On May 9, 2024, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR), issued a sweeping final rule, Nondiscrimination on the Basis of Disability in Programs or Activities Receiving Federal Financial Assistance, updating the regulations implementing Section 504 of the Rehabilitation Act of 1973. The first comprehensive update to HHS’s Section 504 regulations in nearly 50 years, the rule expanded nondiscrimination obligations for certain recipients of HHS funds, including health care providers, payers, and other entities that receive payments under Medicare and Medicaid, fully rewriting 45 C.F.R. Part 84.
Among these updates, HHS has, for the first time, established specific technical standards to improve accessibility to self-service kiosks, web content, and content available on mobile applications for individuals with disabilities, including those with physical, visual, auditory, speech, language, learning, cognitive, and neurological disabilities. Recipients must comply with these technical standards to make digital content more perceivable, operable, understandable, and robust—or POUR, the core acronym defining the four pillars of digital accessibility under the Web Content Accessibility Guidelines (WCAG).
While the rule became effective July 8, 2024, the deadlines for compliance with the digital accessibility technical standards for content available on websites and mobile apps are fast approaching:
- Recipients with 15 or more employees must comply by May 11, 2026.
- Recipients with fewer than 15 employees must comply by May 10, 2027.
Who Is a Recipient?
Section 504 applies broadly to any program or activity receiving federal financial assistance from HHS, including most hospitals, physician practices, federally qualified health centers, long‑term care facilities, health plans, research institutions, medical schools, and human services programs. Notably, the OCR clarified that Medicare Part B reimbursement alone triggers coverage, aligning Section 504 applicability with recent interpretations under Section 1557 of the Affordable Care Act.
The Technical Standards
Recipients must ensure that digital content available on their websites and mobile apps conforms to WCAG 2.1, Levels A and AA success criteria. These standards apply broadly to digital content made available through the recipient’s website, mobile apps, social media accounts, patient portals, and telehealth platforms, whether developed internally or provided by a third‑party vendor.
There are five limited exceptions certain web and mobile app content does not need to comply with under the new digital accessibility requirements.
1. Archived web content
This exception is intended to capture unaltered archived content that is maintained for reference, research, or recordkeeping purposes. Archived web content does not need to comply with the technical standards if it meets these conditions:
- The archived web content was created, or reproduces paper documents or contents of other physical media created, before the recipient’s compliance deadline.
- The content is retained exclusively for reference, research, or recordkeeping purposes.
- The content is not altered or updated after the date of archiving.
- The content is organized and stored in a dedicated area clearly identified as being archived.
2. Preexisting conventional electronic documents
Conventional electronic documents made available on a recipient’s web or mobile app before the recipient’s compliance deadline are exempt. The regulation defines conventional electronic documents as portable document formats (PDFs) or word processor, presentation, or spreadsheet files.
3. Individualized password-protected documents or otherwise secured conventional electronic documents
Conventional electronic documents that pertain to a specific individual, their property, or their account—and that are password-protected or otherwise secured—are exempt from compliance with the technical requirements. Individualized conventional electronic documents include medical records, notes about a specific patient, or receipts for purchase (like a purchase for durable medical equipment). Content that is broadly applicable or available to the general public is not covered by this exception. Even so, recipients must ensure that individuals with disabilities can access information in documents that pertain specifically to them.
4. Preexisting social media posts
Social media posts that were posted before the recipient’s compliance deadline are exempt from compliance with the technical requirements. Going forward, recipients must ensure that social media posts are accessible, potentially requiring meaningful training and policies for those handling social media accounts on behalf of health care providers. Note, however, that recipients are not responsible for ensuring that the actual social media platforms themselves conform to WCAG 2.1 Level AA.
5. Content posted by a third party
This exception applies to all content independently posted by a third party, such as public comments on a recipient’s social media page. However, if the content is from a third party posting due to contractual, licensing, or other arrangements with a recipient (e.g., the recipient links to online payment processing websites offered by third parties to accept the payment of fees or to pay for any recipient services), the exception does not apply.
But if there is a specific request from an individual with a disability, the recipient may still have to provide the digital content to the individual in an accessible format to comply with other Section 504 obligations, including:
- Making reasonable modifications in policies, practices, or procedures.
