Follow the Rules or Get Put in the Penalty Box – What you need to know about Biotech Industry Compliance

I’ve watched enough NHL hockey to know that I don’t understand all the rules. Maybe you do, but not me. I grew up playing basketball.

But what I do know is that if you don’t follow the rules of the game you get put into the penalty box.

Now, it’s true, the guys that break the rules and are put into the penalty box have the best seats in the house. They’re right there on the ice and can see the action of the game as it swirls around them.

The problem is, they’re not in the game.

To add insult to injury, while they are in the penalty box the opposing team has a competitive advantage – the POWER PLAY. For as long as the penalty lasts, the opposing team has an extra man on the ice and has a higher chance of scoring.

Failure to meet industry and legislative compliance for your biotechnology company lands you in the same place – the PENALTY BOX.

It’s not a game.

Your company is your livelihood, the jobs your employees depend upon, and the dividends your shareholders expect.

You don’t have time for governmental agencies to hold up your processes in an extensive and invasive audit.

You don’t have any interest in paying exorbitant fines for non-compliance.

And you certainly don’t want your competitors to take advantage of your misfortune – turning any compliance failure troubles you may have into their own competitive power play.


What do you need to know about biotechnology industry compliance?

Let’s start with what you already know.

  • You know that your company manages massive amounts of data.
  • You know that you are required by the FDA or HHS to handle and store that data in ways that are compliant with their guidelines.
  • You know that everything from your WiFi to your computer-based instrumentation must be in line with those guidelines.

What you may not already know about IT compliance for biotech companies like yours is that because technology is constantly evolving, IT compliance is not static. It requires an ongoing risk management strategy.

A flexible IT compliance strategy requires:

  1. The participation of your entire staff in understanding their role in the process.
  2. A commitment from your staff not to try to do “end runs” around the set protocols – even if a workaround may seem simpler at the time.
  3. IT support professionals – such as KalioTek – who understand the internal workflow of biotechnology companies as well as how to configure your systems to deal with the complexities of IT compliance.
  4. Continuous remote monitoring to ensure that the individual components of the compliance strategy are working as they should moment to moment.

Without these four essential pillars in place, your company will continue to struggle with the issue of compliance and won’t have confidence that you can survive a compliance audit.

What are the governing bodies involved in compliance for biotechnology companies?

The two big ones are the Food and Drug Administration and the U.S. Department of Health and Human Services. Of course, your company may fall under one or both of these governmental agencies depending on whether your work involves food, pharmacological research, or medical research.


The men and women who work at the FDA oversee our country’s food chain along with the development, testing, and approval of drugs. They operate as a control board that strives to safeguard the public.

The FDA has jurisdiction over companies involved in the following:

  • Agriculture and Farming
  • Cosmetics
  • Medical Research
  • Drug and Supplement Manufacturing
  • Veterinary Medicine
  • Development and Manufacture of Vaccinations, Blood, and Tissue Products
  • Any Branch of Biomedicine and Biotechnology
  • Medical Equipment and Devices
  • Equipment or Devices that Emit Radiation

A Manual of Policies and Procedures – as published by a sub-section of the FDA known as the Center for Drug Evaluation and Procedures – delineates the documentation the federal government requires of your company. The documentation your company provides to the FDA outlines your internal policies and provides proof of your adherence to those policies. The documentation must be in alignment with the Federal Food, Drug, and Cosmetic Act and other relevant laws enforced by the FDA.

FDA standards for biotech companies are viewed by the government as the bare minimum your company should do to protect the public. It is wise to bring in an IT compliance professional to ensure that your systems meet, and preferably exceed, these “bare minimums.”

The FDA has published a Compliance Program Guidance Manual (CPGM) to serve as a guide for businesses, but the FDA looks more favorably on a process that is overseen by a professional third party — in contrast to compliance oversight by internal IT staffers.


In 1996, President Bill Clinton signed the Health Insurance Portability and Accountability Act (HIPAA) into law. HIPAA is not just one law but a collection of dozens of individual laws requiring – among other things – companies involved in collecting, storing, or using the private health information of individuals to use, store, and secure that data in a way that is compatible with the new law.

Title II, the portion of the law that requires adherence to the established HIPAA protocols for the transmission of electronic healthcare transactions, details the penalties for violations of HIPAA statutes, which may include civil and/or criminal prosecution.

Any business that handles or has access to private health information of individuals falls under HHS and HIPAA. This includes not only hospitals, clinics, and insurance agencies, but also any company that does business with healthcare companies and has access to this sensitive client data.

Companies that fall under the HIPAA legislation must be aware of the following five rules within HIPAA:

  • The Security Rule
  • The Unique Identifiers Rule
  • The Enforcement Rule
  • The Privacy Rule
  • The Transactions and Code Sets Rule

What does it take for a biotech company to become HIPAA compliant?

  • An understanding of the reasons for the HIPAA act, and the education of staff concerning their individual responsibilities as they relate to compliance. To enhance the education and training of their staff, many healthcare leaders are turning to managed IT services teams like KalioTek for support.
  • A proactive approach to compliance strategy, implementation, and monitoring of a company’s IT systems to ensure the safe transmission, storage, and use of data relating to personal health information.

To read more about compliance support for the biotech industry, take a look at some of the other articles on this topic on our blog.