$35K–$55K , time-and-materials with a not-to-exceed cap. Compact tier: $35K–$42K (single portal surface, single BAA) Standard tier: $42K–$48K (multi-flow portal, EHR integration in scope) Complex tier: $48K–$55K (multi-locale, telehealth, or AI-mediated feature) We invoice hours actually worked, never more than the cap. PHI-aware engagement controls are included in the cap; they are not an add-on line item.

Healthcare-vertical engagement

A WCAG 2.2 AA audit of your patient portal. Run under PHI-aware doctrine.

Four to six weeks. BAA before any access. Findings calibrated to OCR enforcement themes — Section 1557, the 2024 HHS web accessibility rule, ADA Title II / III. Designed for portals under enforcement scrutiny, EHR-integration releases, and payer-portal procurement deadlines.

Schedule a 30-min scoping call

Read a sample report

$35,000–$55,000 Four to six weeks · T&M with cap · BAA before access

Patient portals are where a11y findings, PHI handling, and OCR enforcement collide.

A patient portal landed an OCR complaint. Or your health system is releasing a new MyChart-shape surface, or migrating off one. Or a payer portal RFP just asked for your accessibility posture and the deadline is real. The surface in question carries protected health information, serves cohorts with vision, motor, cognitive, and auditory impairments at higher base rates than the general population, and is governed by an enforcement regime — Section 1557 effective communication, the 2024 HHS web accessibility rule, ADA Title II / III, and OCR investigative authority — that is more aggressive than the procurement context most a11y firms are calibrated to.

The market response is uneven. Generic a11y firms run an axe-core dump and refuse to touch PHI; some will not sign a BAA at all. Some healthcare consultancies will sign the BAA but their accessibility methodology is shallow — interviews, not engineering judgment, no component file:line citation. Either way, the artifact you receive is not the artifact your privacy officer, patient-experience lead, and counsel can all act on at the same time.

G1 is the patient-portal a11y audit run from healthcare-credentialed engineering doctrine. The same operator who built HELiX — our open-source healthcare component library shipping at WCAG 2.1 AA — leads the audit. The BAA is countersigned through Clarity House LLC before any access. Recordings are captured, redacted, and stored under PHI-aware engineering controls. Findings cite WCAG 2.2 SC, component file:line, and where the fix touches a HIPAA-sensitive flow. The executive summary is calibrated to OCR enforcement themes. The deliverable is one report your privacy officer, patient-experience lead, engineering team, and counsel can act on without a translation pass.

WCAG 2.2 AA findings — patient-portal calibrated

Findings cite the specific WCAG 2.2 success criterion, the page or template, the element, and (where the consumer is built on a known component library) the component file:line. Calibrated to the surfaces patient cohorts actually use — login, dashboard, lab results, secure messaging, scheduling, telehealth entry — and to the OCR enforcement themes attached to those surfaces.
Severity-rated remediation roadmap

Findings ranked by severity (blocker / serious / moderate / cosmetic), ordered for sequenced remediation, sized in engineering effort, and tagged where the fix touches a HIPAA-sensitive flow versus a non-PHI flow. Slottable into a sprint without a translation pass.
PHI-aware assistive-tech matrix evidence

Screen-reader, keyboard-only, zoom, and (where in scope) speech-input evidence captured against the patient-portal surface. NVDA / JAWS / VoiceOver / TalkBack as scoped. Recordings captured, redacted, and stored under PHI-aware engineering controls — per-recording consent, PHI scrub on persistence, encrypted at rest, accessible only to the engagement principal and BST internal counsel.
Executive summary — OCR-calibrated

One page, plain language, calibrated to the OCR enforcement themes attached to patient-facing surfaces — Section 1557 effective communication framing, ADA Title II / III where applicable, and the 2024 HHS web accessibility rule for covered entities. Counsel-readable, board-readable, privacy-officer-readable.
Signed audit report

Signed under principal-engineer attestation through Clarity House LLC. The artifact your counterparty receives. Note: this is principal-engineer attestation, not the regulatory third-party-assessor designation; we will tell you up front when your enforcement context requires the latter.
90-minute findings walkthrough

Engineering, design, patient-experience lead, privacy officer, and (where present) counsel attend; we walk every finding with the BST principal who did the work. Questions answered, follow-up scope identified, BAA chain implications surfaced.

