ADA Compliance for Healthcare Websites

Healthcare organizations carry the most complicated web accessibility liability profile in the US. A single inaccessible patient portal can trigger three separate legal mechanisms: a private lawsuit under ADA Title III, a complaint to HHS's Office for Civil Rights under Section 1557 of the Affordable Care Act, and in some states a complaint under state medical practice laws. Settlements routinely run two to three times higher than ecommerce equivalents because plaintiffs can argue denial of essential medical services, not just commercial inconvenience.

This page is informational and is not legal advice. ADA, federal regulations, and state-law obligations vary by jurisdiction and business type — consult qualified counsel for case-specific guidance.

The three legal mechanisms healthcare sites face

ADA Title III private lawsuits work the same way they do for ecommerce. A plaintiff with a covered disability claims they could not access services through the healthcare provider's website, and demands settlement plus remediation. Settlements in this lane typically run $25,000- $75,000 plus attorney's fees.

Section 1557 of the Affordable Care Act is healthcare-specific and significantly more aggressive. Section 1557 prohibits discrimination on the basis of disability in any health program receiving federal financial assistance. The implementing regulations were updated in 2024 to explicitly address electronic information technology, requiring it to conform to WCAG 2.1 AA. HHS OCR enforces Section 1557 through voluntary resolution agreements that frequently include multi- year monitoring and substantial corrective action obligations. Settlements with HHS often exceed $100,000 in actual remediation costs even when no cash penalty is paid, because the resolution agreement requires complete WCAG 2.1 AA conformance across the entire web presence on a strict timeline.

State medical board and consumer protection actions add a third layer. Several state attorneys general (notably California, New York, and Massachusetts) have opened investigations into healthcare website accessibility independently of federal action, often as part of broader consumer protection sweeps.

Patient portals: the highest-risk surface

Patient portals are where healthcare ADA litigation lives. The major commercial portal platforms — Epic MyChart, Cerner HealtheLife, athenahealth Communicator, eClinicalWorks Patient Portal — each have well-documented accessibility issues that providers inherit. Even with the vendor's most current release, portals fail accessibility audits because hospitals customize the templates, embed third-party widgets, and host patient education content that is not WCAG conformant.

The specific failure points cited in actual healthcare complaints include:

• Login forms with missing labels and inaccessible CAPTCHA challenges that lock out blind users.
• Appointment scheduling calendars built as visual grids without keyboard navigation or screen reader support.
• Lab result tables presented as images of formatted text or as untagged PDFs, leaving screen reader users unable to read their own results.
• Medication lists displayed in custom JavaScript components that do not announce drug names, doses, or schedules.
• Secure messaging interfaces where the message thread cannot be navigated with a screen reader and new-message alerts are not announced via ARIA live regions.
• Bill payment screens where amount fields, payment method selectors, and confirmation messages lack proper labels.

Telehealth: the post-COVID exposure that did not go away

Telehealth utilization surged during 2020 and never returned to pre-pandemic levels. The accessibility gap that opened during the rapid rollout of video visit platforms also did not fully close. The major telehealth platforms — Doxy.me, Teladoc, Amwell, Zoom for Healthcare — have improved their accessibility in successive releases, but the actual patient experience depends on how a provider integrates them.

HHS guidance issued in 2022 and updated in 2024 explicitly requires that providers offering telehealth ensure the sessions are accessible to patients with sensory and motor disabilities. That includes captioning for patients who are deaf or hard of hearing, screen reader-compatible interfaces for patients with vision impairments, and the ability to use alternative input devices. Practical compliance also requires that the patient be able to schedule, join, and follow up on the visit — meaning the entire workflow, not just the video session itself, has to meet WCAG 2.1 AA.

Document accessibility: the invisible failure

Healthcare websites tend to host enormous PDF libraries — patient education materials, consent forms, intake paperwork, insurance information, post-visit summaries. Almost none of them are accessible. Most are scanned images of paper documents with no embedded text layer. Many that were generated digitally are missing tag structure, reading order, and alt text on diagrams.

HHS OCR resolution agreements increasingly cite document accessibility specifically. The path forward is to convert high-traffic patient documents to HTML wherever possible, and properly tag the PDFs that have to remain in PDF form (consent forms with legal weight, official forms required by payers). For organizations with thousands of legacy PDFs, the practical approach is to inventory the documents, prioritize by traffic and clinical importance, and remediate the top 5-10 percent that account for most actual patient usage.

HIPAA does not exempt you from the ADA

One persistent misconception in healthcare IT is that HIPAA security requirements somehow conflict with or supersede ADA accessibility requirements. They do not. HIPAA governs how you protect health information; the ADA and Section 1557 govern whether disabled patients can access services at all. A well-designed system meets both standards simultaneously.

The most common HIPAA-related accessibility excuse — that we cannot label form fields with descriptive text because it would expose PHI — is incorrect. WCAG accessibility requirements apply to the form structure and interaction, not the data displayed within. A label that says "Date of birth (mm/dd/yyyy)" does not expose any patient information; it just makes the field usable for a screen reader. Authenticated portal pages can and should be fully accessible.

Realistic remediation plan for healthcare organizations

Healthcare web ecosystems are larger and more fragmented than other industries. A typical hospital has a marketing site, a patient portal (EHR vendor-supplied), a physician finder, a scheduling layer, a bill pay system, sometimes a separate telehealth platform, and a long tail of department-specific sub-sites and microsites. Trying to remediate everything at once usually fails.

A practical six-month sequence:

1. Months 1-2: Audit and triage. Run automated scans on every web property, document the violations, and rank them by patient impact and legal exposure. The portal login flow and any page where a patient takes an action (schedule, pay, message, refill) are top priority.
2. Months 2-3: Remediate the patient-facing transactional flows first. Login, scheduling, bill pay, messaging. These are where lawsuits originate.
3. Months 3-4: Address the marketing site and physician finder. Lower legal risk but high traffic and the most common entry point for patients.
4. Months 4-5: Document remediation. Convert top patient education PDFs to accessible HTML; tag the PDFs that must remain.
5. Months 5-6: Telehealth and EHR vendor coordination. Push your portal vendor for accessibility features and create workflow documentation for staff so new content stays compliant.

Working with EHR and portal vendors

Most healthcare organizations cannot directly modify their patient portal code. What you can do is hold your vendor accountable. Every major EHR vendor publishes a Voluntary Product Accessibility Template (VPAT) that documents their compliance against WCAG 2.1 AA. Request the current VPAT from your account team, identify the criteria marked "Partially Supports" or "Does Not Support", and ask for a roadmap.

HHS OCR resolution agreements have started naming specific vendor accessibility gaps as obligations the healthcare organization must address. That means "our vendor will not fix it" is not a defense. If your vendor cannot or will not remediate, your organization is on the hook to either pressure them, find a workaround (alternative format on request), or migrate platforms.

What to do today

Audit your patient portal login flow, your appointment scheduling page, and your top patient education resource this week. These three surfaces drive the bulk of healthcare ADA exposure. If automated scanning surfaces violations, those are the same things plaintiff attorneys and HHS OCR investigators will find. Real remediation is technically straightforward; the hard part is operationalizing it across a fragmented healthcare web ecosystem and holding vendors accountable for the components you do not directly control.