Version: WCAG Edition
Date: June 2026
Product: CarePaths EHR - Institutional
Version Evaluated: 19.11
Vendor: CarePaths, Inc.
Contact: support@carepaths.com
This VPAT was prepared by CarePaths engineering staff through manual code review of HTML structure, form elements, ARIA usage, and JavaScript interaction patterns across the clinician, patient portal, and public-facing interfaces of CarePaths EHR. Evaluation included review of rendered ERB templates, inline HTML within Ruby presenters, and JavaScript event handling.
Evaluation scope: Public/unauthenticated pages (sign-in, sign-up, password reset), patient portal (member-role interface), and staff/clinician interface.
Testing methods used:
Testing not performed:
Organizations requiring independent third-party audit or AT-assisted testing should contact CarePaths to discuss a more comprehensive evaluation engagement.
This report covers the following standards/guidelines:
| Standard / Guideline | Included in Report |
|---|---|
| Web Content Accessibility Guidelines 2.1, Level A and Level AA | Yes |
The following terms are used throughout this document:
| Term | Definition |
|---|---|
| Supports | The functionality of the product has at least one method that meets the criterion without known defects or meets with equivalent facilitation. |
| Partially Supports | Some functionality of the product does not meet the criterion. |
| Does Not Support | The majority of product functionality does not meet the criterion. |
| Not Applicable | The criterion is not relevant to the product. |
| Not Evaluated | The product has not been evaluated against the criterion. This can only be used in WCAG 2.x Level AAA. |
| Criteria | Conformance Level | Remarks and Explanations |
|---|---|---|
| 1.1.1 Non-text Content | Partially Supports | Most images rendered via Rails image_tag helper include descriptive alt text (e.g., page illustrations, the CarePaths logo). Several images in clinical, claims, and patient dashboard views are missing alt attributes — including alert icons, insurance card thumbnails, and a welcome illustration. These require alt attributes or alt="" for decorative images. |
| 1.2.1 Audio-only and Video-only (Prerecorded) | Not Applicable | CarePaths EHR does not include prerecorded audio-only or video-only content in the evaluated interfaces. Teletherapy sessions are live video and not subject to this criterion. |
| 1.2.2 Captions (Prerecorded) | Not Applicable | No prerecorded video with audio is present in the evaluated scope. |
| 1.2.3 Audio Description or Media Alternative (Prerecorded) | Not Applicable | No prerecorded synchronized media present in evaluated scope. |
| 1.3.1 Info and Relationships | Partially Supports | Public sign-up, sign-in, and password reset forms use properly associated <label> elements with for/id pairing, aria-required, and autocomplete attributes. Navigation uses role="navigation". Page content is wrapped in <main id="main-content">. Data tables include <th scope="col"> and <caption> elements where audited. Clinical form fields throughout the document editing interface historically used <strong> elements for visual labels without programmatic association — fixed in July 2026 to use <label for="service_data_q{n}"> for all editable and pending-status form items. The signature password field also lacked a label — fixed with an sr-only label. Remaining: complex clinical forms (grouped checkboxes, radio lists) may benefit from additional <fieldset>/<legend> grouping. |
| 1.3.2 Meaningful Sequence | Supports | Page content follows a logical reading order consistent with the visual layout. No CSS-only reordering or floating that would disrupt sequence was identified in the evaluated flows. |
| 1.3.3 Sensory Characteristics | Partially Supports | Some inline instructional text and status messages reference visual position or color cues without programmatic alternatives. Form validation errors in the sign-up flow reference “highlighted” fields without naming the specific field. |
| 1.4.1 Use of Color | Partially Supports | Form field error states in the sign-up flow appear to rely on the jQuery Validation plugin’s default red border highlight without an additional non-color indicator (e.g., icon or text prefix). Other status indicators have not been fully evaluated. |
| 1.4.2 Audio Control | Not Applicable | No audio plays automatically in the evaluated interface. |
| 2.1.1 Keyboard | Partially Supports | Native form elements (inputs, buttons, links with href) are keyboard accessible throughout. Remediated: patient dashboard table rows converted to <a> links; accordion widgets use <button> with Escape key support; mobile navbar toggle converted to <button>; the patient chart Quick Add modal fully rewritten to use <button> elements for all interactive items (close, menu items, service items, flag items, show-more toggle), with keyboard focus trap and Escape key support. Sign-information tooltip rewritten to respond to focus/blur in addition to mouse events. Remaining: complex custom interactions not yet individually audited. |
