its Office for Civil Rights (OCR), published a final rule on May 9, 2024, creating various digital accessibility requirements under Section 504 of the Rehabilitation Act of 1973 and Title II of the Americans with Disabilities Act of 1990 (ADA). HHS implemented these new requirements because it determined that many healthcare-related services are provided through websites and mobile applications that are not accessible to individuals with disabilities. Examples of these accessibility issues include images, graphics, and maps that cannot be read or understood by blind patients using screen readers, as well as videos that lack captions for individuals who are deaf or hard of hearing.

HHS’s 2024 rule applies digital accessibility standards to all facilities, programs, and activities that receive federal funds or financial assistance, or that are conducted by a federal agency. Federal financial assistance for entities receiving funds from HHS includes credits, subsidies, and insurance contracts, such as Medicare Parts A, C and D; Medicaid; Children’s Health Insurance Program; Temporary Assistance for Needy Families; Head Start; Supplemental Nutrition Assistance Program; child welfare programs; and clinical research. Therefore, this rule will affect a wide range of healthcare facilities and entities that benefit from these programs, including hospitals, health clinics, dental and vision providers, long-term care facilities, and mental health treatment centers.

Website/mobile app accessibility and exceptions

The rule’s accessibility requirements apply to a healthcare company’s website and mobile applications, including those operated by third parties on the company’s behalf (e.g., electronic medical record vendors). Third-party tools, such as appointment schedulers, patient registration platforms, bill pay portals, and telehealth platforms must also comply with these requirements.

However, certain types of content are exempt from these requirements. The exceptions include:

  • Archived web content.
  • Preexisting conventional electronic documents.
  • Content posted by a third party acting independently (i.e., not under any contractual, licensing, or other arrangement with the healthcare company).
  • Individualized password-protected documents.
  • Preexisting social media posts.

Although these exceptions may appear broad at first glance, their scope is limited in certain respects. For example, the exception for “archived web content” does not include older web content that remains in use for reasons other than reference, research, or recordkeeping; such content that is still widely and consistently used must comply with the rule’s accessibility requirements. Similarly, the exception for “preexisting conventional electronic documents” does not include any documents currently used to apply for, access, or participate in a company’s programs or activities.

If content falls under an applicable exception, a company may still be required under existing Section 504 obligations to make that content accessible if the company receives a specific request from an individual with a disability. An entity will not be deemed as violating the rule if it can demonstrate that noncompliance has only a minimal impact on the ability of an individual with a disability to access content in a manner that provides substantially equivalent timeliness, confidentiality, independence, and ease of use.

Making websites and mobile apps accessible through the provision of auxiliary aids and services constitutes providing an accommodation under the ADA. Accordingly, the requirement to do so may be subject to the ADA’s fundamental alteration and undue burden defenses.

Technical standard (WCAG 2.1)

To ensure website and mobile accessibility, the rule applies a widely used and recognized technical standard based on the Web Content Accessibility Guidelines (WCAG). Websites and mobile apps must comply with WCAG 2.1 Levels A and AA (WCAG 2.1 AA), which include extensive and highly technical criteria.

Companies may also conform with the rule’s requirements by complying with WCAG 2.2 AA or AAA standards (which became an official standard in October 2023) or by adopting an alternative standard that results in substantially equivalent or greater accessibility than WCAG 2.1 AA, which has now become the legal floor under this rule.

Kiosk accessibility requirements

The rule imposes accessibility requirements for healthcare programs and activities provided through kiosks. Kiosks are defined as self-service transaction machines designed for independent use by patients or program participants. Common examples include devices patients use on their own to check in, access services, or record vital signs.

Healthcare companies that use kiosks must avoid discrimination on the basis of disability in connection with participation in, or benefits provided through, kiosk-based programs and activities. To comply with these new requirements, healthcare companies can either use kiosks that are accessible to individuals with disabilities or implement alternative procedures to provide access without the use of a kiosk for those unable to use kiosks because of inaccessible features. Any alternative procedures must afford individuals with disabilities the same level of access, confidentiality, and convenience as those who use a kiosk. The rule’s fact sheet provides an illustrative example whereby a company with an inaccessible kiosk may need to offer direct assistance with registration at the front desk as an alternative accommodation for individuals with disabilities.

Timeframe for compliance

Healthcare companies must comply with the rule’s accessibility standards in accordance with the following timeframe:

  • Small companies (fewer than 15 employees) must comply by May 10, 2027.
  • Larger companies (15 or more employees) must comply by May 11, 2026.

Risks of noncompliance

Failure to comply with the rule may result in serious penalties such as loss of federal funding. OCR can investigate complaints and enforce compliance, conduct a compliance review without a complaint, or refer any complaint of noncompliance to the US Department of Justice to secure compliance with the rule through any other legally authorized means.

In addition to regulatory enforcement, the ADA creates opportunities for plaintiff lawyers to pursue individual claims against healthcare companies whose websites or mobile apps fail to comply with these accessibility standards. In the past year, plaintiffs have filed thousands of lawsuits in federal and state courts, claiming that private businesses have failed to comply with Title III of the ADA (which applies to places of public accommodation), even though no rules had set forth digital accessibility requirements for these private businesses. Trolling plaintiff attorneys can easily use website scanning technologies that identify lack of compliance with WCAG standards, thereby creating a significant litigation risk for healthcare companies that do not comply with the rule.

The rule may also create business risk for healthcare companies. For healthcare companies engaged in government contracts, noncompliance could hinder their ability to secure new contracts or disrupt the maintenance of existing ones.

Best practices

In light of this far-reaching rule and the growing trend of website accessibility litigation, healthcare companies should consider adopting the following best practices:

  • Conduct an accessibility audit and identify any noncompliance with WCAG 2.1 AA standards across the company’s website, mobile apps, and patient portals.
  • Regularly test website functionality against WCAG criteria using scanning technologies frequently used by plaintiff lawyers, such as WAVE or PowerMapper.
  • Collaborate with internal/external technical teams to implement accessibility features and make any required changes.
  • Train personnel on accessibility requirements and WCAG standards and incorporate accessibility workflows into the company’s content management system and quality assurance processes.
  • Ensure that appropriate contractual arrangements are in place with vendors and that they are aware of the rule’s accessibility standards.
  • Develop and publish an accessibility policy outlining the company’s accessibility practices.
  • Assess and frequently reevaluate digital and kiosk accessibility practices and ensure any alternative procedures for kiosks afford equal access, convenience, and confidentiality for persons with disabilities.

For more information, please contact the authors or your regular McDermott Will & Schulte lawyer.