Questions about federal accessibility compliance.

Three federal frameworks govern digital accessibility for the entities AccessMark serves. Each has a distinct coverage definition:

• ADA Title II — state and local government entities, without regard to federal funding status. Governed by 28 CFR §35.200.
• HHS Section 504 — recipients of HHS financial assistance, including hospitals, health plans, federally qualified health centers, state Medicaid programs, and research institutions. Governed by 45 CFR Part 84. The 15-employee threshold determines the compliance date, not coverage.
• CMS Price Transparency — hospitals offering services paid under Medicare, per 45 CFR §180.50.

Read the full coverage breakdown →

WCAG 2.1 Level AA — the June 2018 version published by the W3C — is the standard incorporated by reference in both the DOJ ADA Title II rule and the HHS Section 504 rule. Newer versions (WCAG 2.2, WCAG 3.0 draft) are not the governing standard under current regulation.

WCAG 2.1 AA comprises 50 success criteria across four principles: Perceivable, Operable, Understandable, and Robust. The AccessMark audit tests against all 50, with findings mapped back to the specific criterion for traceability during enforcement review.

A certification documents four things: that the covered digital properties were independently reviewed against WCAG 2.1 AA, that findings were remediated, that retest confirmed post-remediation conformance, and that the entity is enrolled in continuous monitoring for the certification's twelve-month term.

It is a compliance record — the evidentiary document that an entity presents when asked to demonstrate its accessibility posture during an OCR compliance review, a state audit, a procurement evaluation, or litigation discovery. It is not a legal opinion, does not constitute a safe harbor, and does not guarantee immunity from enforcement or private litigation.

Read about the certification phase →

The audit phase runs four to six weeks for a standard public-sector website, and eight to twelve weeks for integrated health systems with patient portals, telehealth platforms, and mobile applications. The duration scales with scope, not with entity size.

Remediation duration depends on findings volume and the entity's development capacity. Entities with in-house engineering teams typically complete remediation in six to ten weeks after audit delivery. Those relying on external vendors take longer.

Certification is issued upon successful retest. Continuous monitoring begins immediately after certification and runs through the twelve-month term.

No. Automated scanners reliably detect between thirty and forty percent of WCAG conformance failures. The remaining majority — including form labeling errors, focus order issues, meaningful link text, accessible names for custom components, and most keyboard navigation failures — require manual inspection.

The AccessMark audit uses automated scanning to establish a floor and manual review to establish the ceiling. Relying on automated tools alone produces a findings report that fails to document the conformance the regulation actually requires. This has become a pattern flagged in recent OCR investigations.

Vendor attestations are a starting point, not a conclusion. Three factors typically prevent a vendor claim from meeting the entity's regulatory obligation:

• Scope mismatch. A vendor may have tested the product in isolation, while the covered entity's deployment includes custom content, branding, integrations, and authenticated flows that fall outside the vendor's test scope.
• Version drift. An attestation reflects the product at a moment in time. Subsequent releases may introduce regressions that the vendor has not retested.
• Obligation flow-down. Under 28 CFR §35.200 and 45 CFR Part 84, the covered entity is the regulated party. A vendor's nonconformance remains the entity's regulatory exposure.

An independent audit of the vendor's product as-deployed within the entity's environment is the standard practice for closing this gap.

The April 2026 DOJ Interim Final Rule extended the compliance dates for web and mobile accessibility under 28 CFR §35.200 by one year. The underlying substantive obligations are unchanged. Three reasons the extension does not reduce the urgency of remediation work:

• Section 504 was not extended. The May 11, 2026 HHS Section 504 date remains legally operative as of this writing. Entities covered by both frameworks — hospitals, health plans, state health agencies — still face the earlier HHS deadline.
• Private right of action is unchanged. Title II creates a private right of action. Plaintiffs file accessibility complaints without waiting for the regulatory compliance date. Attorney-fee exposure under 42 USC §12205 applies regardless of the DOJ rule's timeline.
• Procurement cycles are largely independent. RFPs increasingly require WCAG 2.1 AA attestations. Vendors and public entities with bid pipelines face commercial consequences before any regulatory deadline arrives.

Read the full regulatory update →

Engagements are priced by scope — the number of covered properties, the complexity of authenticated and transactional flows, and the depth of third-party integrations. A standard public-sector website audit, a hospital patient-portal audit, and a health-plan member-portal audit each produce a different scope of work and a different price.

Continuous monitoring is priced separately as an annual subscription tied to the same scope. Pricing is discussed during the initial consultation once the scope is defined.

Request a scoped proposal →