Documents and Data
DocuSign eSignature is for legitimate VCU business only: it is not for personal use. All standard VCU policies apply to your use of your VCU DocuSign account. Additionally, the storage, processing and transmission of documents or data applicable to the following are NOT permitted in the DocuSign Standard site:
- Code of Federal Regulations Title 21 Part 11 (FDA CFR 11); permitted in the Part 11 site
- Controlled Unclassified Information (CUI)
- Covered Defense Information (CDI)
- Export Administration Regulations (EAR)
- Federal Information Security Management Act (FISMA)
- International Traffic in Arms Regulations (ITAR)
- Payment Card Industry Data (PCI)
If you have questions about the classification of your data, please visit the Data Management System at https://dms.vcu.edu or contact the VCU Information Security Office at infosec@vcu.edu. If you are interested in using a segmented DocuSign site for one of these prohibited data types, please contact the VCU DocuSign support team at docusign@vcu.edu.
Please remember that all University policies involving computer use, university resources, and work time also apply to your use of your VCU DocuSign account.
Generic Accounts
The Health Insurance Portability and Accountability Act (HIPAA) security rule, among other regulations, requires unique user identification. This is relevant to you if:
- your department is one of VCU's HIPAA covered entities,
- your form is collecting/sharing protected health information (PHI), or
- you are collecting and executing forms containing Category I data in general.
If the generic account is assigned to an individual and not shared with a group, then this may be OK, as we can still associate DocuSign activity from this account to a unique individual. However, the generic account cannot be a shared account.
If the account is shared and the DocuSign form has HIPAA-related or other Category I data, acceptable uses are:
- as the initial Sender of envelopes to send on behalf of your department
- as the designated Sender account of PowerForms
- as the owner of templates
- capturing the completed document into another system for long-term storage
- API integrations
If the account is shared and the DocuSign form has HIPAA-related or Category I data, prohibited actions are:
- monitoring envelope status
- correcting, approving or voiding envelopes
- accessing or downloading PowerForm data
Generic eID owners are able to grant individuals shared access to the generic account to fulfill many of these actions directly from their individual DocuSign accounts using the Shared Access feature. Envelopes sent via Shared Access do record the user account performing the actions in the envelope's History.
For more information about VCU's HIPAA covered entities and requirements, please visit:
https://research.vcu.edu/human-research/hrppirb/hrpp-policies-and-guidance/
For more about Category I data, please see page 8 of the Information Security data handling and storage standard:
https://ts.vcu.edu/media/technology-services/assets/content-assets/university-resources/ts-groups/information-security/DataHandlingAndStorageStandard.pdf; or use the VCU Data Classification Tool at https://go.vcu.edu/dataclassification.