Documents and Data
The storage, processing and transmission of documents or data subject to any of the following are not permitted in the standard DocuSign site:
- Code of Federal Regulations Title 21 Part 11 (FDA CFR 11) *Allowed in the Part 11 site.
- Controlled Unclassified Information (CUI)
- Covered Defense Information (CDI)
- Export Administration Regulations (EAR)
- Federal Information Security Management Act (FISMA)
- International Traffic in Arms Regulations (ITAR)
- Payment Card Industry Data (PCI)
If you have questions about the classification of your data, please contact the VCU Information Security Office at firstname.lastname@example.org. If you are interested in using a segmented DocuSign site for one of these prohibited data types, please contact the VCU DocuSign support team at email@example.com.
The Health Insurance Portability and Accountability Act (HIPAA) Security Rule, among other regulations, requires unique user identification. This is relevant to you if:
- your department is one of VCU's HIPAA covered entities,
- your form is collecting/sharing protected health information (PHI), or
- you are collecting and executing forms containing Category I data in general.
If the generic account is assigned to an individual and not shared with a group, then this may be OK, as we can still associate DocuSign activity from this account to a unique individual. However, the generic account cannot be a shared account.
If the account is shared and the DocuSign form has HIPAA-related or other Category I data, acceptable uses are:
- as the initial Sender of envelopes to send on behalf of your department
- as the designated Sender account of PowerForms
- as the owner of templates
- capturing the completed document into another system for long-term storage
- API integrations
If the account is shared and the DocuSign form has HIPAA-related or Category I data, prohibited actions are:
- monitoring envelope status
- correcting, approving or voiding envelopes
- accessing or downloading PowerForm data
The VCU DocuSign team can grant individuals shared envelope access to the generic account to fulfill many of these actions under your individual DocuSign account: https://support.docusign.com/en/guides/ndse-user-guide-shared-documents
For more information about VCU's HIPAA covered entities and requirements, please visit:
For more about Category I data, please see page 8 of the Information Security data handling and storage standard:
https://ts.vcu.edu/media/technology-services/assets/content-assets/university-resources/ts-groups/information-security/DataHandlingAndStorageStandard.pdf; or use the VCU Data Classification Tool at https://go.vcu.edu/dataclassification.