Regulatory Requirements for Biobanks—GDPR, HIPAA, 21 CFR Part 11, ISO 20387:2018


Biobanks play an essential role in biomedical research by collecting, storing and distributing biospecimens and associated data. Understandably, there are strict regulations on how biobanks can handle samples and data donated by humans. These regulations vary across different regions around the world, but here are some of the most important laws and standards affecting biobanks and biobank management software.

ISO 20387:2018 General Requirements for Biobanking

ISO (International Organization for Standardization) publishes international standards to help maintain quality, safety, and efficiency across a range of industries. In response to the growing role of biobanks within the life science industry, ISO recently published a new standard, ISO 20387:2018, specifically for biobanks. ISO 20387:2018 covers requirements for all aspects of managing biobanks, including structures, personnel, facilities, processes, and equipment. These standards also cover quality management systems and sample handling, including the collection, preservation, transport, distribution, and traceability of biological material. The choice of biobank management software is an important part of satisfying ISO requirements.

HIPAA and HITECH

Both the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the Health Information Technology for Economic and Clinical Health Act (HITECH) regulate how companies in the U.S. collect, store, use and disclose any individually identifiable health information, such as electronic health records. Biobanks must encrypt all Protected Health Information and store it securely in HIPAA- and HITECH-compliant data centers, for example through compliant biobank management software.

21 CFR Part 11

CFR stands for Code of Federal Regulations. 21 CFR Part 11 regulates the authenticity and confidentiality of electronic records and electronic signatures used by biobanks, and other life science organizations, in the U.S. Requirements include system validations, operational systems checks, limited user access, authority checks and regular audits with complete audit trails. Compliant biobank management software can help companies abide by 21 CFR Part 11.

Common Rule (45 CFR Part 116)

The Federal Policy for Protection of Human Subjects, also called the Common Rule, is another part of the U.S. Code of Federal Regulations (45 CFR Part 116). It covers general requirements for informed consent when using identifiable biological specimens or data from human donors. This policy includes information about when it is and is not appropriate to ask for broad consent covering multiple research uses. It also specifies the role of Institutional Review Boards (IRBs) in the informed consent process.

CAP Accreditation

The College of American Pathologists (CAP) runs a Laboratory Accreditation Program. The program meets standards from the U.S. Food and Drug Administration (FDA), the Occupational Safety and Health Administration (OSHA) and the Clinical Laboratory Improvement Amendments (CLIA). Participation can therefore help biobanks ensure they comply with the necessary regulations.

GDPR (General Data Protection Regulation)

The General Data Protection Regulation (Regulation 2016/679) regulates how individuals or organizations, such as biobanks, collect and use the personal data of living European Union citizens. Personal data means any data that can be linked to an identifiable living person.


Laws and regulations change over time. Therefore, it is important for biobanks to check their compliance regularly. Compliant biobank management software can help biobanks meet regulatory requirements. CloudLIMS is HIPAA-, HITECH- and 21 CFR Part 11-compliant and CAP-accredited.

Contact us for more details on how CloudLIMS can help biobanks maintain regulatory