Private Hospitals

Health data and accessibility: KVKK Article 6 and WCAG 2.2 on a single platform.

Explicit consent for special-category health data and accessibility for patients with disabilities on your online appointment, patient portal and doctor profile pages are now managed with the same embed code. Deadline 21 June 2026.

Free site scan Request a hospital demo

Legal basis: Presidential Circular 2025/10 (Official Gazette 32933) · Law No. 5378 · KVKK Article 6 · WCAG 2.2 A

The sector's four critical problems

Why do hospital websites carry high risk?

In terms of cookie and accessibility compliance, the health sector faces two overlapping legal obligations: KVKK Article 6 special-category data and the Circular 2025/10 accessibility requirement.

KVKK Article 6: Special-Category Health Data

The online appointment form, test result page or patient portal login screen are moments where the visitor comes into contact with health data. On these pages, any analytics or marketing script collected via cookies that runs without explicit consent creates a risk of aggravated penalties under KVKK Article 6. A standard general privacy notice is not considered sufficient.

Explicit consent: must be separate, freely given, specific and informed
The consent log must be recorded with a timestamp before appointment confirmation
The burden of proof lies with the data controller; if the log is deleted, the penalty can double

Online Appointment Accessibility

A patient who is visually impaired or has motor difficulties must be able to book an appointment independently. A calendar widget that can't be navigated by keyboard, a mouse-focused doctor selection list and silent form errors create WCAG 2.1.1 and 4.1.2 violations. If the module belongs to an external provider, the responsibility still stays with the hospital.

A calendar module without keyboard access is a critical violation (WCAG 2.1.1)
If error messages are shown by color only, the screen reader can't detect them
The violation report can be used as a vendor brief, requesting changes

Patient Portal and Test Results

Lab results and imaging reports are mostly provided as untagged PDFs. Color-only value coding (high/normal/low red-green) falls under a WCAG 1.4.1 violation. Without header labels in tables, the screen reader reads the values in a meaningless order.

A violation report is needed to request results in tagged PDF or HTML format
Alongside a color-only indicator, an icon or text description is required
The cerez.io report serves as a technical brief for the HIS update

Accessibility Statement Requirement

Organizations covered by Circular 2025/10 are required to publish an up-to-date accessibility statement on their websites. The statement must include the compliance level, known shortcomings and a feedback channel for users with disabilities. A missing or outdated statement is a direct cause for penalty.

The cerez.io statement generator fills in the Circular format automatically
A footer link and feedback channel are included
When the scan result is updated, the statement version is updated too

Product mapping

Two layers specific to hospitals.

The cookie consent layer produces the KVKK Article 6 log; the accessibility layer measures WCAG 2.2 violations and provides assistive tools for patients with disabilities. The two come with a single embed code.

Explicit consent and proof log on health pages.

Users visiting the appointment form, patient login or test result page receive a separate category notice in line with Article 6 requirements. Consent is recorded with a timestamp; it meets the burden of proof in an audit. Analytics and marketing scripts don't run before approval.

Separate, explicit and revocable consent on pages that touch health data
A timestamped consent log, stored in a Turkey data center
Integrated with Google Consent Mode v2 and IAB TCF 2.3

Try the cookie scanner

hastaneniz.com.tr

Manage your cookie preferencesHealthcare pages fall under special-category data.

Necessary

Analytics

Marketing

Save selectionReject all

A patient with a disability must be able to book an appointment independently.

Elderly, visually impaired or motor-impaired patient profiles access assistive tools on appointment, result and information pages: screen reader, magnifier, high contrast, stop animations, seizure-safe mode. In the background, a real WCAG 2.2 scanner prioritizes violations and generates an EAA statement.

10+ ready-made profiles including elderly patient, seizure safe and visually impaired
0-100 WCAG 2.2 compliance score + prioritized violation report
An accessibility statement in the Circular format, ready for the footer

Create an accessibility statement

hastaneniz.com.tr

Accessibility menu

Elderly profile

Contrast +

Enlarge text

Seizure safe

Honest positioning

Overlay tools don't protect your hospital.

Tools that claim "instant compliance" with a single-line script neither produce a KVKK Article 6 consent log nor actually measure WCAG violations. For hospitals, that difference means legal risk.

Overlay / plugin approach

One script, big promise, empty proof.

Doesn't produce an explicit consent log specific to health pages
Does it count WCAG violations? No report is visible
No document can be presented in an audit or Ministry inspection
Cookies and accessibility as separate tools, separate invoices

"We added a script, so the site became compliant for people with disabilities" doesn't hold up legally.

cerez.io approach

Measurable compliance, real documentation, a single platform.

A timestamped consent log in the KVKK Article 6 format
A real WCAG 2.2 scan: 0-100 score and violation report
An accessibility statement generator in the Circular format
Consent logs in a Turkey data center, KVKK compliant

We say it plainly: full compliance requires source code fixes. We produce the evidence and shorten the path.

Real scan output

A measurable violation report for appointments and the patient portal.

The WCAG 2.2 scanner analyzes hospital pages and prioritizes critical violations. The table below shows a sample output.

