Regulatory Compliance

HPCSA. SAHPRA. POPIA. NHI Act. Aafiya is designed around South Africa's regulatory requirements — not bolted on after the fact. Compliance is architecture, not overhead.

Four Regulators. One Integrated Strategy.

South Africa's health regulatory landscape is complex but navigable. Aafiya's legal, clinical, and technical architecture addresses each regulator's requirements from the ground up.

  • HPCSA: Health Professions Council — every output physician-signed
  • SAHPRA: AI device classification — 12–18 month first-mover window
  • POPIA: Data residency — all patient data on SA-resident cloud
  • NHI: NHI Act 2024 — accreditation-ready architecture from day one

HPCSA — Health Professions Council of SA

Governing body for all health professionals in South Africa

  • Booklet 10 (Dec 2021) explicitly permits remote management of new patients via telemedicine — the key regulatory enabler for Aafiya's model
  • Aafiya as a platform operator does not require HPCSA registration; all clinical acts are performed by registered physicians
  • Physician-in-the-loop is architecturally mandatory — no AI output reaches patients without physician sign-off
  • Every prescription carries the signing physician's HPCSA registration number
  • Automated quarterly re-verification of all active physicians' HPCSA registration status
  • Real-time monitoring of HPCSA disciplinary notices — automatic offboarding on any adverse finding
  • Immutable audit trail of every clinical decision for HPCSA inspection readiness

SAHPRA — SA Health Products Regulatory Authority

Regulates medical devices, including AI/ML clinical decision support

  • Aafiya's diagnostic AI is expected to be classified Class C or D (moderate-high to high risk) under SA Medical Devices regulations
  • Requires SAHPRA authorisation before market entry + Medical Device Establishment Licence (Section 22C)
  • Must demonstrate equal performance on SA populations — models trained on non-SA data are specifically flagged
  • ISO 13485 Quality Management System required — Aafiya targets certification by April 2028
  • Early-mover window: Call-Up Notices not yet issued as of 2026 — creates 12–18 month competitive head-start for early filers
  • Post-market surveillance and AI drift monitoring are mandatory — Aafiya's continuous learning pipeline satisfies this requirement
  • Explainable AI reasoning chains built into every output — meets SAHPRA audit trail requirements

SAHPRA Evidence File — auto-generated from day one: Aafiya's AI pre-consultation triage system stores every triage decision with model version, latency, triage category, and outcome. This produces the triage validation dataset, recall and precision metrics by category, and false-negative rate for EMERGENCY cases that SAHPRA requires for Class C/D AI device registration. Aafiya is building its regulatory dossier with every consultation — not as a post-hoc exercise after a pilot ends.

Prospective Pilot Quality Gates: Four measurable thresholds that Aafiya's pilot must pass before SAHPRA submission:

  • AI sensitivity ≥92% on red-flag and emergency conditions
  • EML prescription specificity ≥88% (accurate drug and dosage recommendations)
  • Physician override rate <15% across all disease categories
  • Demographic bias parity within 5% across province, language, age, and HIV status

POPIA — Protection of Personal Information Act

SA's primary data privacy legislation, fully operative since July 2021

  • Health data is classified as special personal information requiring explicit, purpose-specific consent
  • All patient data stored exclusively on SA-resident infrastructure (AWS Cape Town or Azure SA North) — no cross-border transfers
  • Four-category granular consent ledger: clinical care, physician review, record aggregation, anonymised AI training
  • Patients can revoke any consent category independently at any time
  • Draft 2025 healthcare data regulations require written data processing agreements — Aafiya's consent architecture is compliant
  • Overseas physician reviewers create cross-border transfer risk — Aafiya's physician network is SA-resident by policy
  • Information Officer designated; POPIA breach notification procedures in place

DHA National Population Register (in development): SA ID verification against the Department of Home Affairs NPR at patient registration will confirm identity, eliminate fraudulent billing, and meet POPIA's data subject verification requirements. It also enables the SASSA grant verification pathway — ensuring patient identity matches benefit records for NHI capitation billing.

NHI Act — National Health Insurance Act 2024

Establishes SA's single-purchaser universal healthcare system

  • NHI Act signed May 2024 — establishes NHI Fund as single purchaser of primary healthcare services
  • 260 Contracting Units for Primary Health Care (CUPs) around district hospitals will be the primary contracting mechanism
  • Accreditation criteria: OHSC certification + HPCSA-registered practitioners + STG adherence + NHI data submission compliance
  • FHIR R4 is the NHI data standard — Aafiya implements this from day one (no migration required)
  • HPRS-aligned patient identifiers (SA ID) ensure seamless NHI Fund patient matching
  • Quality metrics (OHSC indicators, outcome data) instrumented from launch for NHI accreditation evidence
  • Full NHI Fund implementation: government target 2028, analyst consensus 2032–2035; Aafiya targets CUP accreditation by 2027–2030

Compliance Is Architecture, Not Overhead

Most healthtech startups build a product and then retrofit compliance. Aafiya does the opposite: each regulatory requirement is translated directly into an architectural or operational constraint before a line of code is written.

This approach is harder upfront but creates durable advantages: lower regulatory risk at launch, stronger investor confidence, and an NHI-ready platform that competitors cannot replicate without rebuilding from scratch.

Regulatory Risk Mitigation

  • Head of Regulatory Affairs in founding team (not hired after launch)
  • SAHPRA engagement begins Month 0 — not Month 18
  • Retrospective + prospective validation before any patient goes live
  • POPIA data residency built into cloud architecture — cannot be changed later
  • FHIR R4 from day one — NHI migration cost = zero
  • HPCSA quarterly re-verification automated — no manual compliance risk
  • ISO 13485 QMS implementation begins Phase 1

Key Regulatory Risks and Mitigations

Risk | Probability | Impact | Mitigation
SAHPRA classification delays market entry | Medium | High | Early engagement (Month 0), retrospective + prospective evidence, first-mover window exploited
NHI implementation delayed beyond 2032 | High | Medium | Dual revenue model — medical aid scheme billing is independently viable at full scale
HPCSA changes telemedicine rules | Low | High | Active HPCSA engagement; Booklet 10 (2021) explicitly enables the model; physician-in-the-loop satisfies all current guidance
POPIA enforcement action on health data | Low | High | SA-resident data, purpose-specific consent architecture, designated Information Officer, regular audits
AI clinical performance below SAHPRA quality gates | Medium | High | Conservative validation timeline (18 months), SA-specific training corpus, deterministic rules engine as safety net

Ready to Invest in SA's Healthcare Future?

Request the full investor deck including the detailed regulatory strategy, clinical validation plan, and financial model.