
ADA Compliance for Healthcare Websites: When HIPAA Meets Accessibility

The Dual Compliance Burden Healthcare Websites Face

If you run a medical practice, dental office, physical therapy clinic, or any other healthcare business, your website isn't just a marketing tool — it's a patient access point. That means it's subject to not one, but two overlapping federal compliance frameworks:

  • The Americans with Disabilities Act (ADA), which requires your website to be accessible to people with disabilities
  • The Health Insurance Portability and Accountability Act (HIPAA), which governs how you handle protected health information (PHI)

Neither law explicitly says "your website must do X." Both have been interpreted through enforcement actions, court rulings, and agency guidance. And both come with serious financial consequences for violations.

In 2025, healthcare was among the top five industries targeted by ADA website accessibility lawsuits. Meanwhile, the HHS Office for Civil Rights (OCR) issued updated HIPAA digital access guidance in 2024 requiring covered entities to provide accessible patient communication channels.

This guide explains what both standards require from healthcare websites, where they overlap, and how to get compliant without hiring a separate legal team for each regulation.


Who This Applies To

ADA Title III covers "places of public accommodation" — and courts have consistently held that healthcare providers qualify. If you have patients, you have ADA obligations. This includes:

  • Medical and dental practices (all sizes)
  • Mental health and behavioral health providers
  • Physical therapy and rehabilitation clinics
  • Urgent care centers
  • Pharmacies and specialty health retailers
  • Telehealth platforms
  • Health insurance company websites

HIPAA applies to "covered entities" — health plans, healthcare clearinghouses, and healthcare providers who transmit health information electronically. If you bill insurance, HIPAA applies.

The overlap: If you're a covered entity, you're almost certainly also a place of public accommodation. Both laws apply. You can't choose one.


What ADA Requires for Healthcare Websites

The ADA requires your website to be accessible to people with visual, hearing, motor, and cognitive disabilities. The Department of Justice's 2024 final rule established WCAG 2.1 Level AA as the technical standard for state and local government entities, and courts regularly apply the same standard to private healthcare businesses.

High-Priority Accessibility Requirements for Healthcare Sites

1. Patient Portals Must Be Fully Accessible

Patient portals where patients can view test results, request refills, or message providers are held to the highest standard. If a blind patient cannot navigate your portal with a screen reader, that's an ADA violation — and potentially a HIPAA violation if it impairs their access to their own health records.

Common failures: Unlabeled form fields, inaccessible CAPTCHA, PDF lab results with no text alternatives.

2. Appointment Scheduling Systems

Online scheduling widgets (Zocdoc, Acuity, custom-built) must be keyboard-navigable and screen-reader compatible. A user who cannot book an appointment online — and has no accessible alternative — has experienced discrimination under ADA Title III.

Quick test: Try booking an appointment using only your keyboard (no mouse). If you get stuck, so will your patients with motor disabilities.

3. Contact Forms and Communication Channels

Emergency contact forms, prescription refill requests, and general inquiries must be accessible. This includes proper label/input associations, clear error messages, and no time-out sessions that trap users with cognitive or motor disabilities.

4. PDFs and Downloadable Health Documents

Patient intake forms, after-visit summaries, and health education materials are often distributed as PDFs. Scanned or image-based PDFs are completely inaccessible to screen readers. All PDFs must be tagged, structured, and searchable.

2025 data: PDF accessibility failures appear in 64% of healthcare website audits, second only to missing alt text on medical images.

5. Video Content (Telehealth Recordings, Health Education)

Any video content must have accurate captions. Auto-generated captions from YouTube or Zoom don't meet the standard — they must be reviewed and corrected. Audio descriptions are required when video contains meaningful visual information not conveyed by speech.

6. Medical Images and Diagrams

Anatomical diagrams, X-ray images used in patient education, and procedure illustrations need descriptive alt text. "Image of knee anatomy" is not sufficient. A meaningful description serves both screen reader users and patients with cognitive differences who benefit from text reinforcement.


Where HIPAA Comes In

HIPAA doesn't directly regulate website accessibility — but it interacts with ADA in two important ways.

1. Right of Access and Accessible Formats

HIPAA's Privacy Rule gives patients the right to access their own health records. The OCR's 2024 guidance clarified that when a patient requests records in an accessible format (large print, audio, screen-reader-compatible PDF), covered entities must accommodate that request within reason.

If your patient portal is inaccessible and a patient can't retrieve their records independently, you may have a HIPAA right-of-access problem on top of an ADA problem.

2. Online Forms and PHI Security

If you use online contact forms that collect PHI (symptoms, insurance information, appointment details), those forms need to be both:

  • Accessible (ADA): Properly labeled, keyboard-navigable
  • Secure (HIPAA): Transmitted over encrypted connections, stored with appropriate safeguards

Using a standard HTML form that submits to a non-encrypted email inbox violates HIPAA. Using an inaccessible form that screen reader users can't complete violates ADA. You need both.

Compliant options: Secure healthcare form platforms like Jotform HIPAA, FormStack Healthcare, or built-in patient portal messaging — confirmed accessible and encrypted.
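A static check for both requirements in this section, as an added example that is not part of the original article: it flags form fields with no programmatic label (a placeholder alone does not count) and forms whose submission target is not HTTPS. The class and function names, the sample form and the `clinic.example` URL are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

class FormAudit(HTMLParser):
    """Collects label associations and form actions from one HTML page."""
    SKIP = {"hidden", "submit", "button", "reset", "image"}

    def __init__(self):
        super().__init__()
        self.label_for = set()  # ids referenced by <label for="...">
        self.in_label = 0       # depth of currently open <label> elements
        self.fields = []        # (display name, id, already_named)
        self.actions = []       # raw action attribute of every <form>

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self.actions.append(a.get("action") or "")
        elif tag == "label":
            self.in_label += 1
            if a.get("for"):
                self.label_for.add(a["for"])
        elif tag in ("input", "select", "textarea"):
            if (a.get("type") or "text").lower() in self.SKIP:
                return
            named = bool(a.get("aria-label") or a.get("aria-labelledby")) or self.in_label > 0
            self.fields.append((a.get("name") or a.get("id") or tag, a.get("id"), named))

    def handle_endtag(self, tag):
        if tag == "label" and self.in_label:
            self.in_label -= 1

def audit_form(html, page_url):
    """Return (category, message) findings for one page's forms."""
    p = FormAudit()
    p.feed(html)
    findings = [("accessibility", f"field '{name}' has no label")
                for name, fid, named in p.fields
                if not named and fid not in p.label_for]
    for action in p.actions:
        # A relative or empty action inherits the scheme of the page itself.
        scheme = urlparse(action).scheme or urlparse(page_url).scheme
        if scheme != "https":
            findings.append(("transport", f"form submits via '{scheme}:', not https"))
    return findings

# Constructed sample: placeholder-only symptoms field, form posts to a mailbox.
SAMPLE = """<form action="mailto:frontdesk@clinic.example" method="post">
  <label for="dob">Date of birth</label><input id="dob" name="dob">
  <input name="symptoms" placeholder="Describe your symptoms">
  <label>Insurance ID <input name="insurance_id"></label>
</form>"""
```

This only inspects markup and the submission URL; it says nothing about how submitted PHI is stored, and it does not replace keyboard and screen reader testing.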

3. Telehealth Platform Accessibility

If you offer telehealth services, the platform itself must be accessible. Video conferencing interfaces must support keyboard navigation, screen readers, and real-time captioning. HIPAA requires your telehealth platform to have a Business Associate Agreement (BAA). ADA requires it to be accessible. Most major telehealth platforms (Doxy.me, SimplePractice, Zoom for Healthcare) now support both — but verify before signing.


The Legal and Financial Risk Picture

ADA exposure:

  • Serial plaintiffs frequently target healthcare practices, particularly dental offices, physical therapy clinics, and mental health providers
  • Average settlement: $15,000–$50,000 plus attorney's fees
  • California's Unruh Act adds $4,000 per violation — a single inaccessible form field can mean $4,000 in statutory damages before any damages are proven

HIPAA exposure:

  • OCR civil penalties range from $100 to $50,000 per violation category, per year of violation
  • A patient portal that's been inaccessible for three years isn't one violation — it's three years of violations
  • State attorneys general can also enforce HIPAA, creating additional exposure

Combined exposure: A class action involving both ADA and HIPAA claims represents the worst-case scenario for healthcare providers. While rare, these cases have settled for seven figures.

The good news: Proactive compliance is dramatically cheaper. A full accessibility audit for a typical healthcare practice website runs $500–$3,000. Remediation of common issues typically costs $1,000–$5,000 for small practices. That's well under 10% of the cost of a single settlement.


A Healthcare-Specific Accessibility Audit Checklist

Use this checklist to identify your highest-risk areas:

Patient-Facing Functionality

  • [ ] Online appointment booking works with keyboard only
  • [ ] Patient portal login form has proper field labels (not just placeholder text)
  • [ ] Test results and records downloadable as accessible PDFs (not image scans)
  • [ ] Contact/refill request forms have labeled fields and clear error messages
  • [ ] Session timeouts give users warning and option to extend (especially important for slower users)

Content

  • [ ] All medical images have descriptive alt text
  • [ ] Health education videos have accurate captions
  • [ ] Telehealth instructions are available in text format (not video-only)
  • [ ] No medical information presented in color alone (e.g., "red = urgent" requires text label too)

Technical

  • [ ] Color contrast ratio meets 4.5:1 for normal text, 3:1 for large text
  • [ ] All interactive elements keyboard accessible
  • [ ] No keyboard traps in modals or popups (common in appointment widgets)
  • [ ] Online forms transmitted over HTTPS (check for mixed content warnings)

PDFs and Documents

  • [ ] Intake forms are tagged PDFs, not scanned images
  • [ ] After-visit summaries are screen-reader compatible
  • [ ] Downloadable consent forms pass basic PDF accessibility check

Practical Compliance Steps for Healthcare Practices

Step 1: Run an automated scan

Start with CheckMyADA's free scan to identify obvious WCAG 2.1 failures. This gives you a baseline and prioritized list of issues.

Step 2: Audit your patient portal separately

Your patient portal likely requires authentication, so automated scanners can't reach it. Request an accessibility review from your EHR vendor (Epic, athenahealth, Kareo, etc.). Most have accessibility conformance reports available.

Step 3: Fix highest-risk items first

Prioritize: appointment booking, contact forms, patient portal login, and any downloadable forms patients need to complete.

Step 4: Get accessible PDF templates

Replace scanned intake forms with fillable, tagged PDFs. Microsoft Word and Adobe Acrobat both have built-in accessibility checking tools.

Step 5: Document your efforts

Maintain an accessibility statement on your website. Document what you've fixed, when, and your ongoing remediation plan. This documentation is valuable evidence of good faith if a complaint is filed.


Frequently Asked Questions

Does a small private practice have to comply with ADA?

Yes. ADA Title III applies to all "places of public accommodation," and courts have consistently held that medical and healthcare practices qualify — regardless of size. There is no small business exemption.

Is there a HIPAA requirement for website accessibility?

HIPAA doesn't have a specific "accessibility rule," but OCR's 2024 guidance on patient right of access clarifies that covered entities must provide records in accessible formats upon request. If your patient portal is inaccessible and prevents patients from accessing their records, that intersects with HIPAA's right of access provisions.

What if my EHR vendor's patient portal isn't accessible?

You are still responsible for ensuring patient access. Work with your vendor to request accessibility remediation. If they can't or won't provide an accessible portal, you may need to offer an alternative access method (phone, in-office) and document this accommodation. When evaluating EHR vendors, accessibility conformance reports (ACRs) should be part of your RFP process.

Do telehealth video platforms need to be ADA accessible?

Yes. If you offer telehealth, the platform interface used by patients must be accessible. This includes keyboard navigation, screen reader support, and real-time captioning. Most major telehealth platforms have made significant accessibility improvements since 2022 — verify with your vendor's latest ACR.

Can I use an accessibility overlay on my healthcare website?

Overlays (like AccessiBe) don't solve the underlying code problems and have been shown to create new barriers for screen reader users. The FTC fined AccessiBe $1 million in 2024 partially for misleading compliance claims. For healthcare websites, where patients depend on access for their health, overlays are a particularly poor substitute for real remediation. See our full comparison of CheckMyADA vs AccessiBe.


The Bottom Line

Healthcare websites face more compliance pressure than most industries — both from ADA accessibility requirements and HIPAA's patient access obligations. The good news is that fixing real accessibility problems (proper form labels, accessible PDFs, keyboard navigation) simultaneously addresses both regulatory concerns.

The worst outcome is to ignore both. A patient who can't use your portal to access their records, or can't book an appointment online, has both a civil rights claim and potentially a right-of-access complaint. That's expensive territory.

Start with a free scan to understand where you stand, then prioritize fixes based on patient impact and legal exposure.



This article is for informational purposes only and does not constitute legal or medical compliance advice. Consult a qualified attorney for guidance specific to your practice.