Process

How it works

BAA & Access
Week 1

Deliverable Executed BAA, access provisioned under PHI-aware engineering controls

Business Associate Agreement executed through Clarity House LLC before any PHI access. Engagement environment stood up — encrypted recording storage, PHI scrub on persistence, per-recording consent capture for assistive-tech matrix evidence, audit-log retention. Scope locked: surfaces in audit boundary, EHR integration scope, locale coverage, AI-mediated features in scope. We do not begin technical work until the BAA is countersigned and the engagement environment is verified.
Audit pass
Weeks 2–3

Deliverable WCAG 2.2 AA findings against the scoped patient-portal surface

Every page or template walked against WCAG 2.2 AA, with assistive-tech evidence captured under PHI-aware doctrine. axe-core and Pa11y are part of the toolchain; they are not the audit. The audit is engineering judgment applied to a patient-facing surface, with OCR enforcement themes and HIPAA-sensitive-flow tagging running in parallel.
Severity & roadmap
Weeks 3–4

Deliverable Severity-rated findings, remediation roadmap, executive summary draft

Findings rated and sequenced. Roadmap drafted with engineering effort sized per finding and PHI-touching flows tagged. Executive summary calibrated to OCR enforcement themes — Section 1557 effective communication, the 2024 HHS web accessibility rule, ADA Title II / III as applicable. Internal QA pass before the report goes out.
Walkthrough & delivery
Weeks 4–6

Deliverable Walkthrough call + signed report + evidence destruction certificate

Walkthrough with engineering, design, patient-experience lead, privacy officer, and (where present) counsel. Revisions incorporated. Signed report delivered under principal-engineer attestation. Recorded evidence destroyed per BAA / engagement protocols, with destruction certificate provided.

$35,000 – $55,000 Four to six weeks · T&M with cap · BAA before any PHI access

Engagement model Time & materials with not-to-exceed cap

Compact tier (single patient-portal surface, single locale, single integration boundary, single BAA in scope) lands at $35K–$42K / 4 weeks. Standard tier (multi-flow portal — dashboard, lab results, secure messaging, scheduling — with EHR integration in the audit boundary) lands at $42K–$48K / 4–5 weeks. Complex tier (multi-locale portal, telehealth surface in scope, or AI-mediated feature on the portal — e.g. visit-note summarization or symptom-checker — folded into the audit) lands at $48K–$55K / 5–6 weeks. Time-and-materials with a not-to-exceed cap. PHI-aware engagement controls — BAA execution, encrypted recording storage, PHI scrub on persistence, per-recording consent capture, evidence destruction certificate at close — are included in the cap, not an add-on line item.

Request a scoping call

Anchor pricing reflects typical engagement ranges. Actual fees are scoped per engagement under time-and-materials with a not-to-exceed cap. Pricing shown does not constitute a binding offer.

FAQ

Frequently asked questions

How long does this take?

Four to six weeks from executed BAA to delivered report, depending on tier. Compact tier (single portal surface, single integration boundary) ships in four weeks; complex tier with multi-locale, telehealth, or AI-mediated features extends to six.

What does this cost?

$35K–$55K, time-and-materials with a not-to-exceed cap.

Compact tier: $35K–$42K (single portal surface, single BAA)
Standard tier: $42K–$48K (multi-flow portal, EHR integration in scope)
Complex tier: $48K–$55K (multi-locale, telehealth, or AI-mediated feature)

We invoice hours actually worked, never more than the cap. PHI-aware engagement controls are included in the cap; they are not an add-on line item.