| 2.1.2 No Keyboard Trap | Supports | No keyboard traps were identified. Modal dialogs close without permanently trapping focus, though focus management after modal close is not fully implemented (see 2.4.3). |
| 2.2.1 Timing Adjustable | Not Applicable | No time limits are set on the content or interactions in the evaluated scope. |
| 2.2.2 Pause, Stop, Hide | Not Applicable | No auto-updating, moving, or auto-advancing content was identified in the evaluated scope. |
| 2.3.1 Three Flashes or Below Threshold | Supports | No flashing content was identified in the evaluated interface. |
| 2.4.1 Bypass Blocks | Does Not Support | No skip navigation link is provided. The page layout does not include a <main> landmark element, so assistive technology landmark-based navigation cannot bypass the header and navigation to reach main content directly. |
| 2.4.2 Page Titled | Supports | All pages have descriptive <title> elements. Public pages include the specific action (e.g., “Acme Therapy Sign In”). Authenticated pages include the feature section and practice name (e.g., “Clinical Document | Acme Therapy”, “Patient Chart | Acme Therapy”) derived from the URL path without ever including patient-identifying information. A duplicate <title> rendering defect in the layout was also fixed. |
| 2.4.3 Focus Order | Partially Supports | DOM order is generally consistent with visual layout, providing a logical tab sequence through forms and navigation. Modal dialogs do not return programmatic focus to the triggering element after close, and do not implement a focus trap during open state. |
| 2.4.4 Link Purpose (In Context) | Partially Supports | Most links have clear descriptive text. Issues identified: “Need help?” links on signup and signin lead to the password reset page, which may be confusing. Multiple links open in new tabs/windows without informing the user. Icon-only links in the header and navigation lack accessible names. |
| 3.1.1 Language of Page | Supports | The root <html> element includes lang="en". |
| 3.2.1 On Focus | Supports | No unexpected context changes are triggered on focus events in the evaluated flows. |
| 3.2.2 On Input | Supports | No automatic context changes occur on data entry. Form submission is initiated by explicit user action (button click or Enter key). |
| 3.3.1 Error Identification | Partially Supports | Client-side validation on the sign-up form identifies errors and shows a count with a general message (“You missed N fields. They have been highlighted”). However, the error container lacks role="alert" or aria-live, so errors are not announced to screen reader users. The sign-in form posts errors to a #status div with no ARIA live region. Specific field names are not always identified in error messages. |
| 3.3.2 Labels or Instructions | Partially Supports | Sign-up form fields have visible, associated labels generated via Rails label helpers. Sign-in, password reset, and certain other forms use placeholder text as the sole label, which disappears on input and does not satisfy this criterion. The EULA checkbox adjacent text is not programmatically associated as a label. |
| 4.1.1 Parsing | Partially Supports | HTML is generated server-side via ERB and Rails helpers which produce well-formed markup. Duplicate IDs were found in the patient chart header: genderDisplay, pronounDisplay, ageDisplay, dobDisplay each appeared twice (once in the full header, once in the collapsed view). Fixed in July 2026 by converting these to class selectors. CSS-hidden honeypot inputs (anti-autocomplete) were accessible to screen readers — fixed by adding aria-hidden="true" and tabindex="-1". Remaining: a systematic duplicate-ID scan across all views has not been performed. |
| 4.1.2 Name, Role, Value | Partially Supports | Native HTML form elements convey name, role, and value correctly. Remediated: accordion buttons have aria-expanded and aria-controls; mobile navbar toggle has aria-label, aria-expanded, aria-controls; icon-only Font Awesome elements are marked aria-hidden="true". Patient chart Quick Add modal rewritten with role="dialog", aria-modal="true", aria-labelledby. Bootstrap 3 tab widgets now receive role="tab", aria-selected, aria-controls, and aria-labelledby via a global JS enhancement. Signature info tooltip has role="button", aria-label, aria-expanded. Remaining: a comprehensive audit of all dynamic widgets has not been completed. |
| Criteria | Conformance Level | Remarks and Explanations |
|---|---|---|
| 1.2.4 Captions (Live) | Not Evaluated | CarePaths EHR includes a live teletherapy video feature. Captioning capability for live sessions has not been evaluated against this criterion. Real-time captioning is not currently provided within the application. |
| 1.2.5 Audio Description (Prerecorded) | Not Applicable | No prerecorded synchronized media with audio in evaluated scope. |
