Documents and Data
The storage, processing and transmission of documents or data applicable to the following are NOT permitted in the DocuSign Standard site:
- Code of Federal Regulations Title 21 Part 11 (FDA CFR 11); permitted in the Part 11 site
- Controlled Unclassified Information (CUI)
- Covered Defense Information (CDI)
- Export Administration Regulations (EAR)
- Federal Information Security Management Act (FISMA)
- International Traffic in Arms Regulations (ITAR)
- Payment Card Industry Data (PCI)
If you have questions about the classification of your data, please visit the Data Management System at https://dms.vcu.edu or contact the VCU Information Security Office at infosec@vcu.edu. If you are interested in using a segmented DocuSign site for one of these prohibited data types, please contact the VCU DocuSign support team at docusign@vcu.edu.
Generic Accounts
The Health Insurance Portability and Accountability Act (HIPAA) security rule, among other regulations, requires unique user identification. This is relevant to you if:
- your department is one of VCU's HIPAA covered entities,
- your form is collecting/sharing protected health information (PHI), or
- you are collecting and executing forms containing Category I data in general.
If the generic account is assigned to an individual and not shared with a group, then this may be OK, as we can still associate DocuSign activity from this account to a unique individual. However, the generic account cannot be a shared account.
If the account is shared and the DocuSign form has HIPAA-related or other Category I data, acceptable uses are:
- as the initial Sender of envelopes to send on behalf of your department
- as the designated Sender account of PowerForms
- as the owner of templates
- capturing the completed document into another system for long-term storage
- API integrations
If the account is shared and the DocuSign form has HIPAA-related or Category I data, prohibited actions are:
- monitoring envelope status
- correcting, approving or voiding envelopes
- accessing or downloading PowerForm data
The VCU DocuSign team can grant individuals shared access to the generic account to fulfill many of these actions under your individual DocuSign account.
For more information about VCU's HIPAA covered entities and requirements, please visit:
https://research.vcu.edu/human-research/hrppirb/hrpp-policies-and-guidance/
For more about Category I data, please see page 8 of the Information Security data handling and storage standard:
https://ts.vcu.edu/media/technology-services/assets/content-assets/university-resources/ts-groups/information-security/DataHandlingAndStorageStandard.pdf; or use the VCU Data Classification Tool at https://go.vcu.edu/dataclassification.