Security • 60 min • Apr 9, 2026
What it actually takes to build a telemedicine platform that satisfies HIPAA, GDPR, and the emerging African data protection frameworks — without paralysing the engineering team.
Audit logging is non-negotiable. Every access to a PHI record must be attributable to a human and queryable for at least seven years.
End-to-end encryption is not the same as encryption-in-transit-and-at-rest. Regulators are increasingly asking for the former, and it changes your architecture.
Data residency rules differ by country. Nigeria's NDPR, South Africa's POPIA, and Kenya's Data Protection Act each have nuances that need to be encoded as platform configuration, not policy memos.
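Added example, not code from the webinar or its presenters: one way to make the audit trail in the first takeaway tamper-evident, using the append-only, hash-chained design mentioned in the transcript. The field names, the `GENESIS` anchor, the externally stored head hash and the sample events are all assumptions made for illustration.

```python
import hashlib
import json

GENESIS = "0" * 64  # assumed chain anchor for the first entry


def _digest(prev_hash, body):
    # Canonical JSON so the same entry always hashes to the same value.
    payload = json.dumps(body, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + payload).encode("utf-8")).hexdigest()


def append_entry(log, actor, action, record_id, reason, ts):
    """Append one PHI access event; refuse events with no human actor or reason."""
    if not actor or not reason:
        raise ValueError("audit entry needs an attributable actor and a reason")
    body = {"actor": actor, "action": action, "record_id": record_id,
            "reason": reason, "ts": ts}
    prev_hash = log[-1]["hash"] if log else GENESIS
    entry = dict(body, prev=prev_hash, hash=_digest(prev_hash, body))
    log.append(entry)
    return entry


def verify_chain(log, expected_head=None):
    """Return the index of the first bad entry, or None if the chain is intact.

    expected_head is the last hash, kept outside the log (assumption), so that
    truncating the tail is detected as well as editing or removing entries.
    """
    prev_hash = GENESIS
    for i, entry in enumerate(log):
        body = {k: v for k, v in entry.items() if k not in ("prev", "hash")}
        if entry["prev"] != prev_hash or entry["hash"] != _digest(prev_hash, body):
            return i
        prev_hash = entry["hash"]
    if expected_head is not None and prev_hash != expected_head:
        return len(log)
    return None


def build_sample_log():
    # Constructed sample events, not real data.
    log = []
    append_entry(log, "dr.a.okoye", "read", "patient-1001", "scheduled consult", "2026-04-09T09:00:00Z")
    append_entry(log, "nurse.k.dlamini", "write", "patient-1001", "vitals update", "2026-04-09T09:05:00Z")
    append_entry(log, "dr.a.okoye", "export", "patient-1001", "referral letter", "2026-04-09T09:30:00Z")
    return log
```

The chain only proves integrity relative to a head hash that the log writer cannot alter, so the latest hash needs to be anchored in a separate system.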
Auto-generated and lightly edited. Let us know about errors.
Akua Mensah: Today we're going to talk about telemedicine architecture for regulated African markets. Tunde, you lead our healthtech practice — give us the lay of the land.
Dr Tunde Bakare: The African healthtech landscape changed dramatically in the last three years. Pre-pandemic, telemedicine was a fringe service. Now it's mainstream — and that means regulators have caught up. Nigeria passed the NDPR in 2019, South Africa has POPIA, Kenya has the Data Protection Act. And if you operate cross-border, or if you serve diaspora customers in the EU or the US, you're also dealing with GDPR and HIPAA.
Akua Mensah: And the platform has to satisfy all of them simultaneously, because you can't fork the codebase per jurisdiction. So you design for the strictest requirements and you parameterize the differences.
Dr Tunde Bakare: Let's talk about three controls that come up in every audit. First: audit logging. Every access to a patient record — every read, every write, every export — has to be attributable to a specific human, with a specific reason, and the log has to be queryable for at least seven years. We use a separate audit-only datastore, append-only, with cryptographic chaining so tampering is detectable.
Akua Mensah: Second: encryption. There's a distinction that comes up a lot — encryption in transit and at rest versus end-to-end encryption. The former is table stakes. The latter is increasingly expected, especially for messaging between patients and clinicians. End-to-end means the platform operator cannot read the message even if compelled. That changes your architecture significantly — key management moves to the client, and certain server-side features like full-text search become much harder.
Dr Tunde Bakare: We've taken the position that clinician-patient messaging should be end-to-end encrypted, but clinical records — which the patient consents to share with the clinical team — are encrypted with platform-managed keys with strict access controls. That's a defensible compromise.
Akua Mensah: Third: data residency. This is where the country-specific rules diverge. Nigeria's NDPR generally allows cross-border transfer with safeguards. POPIA in South Africa is stricter. Kenya's DPA requires explicit consent for transfer. So our platform stores patient data in the jurisdiction where the patient resides, with a configuration table that tells the platform: for a Nigerian patient, store in Lagos; for a South African patient, store in Cape Town.
Dr Tunde Bakare: And consent management is its own subsystem. The patient gives consent for specific uses — clinical care, billing, research, marketing — and the platform has to enforce that consent on every query. We use an attribute-based access control system. The decision is: does this requestor have the right to see this data for this purpose, given this patient's consent state?
Akua Mensah: I want to call out one operational thing. Compliance is not a one-time certification. It's a continuous program. The audit happens once a year, but the controls run every day. We use OPA — Open Policy Agent — to evaluate access decisions in production, and we generate compliance reports automatically from the audit log.
Dr Tunde Bakare: And the team structure matters. You need a clinical lead, a security lead, and an engineering lead in the same room when you're making design decisions. The clinical lead understands the duty of care. The security lead understands the regulatory regime. The engineer understands what's actually possible to build. If you're missing any of those three, you'll build the wrong thing.