Digitization: Enabling Biobanks to Navigate Regulatory Challenges


Over the past two decades, there has been an increasing need to collect, curate, store, and distribute biological specimens in order to gain insight into the genetic basis of diseases [1]. This has driven the demand for biobanking.

Genetic and biomedical research generates a multitude of information that is personal and sensitive, bringing about a wide spectrum of legal and ethical concerns. Consequently, there is a great need for regulations to ensure that human rights are upheld and the medical profession does not fall into disrepute.

Should biobanks comply with these regulations?


All biobanks that store biospecimens, whether human, animal or plant, are subject to ethical oversight and regulation. These regulations are varied and change over time; it is the biobank's responsibility to stay informed and compliant at all times. Failure to do so may attract hefty penalties, and in some cases restitution may be demanded for parties affected by a breach.

It is important for biobanks to have a grasp of the different regulations that affect them and devise strategies to ensure that they remain compliant. Technological advancements and digitization can help streamline efforts geared towards this objective.

Figure 1: A schematic representation of key biobanking regulations across the globe (Figure courtesy of CloudLIMS)

Here is a breakdown of the most notable regulations that should be considered by all biobanks.

HIPAA
The Health Insurance Portability and Accountability Act (HIPAA) is a US federal law, signed by President Clinton in 1996, that protects individually identifiable health information, known as protected health information (PHI) [2]. To achieve this, technical, physical, and administrative safeguards must be put in place. HIPAA applies to "covered entities" and their business associates.

Whether HIPAA applies to a biobank depends on its status. Covered entities are health plans, health care clearinghouses, and health care providers that transmit health information electronically. A biobank operated within a hospital or health system is typically part of a covered entity, while an independent research biobank that receives PHI from one usually does so as a business associate and must sign a business associate agreement. A biobank that is neither should confirm this rather than assume it is exempt.

HIPAA has three major components:

  • The HIPAA Privacy Rule
  • The HIPAA Security Rule
  • The HIPAA Breach Notification Rule

What is a HIPAA Violation?

A HIPAA violation occurs when a covered entity fails to comply with one or more aspects of the HIPAA law. It also includes the failure to put in place adequate safeguards for protected health information.

HIPAA violations may include the following:

  • Failing to encrypt electronic PHI, or to document an equivalent safeguard where encryption is not implemented (encryption is an "addressable" specification under the Security Rule: it must either be implemented or its omission justified and an alternative put in place)
  • Storing PHI without adequate safeguards
  • Loss or theft of unencrypted devices containing patient information
  • Failing to protect systems against intrusion, leading to compromise of PHI
  • Unauthorized access to PHI, including employees viewing records they have no work-related need to see
  • Employees discussing patients' PHI with people not authorized to receive it
  • Third-party disclosures without donor authorization
  • Improper disposal of patient records

If you break HIPAA rules, you are likely to be penalized. The size of the civil penalty depends on the severity of the violation and on the degree of culpability, from a violation the entity could not reasonably have known about, through reasonable cause, to willful neglect that is or is not corrected in time. Criminal violations may also attract a maximum of 10 years' imprisonment.

ISO 20387:2018 

ISO (International Organization for Standardization) is an independent, non-governmental international standards body founded in 1947 that publishes standards for technical, industrial, and commercial fields; it is not a regulator. The advent of multi-omics analysis in research has created the need for quality standards covering the large numbers of biosamples and their associated data [3]. ISO 20387:2018 is the first ISO standard specific to biobanking. Although not mandatory, biobanks can rely on it to standardize their operations and maintain high-quality, fit-for-purpose samples.

ISO 20387 sets the standards for the competence and impartiality of biobanks. It also sets the standard for quality for biological materials that are held by the biobank. The standard is used by researchers and regulatory bodies to establish the competence of a biobank.

ISO 20387 addresses both the operational requirements and the competence of the biobank. To obtain accreditation, a biobank needs to:

(1) Define its organizational structure, goals and objectives

(2) Establish SOPs (standard operating procedures), staff training and equipment maintenance programs

(3) Lay out procedures for the control of documents and for records of performance

(4) Carry out internal audits of its competence in performing specific biobanking tasks

Accreditation to ISO 20387 is granted by a third-party accreditation body, not by ISO itself; the assessor verifies that biobank processes are performed according to the quality management system (QMS) and that adequate infrastructure exists to support them [3].

ISBER Best Practices 

The International Society for Biological and Environmental Repositories (ISBER) publishes best practices for managing biological materials held in biobanks, covering their collection, handling, storage, retrieval, and distribution. This is a voluntary standard that plays a key role in ensuring that biobanks store samples that are fit for purpose for present and future research [4].

ISBER guides biobanking practices including:

  • The collection, storage, and shipping of biospecimens
  • Patient consent management
  • The tracking and retrieval of specimens
  • Management of equipment
  • Storage of SOPs and documents
  • Staff training

NCI Best Practices 

The National Cancer Institute (NCI) has published best practices to safeguard the quality of biological materials used in cancer research [5]. They were developed through extensive review of the evidence and consultation with experts.

Principles of the NCI Best Practices include:

  • Defining science-backed biospecimen resource practices
  • Promoting biospecimen and data quality
  • Supporting adherence to bioethics and legal requirements

The NCI Best Practices guide the procedures developed by biospecimen resource centers. They are adapted to suit the scientific needs of biobanks. These standards are updated regularly. The end goal is to optimize biospecimens for cancer research.

EU GDPR
The EU General Data Protection Regulation (GDPR), Regulation (EU) 2016/679, was adopted by the European Parliament and the Council and has applied since 25 May 2018. It protects the personal data of individuals in the EU and binds any entity, wherever it is located, that processes such data [6]. Consequently, a biobank outside the EU that holds samples or data from EU donors must comply with it. Violations can attract fines of up to 20 million euros or 4% of worldwide annual turnover, whichever is higher, and it is often described as "the toughest privacy and security law in the world." Genetic and health data are "special categories" of personal data under Article 9, so a biobank needs an additional legal basis to process them, such as the donor's explicit consent or the scientific-research provision, subject to national law and appropriate safeguards.

The following seven principles, set out in Article 5 of the GDPR, stipulate how personal data should be collected, stored, and processed.

  1. Lawfulness, fairness and transparency: Personal data must be processed lawfully, fairly and in a manner that is transparent to the data subject.
  2. Purpose limitation: Data should be processed only for the purposes for which it was collected.
  3. Data minimization: Biobanks should process only as much data as is necessary to achieve the intended objective.
  4. Accuracy: Biobanks must ensure that data accuracy is maintained at all times.
  5. Storage limitation: Personal data should be stored only for the duration for which it is necessary.
  6. Integrity and confidentiality: Personal data must be protected against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical and organisational measures.
  7. Accountability: The controller of a biobank must be able to demonstrate that the biobank complies with the EU GDPR through appropriate records and measures.

21 CFR Part 11 

21 CFR Part 11 is the FDA regulation that sets the criteria under which electronic records and electronic signatures are considered trustworthy, reliable, and equivalent to paper records and handwritten signatures. It applies to records that FDA regulations require to be created, maintained, or submitted in electronic form, rather than to health records in general. While supporting the wide use of electronic data, Part 11 guards against the misuse or falsification of those records by requiring controls such as the following:

  • Unique electronic signatures and sign-in credentials (a user ID plus password, or a biometric) that cannot be reused by or reassigned to anyone else
  • Secure, computer-generated, time-stamped audit trails that independently record the operator, the time, and the action for every creation, modification, or deletion of a record, without obscuring the previously recorded value
  • Device checks to determine the validity of the source of data input or operational instructions
  • Validation of systems so that invalid or altered records can be discerned
  • Limiting system access to authorized individuals

Biospecimen Management System: A Turnkey Solution  

Biobanks are turning to Laboratory Information Management Systems (LIMS) configured for biobanking, often called biospecimen management systems, to navigate these regulatory challenges. A biospecimen management system supports workflows by automating processes throughout the entire lifecycle of specimens and generating the associated metadata.

A biospecimen management system can:

  • Manage biospecimens from collection to disposal
  • Manage documents and SOPs
  • Track samples while maintaining a chain of custody
  • Manage and protect sensitive patient data
  • Enforce role-based access so that personal data is visible only to staff who need it
  • Manage informed consent
  • Maintain a secure, tamper-evident audit trail of all activities

Figure 2: A biospecimen management system to safeguard PHI of sample donors (Figure courtesy of CloudLIMS)
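21 CFR Part 11 above calls for a secure, computer-generated, time-stamped audit trail and the ability to discern altered records, and the biospecimen management system is expected to keep a secure audit trail and chain of custody. The following Python is an added example written for this page, not CloudLIMS code nor any product's implementation, showing one way to make such a trail tamper-evident: each entry carries an HMAC over its content plus the MAC of the previous entry (a hash chain), and the latest MAC is anchored outside the database so that silent truncation is caught as well. The key, field names, specimen ID, user names, and timestamps are constructed for the demonstration.

```python
"""Tamper-evident audit trail for a biospecimen record store (added example,
not CloudLIMS code). Each entry's HMAC covers its own content and the MAC of
the previous entry, so editing, deleting or reordering any entry invalidates
every entry after it. All names and values below are constructed for the demo."""
import hashlib
import hmac
import json
from datetime import datetime, timezone

# Assumption: in production this key lives outside the application database
# (HSM or secrets manager), so a DBA who can edit audit rows cannot re-MAC them.
AUDIT_KEY = b"constructed-demo-key-do-not-use-in-production"
GENESIS = "0" * 64  # prev_mac of the very first entry


def _canonical(body: dict) -> bytes:
    # Canonical JSON: the same entry always serialises to the same bytes.
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


class AuditTrail:
    def __init__(self, key: bytes = AUDIT_KEY, clock=None):
        self._key = key
        self._clock = clock or (lambda: datetime.now(timezone.utc).isoformat())
        self.entries = []

    def record(self, user, action, specimen_id, old=None, new=None):
        """Append a time-stamped, attributable entry; old/new keep the prior value visible."""
        body = {"seq": len(self.entries), "ts": self._clock(), "user": user,
                "action": action, "specimen_id": specimen_id, "old": old, "new": new,
                "prev_mac": self.head()}
        body["mac"] = hmac.new(self._key, _canonical(body), hashlib.sha256).hexdigest()
        self.entries.append(body)
        return body

    def head(self) -> str:
        """MAC of the newest entry; copy it to a write-once store to detect truncation."""
        return self.entries[-1]["mac"] if self.entries else GENESIS

    def verify(self, expected_head=None):
        """Return (ok, first_bad_seq). Checks sequence numbers, chain links and MACs;
        expected_head additionally catches removal of the newest entries."""
        prev_mac = GENESIS
        for i, e in enumerate(self.entries):
            body = {k: v for k, v in e.items() if k != "mac"}
            expected = hmac.new(self._key, _canonical(body), hashlib.sha256).hexdigest()
            if (e.get("seq") != i or e.get("prev_mac") != prev_mac
                    or not hmac.compare_digest(expected, str(e.get("mac", "")))):
                return False, i
            prev_mac = e["mac"]
        if expected_head is not None and not hmac.compare_digest(prev_mac, expected_head):
            return False, len(self.entries)
        return True, None


def _build() -> AuditTrail:
    """Constructed history: specimen registered, storage temperature corrected, shipped."""
    ticks = iter(["2024-03-01T10:00:00+00:00", "2024-03-01T10:05:00+00:00",
                  "2024-03-01T10:06:00+00:00"])
    trail = AuditTrail(clock=lambda: next(ticks))
    trail.record("jdoe", "create", "BB-000123", new={"storage": "-80C"})
    trail.record("jdoe", "update", "BB-000123", old={"storage": "-80C"}, new={"storage": "-20C"})
    trail.record("asmith", "ship", "BB-000123", new={"destination": "Lab 4"})
    return trail


def scenario_intact():
    return _build().verify()


def scenario_modified():
    # Direct database edit that bypasses the application and rewrites history.
    trail = _build()
    trail.entries[1]["old"] = {"storage": "-20C"}
    return trail.verify()


def scenario_deleted_middle():
    trail = _build()
    del trail.entries[1]
    return trail.verify()


def scenario_truncated():
    # Dropping the newest entry leaves the chain internally consistent;
    # only the externally anchored head MAC reveals it.
    trail = _build()
    anchored_head = trail.head()
    del trail.entries[-1]
    return trail.verify(), trail.verify(expected_head=anchored_head)


if __name__ == "__main__":
    print("intact:", scenario_intact())
    print("modified:", scenario_modified())
    print("deleted middle:", scenario_deleted_middle())
    print("truncated (chain only, with anchor):", scenario_truncated())
```

Run directly, the four scenarios show the chain catching an edited entry and a deleted entry but not a removed tail; that is why `head()` exists: copy it periodically to a write-once store or sign it, and pass it back as `expected_head` at verification time. The HMAC key must be held outside the database the audit rows live in, otherwise anyone who can edit rows can simply recompute the MACs.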

The capabilities of a biospecimen management system are geared towards meeting these compliance requirements in a timely and efficient manner. A cloud-based biospecimen management system makes the regulatory hurdles easier to clear, but it does not transfer the biobank's accountability: the biobank remains the responsible party, so it still needs a business associate agreement with the cloud provider under HIPAA, a data processing agreement under the GDPR, and documented validation of the system under 21 CFR Part 11.

Author: Shonali Paul, Chief Operating Officer, CloudLIMS.com
Email: shonali@cloudlims.com

References
  1. Eder, J., Gottweis, H., & Zatloukal, K. (2012). IT solutions for privacy protection in biobanking. Public health genomics, 15(5), 254–262. https://doi.org/10.1159/000336663
  2. Kulynych J. (2008). HIPAA Compliance in Clinical Trials. Journal of oncology practice, 4(1), 9–10. https://doi.org/10.1200/JOP.0812505
  3. De Blasio, P.; Biunno, I. (2021). New Challenges for Biobanks: Accreditation to the New ISO 20387:2018 Standard Specific for Biobanks. BioTech. https://doi.org/10.3390/biotech10030013
  4. Campbell, L. D., Astrin, J. J., DeSouza, Y., Giri, J., Patel, A. A., Rawley-Payne, M., Rush, A., & Sieffert, N. (2018). The 2018 Revision of the ISBER Best Practices: Summary of Changes and the Editorial Team’s Development Process. Biopreservation and biobanking, 16(1), 3–6. https://doi.org/10.1089/bio.2018.0001
  5. NCI, NIH, BBRB, UDHHS (2016). NCI Best Practices for Biospecimen Resources. https://biospecimens.cancer.gov/bestpractices/2016-NCIBestPractices.pdf
  6. Slokenberga, S., Tzortzatou, O., Reichel, J. (2021). GDPR & Biobanking. Law, governance, and technology series 43. https://link.springer.com/content/pdf/10.1007%2F978-3-030-49388-2.pdf
  7. Dixit, S., Lyncia D’Almeida, P., Vaz, M., and Naik, S. (2021). Issue Brief: Biobanking policies in India. Takshashila Issue Brief. Vol 10. https://takshashila.org.in/wp-content/uploads/2021/09/TIB_Biobanking-policies_SD_PLA_MZ_SN_Sep21.pdf