0/ 100 compliance score

WCAG 2.2 A/AA · 18 pages scanned

Appointments + portal + doctor profiles

Average +11 points after the widget

Hospital violation examplesSample findings

Critical The appointment calendar can't be accessed by keyboardDate selection is mouse-focused, no Tab navigation · WCAG 2.1.1 Vendor brief

Critical Form error message is color-onlyRequired field shown in red, no text description · WCAG 1.4.1 Guide

Serious Doctor photos without alt text12 images are not read by the screen reader · WCAG 1.1.1 AI suggestion

Serious Test PDF is untaggedLab result PDF is unstructured · WCAG 1.3.1 Guide

Moderate Mobile touch target is smallDoctor card button is 20x20 px, minimum 24x24 required · WCAG 2.5.5 Auto-fix

Automated scanning catches a significant portion of violations; full WCAG compliance requires source code fixes and manual review. If the appointment module belongs to an external provider, our violation report can be used as a vendor brief. AI alt-text suggestions require human review.

Legal framework

Overlapping obligations for private hospitals.

Two separate legal obligations can collide on the same web page. Both require documentation, logging and transparency.

Scope of KVKK Article 6

Health data is considered special-category personal data
Explicit consent: separate, freely given, informed
The burden of proof lies with the data controller
In a violation, twice the standard penalty can be applied
Deleting the consent log constitutes an independent violation

Scope of Circular 2025/10

All private hospitals are in the one-year compliance group
Deadline: 21 June 2026
Standard: WCAG 2.2 Level A
Statement required: footer link and feedback channel
5.000-25.000 TL administrative fine (annual cap 500.000 TL)

Roadmap

Starting compliance in 5 steps.

Typical steps a private hospital starting from scratch can take before 21 June 2026.

Free scan of the homepage and appointment module

Public pages and the online appointment entry flow are scanned. The first Critical/Serious violation report arrives as a PDF. The appointment vendor is briefed.

Widget integration (5 minutes)

A single-line script is added to the hospital site. Elderly, visually impaired and seizure-safe profiles become active immediately. The existing HIS interface is not broken.

KVKK explicit consent banner setup for health pages

A separate consent category under Article 6 is added to the appointment form and patient portal pages. The consent log is recorded with a timestamp on a Turkey server.

Publishing the accessibility statement

The statement generator fills in the Circular format automatically; a footer link and feedback channel are included. The Patient Rights Unit contact details are added to the statement.

Continuous scanning and logo application

The score is monitored with weekly or monthly automatic scanning. Once WCAG A is met, you can apply for the Ministry of Family and Social Services accessibility logo.

Recommended plan

The right package for your hospital.

Pro Package for a single hospital; Enterprise for a hospital chain or hospital group.

SINGLE HOSPITAL

Pro Package

Cookie Pro + Accessibility Pro. TCF 2.3, EAA statement, weekly scan, Turkish support.

KVKK Article 6 consent log
WCAG 2.2 weekly scan
Accessibility statement + 10+ profiles

See pricing

HOSPITAL GROUP

Enterprise

Unlimited domains, SLA, dedicated account manager, white-label option.

Daily scan + VPAT / ACR
Hospital chain multi-domain
SSO + Turkey hosting + SLA

Request a demo

FAQ

Frequently asked questions from private hospitals

Is our private hospital covered by Circular 2025/10?

Yes. All private hospitals and medical centers are in the one-year compliance period group. The deadline is 21 June 2026. Healthcare institutions already carry a disability accessibility obligation under Law No. 5378; the Circular extends this to web and mobile platforms as well.

Our appointment module is from an external provider, who is responsible?

Legal responsibility lies with the hospital that owns the website. You need to request a WCAG 2.2 A compliant version from the appointment vendor. The cerez.io violation report can be passed to the vendor as a technical brief. The widget's elderly patient profile and keyboard support provide temporary help until a full fix arrives.

On which pages is separate consent required for KVKK Article 6?

On pages where health data is touched, such as the online appointment form, patient login, test result page or doctor recommendations, a general privacy notice is not considered sufficient. On these pages, explicit consent must be separate, freely given, specific and informed, and must be logged with a timestamp. For full coverage, we recommend following the KVKK Board decisions and consulting your legal advisor; cerez.io provides the technical infrastructure and does not give legal advice.

How do you create the accessibility statement and where do you add it?

The cerez.io statement generator fills in the Circular-compliant template automatically with your scan result. The compliance level, known shortcomings and feedback channel are included. You copy the statement into the footer or your accessibility policy page and keep it up to date through the panel.

Does our mobile patient app fall within scope?

For native iOS and Android apps, platform criteria apply (Apple HIG, Android Accessibility) and WCAG is not directly applicable. WebView modules inside the app fall under WCAG 2.2 A; you can scan these modules via cerez.io.

How long does setup take, and will it break the HBYS interface?

A single line of embed code loads both the cookie banner and the accessibility widget. The widget runs on a Shadow DOM architecture, so it does not affect the existing CSS/JS of your HBYS or CMS interface. If you have concerns about a technical conflict, we can run an environment test during the demo.