Paubox blog: HIPAA compliant email - easy setup, no portals or passcodes

Are biobanks covered under HIPAA?

Written by Tshedimoso Makhene | June 28, 2025

Biobanks, which store different types of tissue for research purposes, may be covered by HIPAA if they handle protected health information (PHI) as part of a healthcare provider or function as a business associate. However, independent biobanks that solely store de-identified samples may not be covered by HIPAA regulations.


What is HIPAA and who does it cover?

The Health Insurance Portability and Accountability Act (HIPAA) is a U.S. federal law designed to protect individuals’ protected health information (PHI). 

According to the U.S. Department of Health and Human Services (HHS), “HIPAA applies to health plans, health care clearinghouses, and those health care providers that conduct certain health care transactions electronically (e.g., billing a health plan). These are known as covered entities... In addition, HIPAA protects PHI held by business associates, such as billing services and others, hired by covered entities to perform services or functions that involve access to PHI.”

Both covered entities and business associates are legally required to follow HIPAA’s Privacy and Security Rules, which govern the use, disclosure, and protection of PHI.



How biobanks fit into the HIPAA framework

Biobanks can operate in different contexts:

  • Affiliated with covered entities: If a biobank is part of a hospital, clinic, or healthcare system that electronically transmits health information, it is considered part of a covered entity. In this case, the biobank must comply with HIPAA regulations.
  • Business associate of covered entities: A biobank may contract with a hospital or healthcare provider to store or process samples and their associated health data. If it handles PHI on behalf of a covered entity, the biobank is a business associate and must follow HIPAA rules, usually formalized through a business associate agreement (BAA).
  • Independent biobanks: Some biobanks operate independently from healthcare providers and do not receive identifiable health information. These biobanks may only handle de-identified or anonymized samples and data.


When are biobanks covered by HIPAA?

The key factor in determining whether HIPAA applies to a biobank is whether it handles identifiable protected health information. This includes any biological samples linked to information that can identify the individual donor, such as names, dates of birth, medical record numbers, or genetic data tied to an individual.

If a biobank:

  • Stores or transmits PHI as part of a healthcare provider or health system, or
  • Receives PHI from covered entities and processes or maintains it, 

then HIPAA regulations apply. This means the biobank must implement safeguards to protect PHI, control access, and report any breaches as required by law.


When are biobanks not covered by HIPAA?

If a biobank only collects or stores biological samples that have been de-identified according to HIPAA standards (meaning all identifying information is removed), then HIPAA does not apply because the information is no longer considered PHI.

Independent biobanks that do not receive PHI from covered entities and work exclusively with de-identified or anonymized samples generally fall outside HIPAA’s regulatory scope. However, they may still be subject to:


Best practices for biobanks

  • Assess HIPAA applicability: Determine if the biobank is a covered entity or business associate; identify if data includes PHI.
  • Implement data security: Use encryption, secure physical storage, and backup systems.
  • Control access: Restrict PHI access to authorized staff; use role-based permissions and audit logs.
  • Maintain documentation: Keep records of procedures, consent forms, and compliance efforts.
  • Train staff regularly: Educate employees on HIPAA rules and privacy policies; update training as needed.
  • Stay updated: Follow changes in HIPAA, state laws, and ethical guidelines; engage with professional organizations.



FAQs

What counts as protected health information (PHI) in a biobank?

PHI includes any information linked to a donor’s identity, such as name, medical record number, genetic data tied to the individual, or any other identifiers.


Why is it important for biobanks to comply with HIPAA or other privacy regulations?

Compliance protects donor privacy, helps avoid legal penalties, and builds public trust essential for continued research participation.