- Ensuring that communications with people with disabilities are as effective as communications with people without disabilities.
- Providing people with disabilities an equal opportunity to participate in or benefit from the recipient’s programs or activities.
Alternative methods of compliance and permitted noncompliance
In certain situations where compliance with the technical standards is not necessarily feasible, the new regulations provide recipients with alternative, practical options that still enhance digital accessibility of web content for individuals with disabilities.
Recipients may use “conforming alternate versions” of web content or mobile apps if it is not possible to make the content accessible due to technical or legal limitations. Conforming alternate versions are separate versions of content that are accessible and current, contain the same information and functionality as the inaccessible content, and can be reached through a conforming webpage or an accessibility-supported mechanism. Recipients must avoid creating a segregated approach that provides an inferior experience for individuals with disabilities.
Recipients also may use alternative designs, methods, techniques, or standards instead of conforming to WCAG 2.1 Level AA (for example, WCAG 2.2 Levels AA or AAA), so long as the designs, methods, techniques, or standards enable substantially similar or greater accessibility and usability.
Even with these alternative methods available, recipients are not expected to take actions that would fundamentally alter the nature of a program or activity, or that would result in an undue financial and administrative burden. Recipients must, however, take all other actions that would ensure that individuals with disabilities receive the benefits of the services provided by the recipient.
Furthermore, noncompliance with WCAG 2.1 Level AA may be permitted in certain limited circumstances when the recipient can demonstrate that noncompliance has a minimal impact on accessibility. Individuals with disabilities must have access to the same information and must be able to engage in the same interactions, conduct the same transactions, and otherwise participate in or benefit from the same programs or activities as individuals without disabilities in a substantially similar manner in terms of timeliness, privacy, independence, and ease of use. For example, providing a staffed telephone service that is available 24/7 in lieu of providing accessible web content does not provide equal access because websites generally allow users to quickly review large quantities of information with more privacy than a phone call.
Barriers to Implementation
Health care organizations face several practical challenges in implementing changes to comply with the technical standards:
- Technical barriers, such as limitations imposed by legacy IT systems and third‑party platforms that do not meet WCAG 2.1 Levels A and AA success criteria.
- Capital costs associated with system upgrades and other remediation efforts.
- Vendor management issues, such as timeline constraints related to upgrades, or other contractual limitations.
- Increased and distinct burdens small or rural recipients may face.
- Ambiguity in “undue burden” defenses, which the OCR has historically interpreted narrowly.
The OCR would likely be receptive to further comments from recipients about the impact of the technical standards on the health care industry, particularly when recipients can provide specific, detailed information and documented examples of the realities of implementation.
Enforcement
The OCR may enforce noncompliance with Section 504 through investigations and compliance reviews, and noncompliance can ultimately result in suspension or termination from government programs and loss of federal funding. Section 504 also provides a private right of action for individuals; digital content accessibility litigation is already prevalent under Title III of the ADA.
Early planning, cross‑functional coordination, and prioritization of high‑risk areas are essential to mitigate exposure.
Key Takeaways
- Do not treat Section 504 as “new” compliance. Many obligations the OCR views as long-standing are now clarified and enforceable.
- Conduct a digital accessibility audit. Review all website content and content available on mobile apps for compliance with WCAG 2.1 Levels A and AA.
- Begin remediation immediately, particularly for patient‑facing tools, and update vendor contracts to require compliance with the accessibility standards.
- Update policies and train personnel on the expanded Section 504 requirements.
- Consider submitting comments to the OCR about the impact of the technical standards and the implementation challenges your organization is facing.
AlstonHealth State Law Hub
Alston & Bird’s Health Care team highlights state legislation and regulatory actions with direct implications for operations, reimbursement, privacy, and enforcement risk. Designed for in-house counsel, the tracker supports legal teams in proactively managing risk and aligning business strategy with a rapidly evolving state regulatory environment.
Learn more on the AlstonHealth State Law Hub.
If you have any questions, or would like additional information, please contact one of the attorneys on our Health Care team.
You can subscribe to future advisories and other Alston & Bird publications by completing our publications subscription form.