| 1.3.4 Orientation | Supports | No content was identified that restricts display to a single orientation. |
| 1.3.5 Identify Input Purpose | Partially Supports | Password fields on the sign-up form include autocomplete="new-password". Personal information fields (first name, last name, email, username) do not include WCAG-defined autocomplete attributes (e.g., autocomplete="given-name", autocomplete="email"). |
| 1.4.3 Contrast (Minimum) | Not Evaluated | Color contrast was not verified with automated tooling or measurement. Code review identified the use of color: #999 for small separator text (12px), which is at or near the AA threshold for normal-sized text. Placeholder text contrast is not evaluated. A full contrast audit using tools such as the Colour Contrast Analyser is recommended before asserting conformance. |
| 1.4.4 Resize Text | Not Evaluated | Text resize behavior at 200% zoom was not tested. The application uses Bootstrap’s responsive grid; significant text reflow or overlap issues are not expected but have not been confirmed. |
| 1.4.5 Images of Text | Supports | Text content is rendered as HTML text, not as images. Logos are the only identified image-of-text use, which is a permitted exception under this criterion. |
| 1.4.10 Reflow | Not Evaluated | Responsive behavior at 320px equivalent width was not tested. |
| 1.4.11 Non-text Contrast | Not Evaluated | Icon and UI component contrast against adjacent colors was not measured. Font Awesome icons used in form input groups (fa-user, fa-lock, fa-envelope) are visual indicators whose contrast has not been assessed. |
| 1.4.12 Text Spacing | Not Evaluated | Behavior when letter-spacing, word-spacing, line-height, and paragraph spacing overrides are applied has not been tested. |
| 1.4.13 Content on Hover or Focus | Not Evaluated | Tooltip and hover content patterns (Bootstrap tooltips/popovers) have not been assessed for this criterion. |
| 2.4.5 Multiple Ways | Partially Supports | Navigation is provided via the application’s menu structure. In-app search functionality and a site map or index are not present in all interfaces. Patient-facing and staff interfaces rely on menu navigation and role-specific dashboards without an alternative navigation path (e.g., search). |
| 2.4.6 Headings and Labels | Partially Supports | Page sections use heading elements. A complete heading hierarchy audit was not performed, and heading level skipping may occur in some views. Form labels on the sign-up page are descriptive. Sign-in form labels are absent (placeholder only). |
| 2.4.7 Focus Visible | Partially Supports | Focus visibility relies on browser default outlines. No application-level focus styles were identified in the reviewed CSS. Some browsers’ default focus indicators may be insufficient for WCAG AA, particularly in interfaces with custom styling that suppresses outlines. |
| 3.1.2 Language of Parts | Not Applicable | The application is English-only. No multilingual content was identified that would require lang attribute changes at the element level. |
| 3.2.3 Consistent Navigation | Supports | Navigation structure is consistent across pages within each role context (staff, patient, public). |
| 3.2.4 Consistent Identification | Supports | Components used across multiple pages (sign-in button, navigation icons, form helpers) maintain consistent labels and roles across views. |
| 3.3.3 Error Suggestion | Does Not Support | Form validation error messages identify problems but do not provide suggestions for resolution. For example, password validation failure does not indicate the specific rule violated or how to fix it. |
| 3.3.4 Error Prevention (Legal, Financial, Binding) | Partially Supports | The application handles clinical and financial data. Patient record updates and billing operations use confirmation dialogs in some areas. A comprehensive review of all legal, financial, and data-entry flows for reversibility, confirmability, and correctability has not been performed. |
| 4.1.3 Status Messages | Partially Supports | Sign-in error container has role="alert" aria-live="assertive"; sign-up status container has role="status" aria-live="polite"; clinical form error wells now have role="alert" aria-live="assertive" aria-atomic="true". Remaining: WebSocket toast messages displayed via $cp.status() are not ARIA live regions and will not be announced to screen readers. A targeted fix for the toast notification system is required to fully satisfy this criterion. |
Date: July 2026
Guidelines/Specifications: Web Content Accessibility Guidelines 2.1
Conformance Level: This product does not currently conform to WCAG 2.1 Level AA.
CarePaths EHR has addressed the majority of Level A and Level AA issues identified in the initial audit. Remaining gaps — primarily unconfirmed color contrast, live video captioning, and clinical-interface forms not yet individually audited — prevent a full conformance claim at this time.