Do you sign a BAA?

Yes — through Clarity House LLC, before any PHI access. The BAA is a precondition of the G1 sub-product, not an add-on. We do not begin technical work until the BAA is countersigned. We do not run G1 without a BAA in place. Non-PHI single properties route to A1 instead.

How is this different from A1?

A1 is the WCAG 2.2 AA audit for a non-PHI single property. G1 runs under PHI-aware doctrine:

BAA executed before access
Encrypted recording storage with PHI scrub on persistence
Per-recording consent for assistive-tech matrix evidence
Evidence destruction certificate at close

The audit methodology is the same; the engagement protocols, evidence handling, and OCR-calibrated findings framing are different. Patient-portal surfaces should be scoped under G1, not A1.

How is this different from a Healthcare AI Compliance Review?

Different audits, complementary scopes. The Healthcare AI Compliance Review is HIPAA-shaped — Security Rule technical safeguards, BAA chain review, FDA SaMD screening, agentic-attack threat surface. G1 is WCAG-shaped — accessibility findings calibrated to OCR a11y enforcement themes. Most healthcare buyers run them together when the same release needs both signatures. The PHI-aware engagement infrastructure is shared.

Will the report stand up under counsel and OCR scrutiny?

Yes. Findings cite WCAG 2.2 SC, page, element, and component file:line. The executive summary is calibrated to OCR enforcement themes — Section 1557 effective communication, the 2024 HHS web accessibility rule, ADA Title II / III where applicable. The report is signed under principal-engineer attestation through Clarity House LLC. Counsel-defensible, OCR-calibrated, engineer-actionable.

What if you find a reportable breach indicator while auditing?

We stop the audit, escalate to your privacy officer immediately, and document with timestamp and chain-of-custody. The 60-day clock under 45 CFR 164.404 is your privacy officer’s call to act on; our role is to surface the indicator quickly and preserve evidence integrity.

Will you do the remediation work too?

Yes, on a separate SOW. Many clients run G1 as a discovery engagement and fund remediation against the prioritized roadmap, then bring BST back for closeout re-audit. Where the surface is also slated for HIPAA / SaMD review under the Healthcare AI Compliance Review, we typically run remediation across both lenses simultaneously.

What if the portal embeds an AI feature — visit-note summary, symptom checker?

The AI-mediated feature stays in the WCAG audit boundary; we evaluate its accessibility under WCAG 2.2 AA like any other surface element. The HIPAA / BAA / SaMD scrutiny of the AI feature is a Healthcare AI Compliance Review concern. Most buyers in this position run G1 + the Compliance Review together; the engagements share infrastructure and we cap the bundle. For the deeper agentic-attack lens, see the AI Security Review.

Are you a third-party assessor?

BST is an engineering audit firm; we sign deliverables under principal-engineer attestation through Clarity House LLC. Where federal contracting or healthcare insurance procurement requires a regulatory third-party assessor in the strict sense, we can recommend a complementary firm and coordinate.

Ready to audit the portal under doctrine that respects what it carries?

Four to six weeks. BAA before any access. Findings calibrated to OCR enforcement themes. Signed under principal-engineer attestation.

Schedule a 30-min scoping call

Talk to a principal first

A WCAG 2.2 AA audit of your patient portal. Run under PHI-aware doctrine.

Patient portals are where a11y findings, PHI handling, and OCR enforcement collide.

What you get

WCAG 2.2 AA findings — patient-portal calibrated

Severity-rated remediation roadmap

PHI-aware assistive-tech matrix evidence

Executive summary — OCR-calibrated

Signed audit report

90-minute findings walkthrough

How it works

BAA & Access

Audit pass

Severity & roadmap

Walkthrough & delivery

Pricing

Frequently asked questions

Often combined with

Healthcare AI Compliance Review

Single Property Accessibility Audit (A1)

Ready to audit the portal under doctrine that respects what it carries?