The regulatory landscape for healthcare website accessibility is more complex than for most industries. ADA Title III, Section 1557 of the ACA, HHS guidance, OCR enforcement, and state-level rules all overlap. This post walks through what each actually requires, where the requirements are firm, and where they're being interpreted.
This is descriptive, not legal advice. Healthcare compliance is fact-specific. Work with healthcare counsel for your situation.
ADA Title III — public accommodations
ADA Title III prohibits discrimination on the basis of disability by places of public accommodation. The Department of Justice has long held that healthcare practice websites are public accommodations, and federal courts have largely concurred — though circuits vary on whether the website must be tied to a physical location.
In practice: assume your practice website falls under ADA Title III.
What ADA Title III requires for a website: meaningful access. The standard isn't named in the statute, but courts and DOJ have consistently referenced WCAG (now version 2.1, Level AA) as the working benchmark.
What ADA Title III specifically demands you do: the statute doesn't enumerate technical requirements. Courts and settlements typically require remediation to WCAG 2.1 AA, ongoing monitoring, staff training, and accessibility statements.
Section 1557 of the Affordable Care Act
Section 1557 prohibits discrimination on the basis of race, color, national origin, sex, age, or disability in any health program or activity that receives federal financial assistance. HHS regulations have extended this to digital programs and patient-facing websites for covered entities.
Who's covered: any practice receiving Medicare or Medicaid reimbursement, plus most hospitals and health systems. In practice, virtually any practice that bills public payers.
What Section 1557 adds beyond ADA: more explicit language about digital health programs (e.g., online patient portals, telehealth platforms), and an OCR enforcement mechanism that operates separately from private ADA litigation.
Practical implication: a practice website that's inaccessible has two layers of risk — private ADA Title III litigation and OCR-led Section 1557 enforcement.
HHS Office for Civil Rights enforcement
OCR enforces Section 1557 administratively. They accept complaints, conduct investigations, and can require remediation as a condition of continued federal funding.
OCR enforcement against website accessibility specifically has been periodic but consistent. The remediation pattern is similar to ADA settlements: WCAG 2.1 AA conformance for public-facing pages, accessibility policy, ongoing monitoring.
What Section 1557 does NOT require
Things this regulation does not require, despite occasional vendor claims:
- WCAG 2.2 AAA. The standard most consistently referenced is WCAG 2.1 AA, not the more stringent 2.2 or AAA.
- Specific technologies. No regulation mandates a specific overlay, scanner, or platform.
- Authentication of every patient. Public-facing pages are in scope; private patient portals are addressed through other regulatory frameworks.
What about HIPAA?
HIPAA addresses protected health information (PHI) and how it's handled, stored, and transmitted. HIPAA is not an accessibility regulation. A site can be perfectly HIPAA compliant and completely inaccessible.
Conversely, an accessibility scanner doesn't make a site HIPAA compliant. We say this explicitly because the question comes up.
State-level rules
A handful of states have enacted explicit digital accessibility requirements for healthcare:
- California: Unruh Act parallels ADA Title III, often cited in California complaints.
- New York: state-level enforcement, particularly active for hospitals.
- Massachusetts, Illinois, Washington, Texas: varying levels of state-level activity.
Multi-state practices need to evaluate the highest-bar state in their footprint.
What this means in practice
For a typical multi-location healthcare practice:
- Scope: every public-facing page is in scope. Patient portal/EHR-integrated pages are out of scope for this discussion (different regulatory framework).
- Standard: WCAG 2.1 AA.
- Monitoring: continuous, with documented logs.
- Remediation timeline: critical issues within 30 days; others within 90.
- Manual audit: annual or biannual.
- Documentation: written policy, accessibility statement on the site, remediation log.
SEO Score API's healthcare vertical is built for the monitoring component specifically. Audit logs are timestamped and exportable.
The accessibility statement
Most healthcare sites should have a public accessibility statement. A good statement:
- States the institution's commitment to accessibility.
- Names the standard (WCAG 2.1 AA).
- Explains how to report accessibility issues (email, phone, form).
- Acknowledges that accessibility is ongoing.
- Is dated and reviewed annually.
The statement itself doesn't fix any issues, but it signals good-faith engagement and is referenced positively in nearly every successful ADA defense we've seen described.
The minimum reasonable program
Three components, mirroring ADA Title III best practice:
- Continuous automated scanning of public-facing pages.
- Annual or biannual manual audit.
- Documented remediation workflow with logs.
Plus, for healthcare specifically:
- Accessibility statement on the site.
- Vendor documentation (VPATs) for material third-party widgets.
What about telehealth platforms?
Telehealth platforms are covered by both ADA and Section 1557 to the extent they're patient-facing. Most major platforms (Doxy, Zoom for Healthcare, Teladoc) have their own accessibility programs. Verify the platform's posture before deploying it; vendor accessibility issues often become your accessibility issues.
What if our practice receives an OCR complaint?
Engage healthcare counsel immediately. OCR investigations are administrative, not litigation, and have specific procedures. Documentation of an existing accessibility program is materially helpful at this stage. The same audit-log evidence that helps in ADA defense helps here too.
How does the SEO Score API help specifically?
We scan public-facing healthcare pages for WCAG 2.1 AA conformance plus SEO and Core Web Vitals. We do not access patient portals or any authenticated content. The audit log is exactly the artifact your compliance team and (if needed) your defense counsel would want.
We do not certify HIPAA compliance, do not certify Section 1557 conformance, and do not provide legal advice. We are a scanning and monitoring tool. That's the right scope; anything else would be vendor over-promising.