The following issues have been resolved:
| Issue | Criterion | Resolution |
|---|---|---|
Sign-in and password reset forms had no <label> elements |
1.3.1, 3.3.2 | Added visually-hidden labels with correct for/id; added aria-required and autocomplete attributes |
No skip navigation link; no <main> landmark |
2.4.1 | Added skip-to-main link; wrapped workspace in <main id="main-content"> |
| Footer had no landmark | 1.3.1 | Converted .footer div to <footer role="contentinfo"> |
| Form error and status messages not announced to screen readers | 3.3.1, 4.1.3 | Added role="alert" aria-live="assertive" to error containers; role="status" aria-live="polite" to status spans |
Patient dashboard table rows used onclick (keyboard inaccessible) |
2.1.1 | Replaced with <a href> links; added <thead scope="col"> and <caption> |
Accordion widgets lacked aria-expanded and aria-controls |
4.1.2 | Added aria-expanded, aria-controls, unique panel IDs, Escape key handler, and visible focus style |
Mobile navbar toggle was an inaccessible <div> |
2.1.1, 4.1.2 | Replaced with <button aria-label aria-expanded aria-controls> |
| Font Awesome icons in form groups had no accessible name | 4.1.2 | Marked aria-hidden="true"; label now provides the accessible name |
target="_blank" links gave no screen-reader warning |
2.4.4 | Global JS appends SR-only “(opens in new tab)” to all such links; adds rel="noopener noreferrer" |
Password label had wrong for attribute |
1.3.1 | Corrected to match actual input id |
| EULA checkbox text was not associated as a label | 1.3.1, 3.3.2 | Wrapped in <label for="user_eula_acceptance"> |
| Missing alt text on several images | 1.1.1 | Added descriptive alt to teletherapy welcome image and CP Connect screenshot; alt="" aria-hidden="true" on decorative alert icons |
Personal-data fields lacked autocomplete |
1.3.5 | Added autocomplete to all personal-data fields (given-name, family-name, email, username) |
Clinical form fields used <strong> for labels |
1.3.1, 3.3.2 | Changed sanitized_label call sites in Documents::Renderer to produce <label for="service_data_q{n}"> for all editable and pending-mode form items |
| Signature password field had no label | 1.3.1, 3.3.2 | Added sr-only label via label_tag in sig_pass_field |
| Patient chart Quick Add modal not keyboard accessible | 2.1.1, 4.1.2 | Rewrote modal: added role="dialog", aria-modal, aria-labelledby; converted all <div onclick> and <span onclick> to <button> elements; added keyboard focus trap and Escape key handler |
| Duplicate IDs in patient header | 4.1.1 | Converted id="genderDisplay/pronounDisplay/ageDisplay/dobDisplay" to class selectors; updated JS to use querySelectorAll so both full and collapsed headers update on quick-edit |
| CSS-hidden honeypot inputs visible to screen readers | 4.1.1 | Added aria-hidden="true" and tabindex="-1" to all anti-autocomplete stub inputs |
Two <title> elements in layout head; generic title for authenticated views |
2.4.2, 4.1.1 | Removed premature <%= html_window_title %> call; authenticated pages now derive a descriptive section label from URL path segments (e.g., “Clinical Document”, “Patient Chart”, “Scheduling”) combined with the practice name — no patient data ever appears in the title |
| Bootstrap 3 tabs lacked ARIA roles | 4.1.2 | Added global JS in layout: assigns role="tab", aria-selected, aria-controls, aria-labelledby to all tab widgets on DOMContentLoaded and keeps aria-selected in sync on tab change |
| Clinical form error container lacked live region | 4.1.3 | Added role="alert" aria-live="assertive" aria-atomic="true" to .error.well divs |
| Sig-info tooltip mouse-only | 2.1.1 | Added focus/blur handlers and keyboard activation (Enter/Space) to signature info icon; added role="button", aria-label, aria-expanded |
$cp.status() toast messages are not in an ARIA live region<fieldset>/<legend> groupingRemediation status: All critical Level A issues and the majority of Level AA issues identified in the June 2026 audit have been resolved.
Testing limitation: This VPAT is based on code review. Third-party testing with assistive technologies (NVDA, JAWS, VoiceOver) and automated scanning (axe, WAVE) has not been completed. Results may differ when AT-assisted testing is performed.
Scope note: The staff/clinician interface comprises a large and complex application with hundreds of views. This evaluation focused on common workflows (authentication, dashboard, patient records) and may not reflect the accessibility of all features.
This document was prepared by CarePaths engineering staff using the VPAT 2.4 template published by the Information Technology Industry Council (ITI). VPAT is a registered trademark of ITI.