GUIDE
Biobank Software Compliance: A Practical Guide for Modern Labs
Choosing biobank or specimen tracking software is really a decision about audit defensibility. This guide walks through the compliance frameworks that matter, the questions to ask a vendor, and why cryptographic hash chaining is becoming the default expectation for chain-of-custody systems.
Why biobank software is a compliance decision
A biobank's value is only as strong as the provenance of the specimens it holds. Regulators, sponsors, IRBs, and downstream researchers all need the same thing: evidence that a sample is what the label claims it is, that consent was in force at every step, and that nothing in the record has been quietly edited after the fact. Paper logs, spreadsheets, and even most LIMS deployments leave that evidence to trust. Modern biobank software has to prove it.
The frameworks that actually apply
21 CFR Part 11 — Electronic records & signatures
Applies to any lab whose records may be submitted to the FDA. Requires validated systems, audit trails that capture who/what/when for every change, secure electronic signatures, and controls that prevent (or detect) unauthorized alteration.
HIPAA — Protected health information
Applies whenever specimens are linked to identifiable donor data. Requires access controls, audit logging, encryption in transit and at rest, and a Business Associate Agreement with any vendor storing PHI.
GDPR — EU donor data
Applies to any biobank handling EU residents' data. Requires lawful basis for processing, revocable consent, data minimization, and the ability to export or delete a donor's records on request.
GxP & ISO 20387
Good Practice guidelines and the international biobanking standard focus on traceability, quality management, and the ability to reconstruct the full history of any specimen from acquisition through disposal.
Vendor evaluation checklist
Take this list into any specimen tracking software demo. If a vendor cannot answer any one of these with a concrete technical mechanism, treat it as a gap.
- Tamper evidence. Can the vendor mathematically prove that no custody event has been altered or deleted since it was recorded? A "read-only audit table" is not the same as tamper evidence.
- Independent verifiability. Can an auditor verify the integrity of your export without logging into the vendor's system?
- Dynamic consent. When a donor withdraws or narrows consent, does the system block downstream transfers at the data layer, and record the change in the audit trail?
- Role-based access and single-session enforcement. Can you prevent password sharing and enforce least-privilege for lab staff, PIs, and auditors?
- Signed audit exports. Do PDF and CSV exports carry a cryptographic signature tied to your organization, so a regulator can confirm authenticity offline?
- Data portability. On any plan, can you export the full chain — every event, hash, and signature — and walk away?
- Real-time integrity monitoring. Are integrity checks automatic on every custody event, or only when a human clicks "verify"?
Why hash chaining is the modern baseline
Traditional audit tables record what changed, but they live in the same database as the record itself — anyone with database access can, in principle, edit history. A hash chain closes that gap: every custody event is hashed with SHA-256, and each new hash includes the previous event's hash. Change one event and every subsequent hash breaks. Combined with per-organization Ed25519 signing keys, exports become independently verifiable artifacts that a regulator or sponsor can validate without ever touching your production system.
Every registration, transfer, and consent change is hashed the instant it's recorded.
Each hash embeds the previous one. Tampering with history breaks every link forward.
Exports are signed with your organization's key. Auditors verify offline.
Integrity is re-verified on every custody event, not only when a human clicks 'verify'.
How DNACHAIN maps to the checklist
DNACHAIN was built specifically for biobanks, CROs, and genomics labs that need defensible chain-of-custody without asking staff to learn cryptography. Every requirement in the checklist above is a first-class product feature: hash-chained lineage, Ed25519-signed exports, dynamic consent enforced at the database layer, single-session accounts, and automatic integrity monitoring on every event.
