Hi,
My name is Will and I am a software engineer.
I see the most critical part is the communication between the doctor and the patient. Have you thought about SMS verification? The user asks a question and enters their mobile number. My script would then be notified and would post the question (all anonymous, of course) to the doctors-only part of the site, where doctors can choose to answer it (or email it to a doctor directly if the user chose that option).
When a doctor answers the question, the patient is notified via SMS and receives two codes, one to log in anonymously, and another to view the answer (two codes reduces the chances of a hack).
This system means that the patient only pays when there is an answer waiting. Otherwise, if they pay beforehand and nobody answers their question, how do you issue a refund or resolve other disputes in a completely anonymous system? So, this way means that they only pay once the answer is there. They log in with their bespoke user ID, sent via SMS, and their message ID, sent in the same SMS. The doctor will never know who asked the question, you will never know who asked the question, and the patient will not have any identifiable info on the server, as the phone number they entered when asking the question is not saved after they submit their question.
SMS packages are fairly cheap and you would only pay the few cents per message once the patient pays you.
We can chat more if you like?
Kind regards,
Will