Vital Stats
Relevant Product Characteristics
- This product does not appear to have been designed specifically with healthcare in mind. Note that many products that are useful and appropriate for health care professionals are not designed specifically with health care in mind.
What Is This Product?
Carbonite is a cloud-based file backup tool, and the company will execute Business Associate Agreements with health care professionals. Carbonite sends copies of files from your computer or computers to its servers, to be retrieved if you lose data or an entire computer or drive. It also gives you remote access to your files via the web.
Our Impressions
Carbonite’s support was responsive to our questions and supplied information which indicated they are well-suited to the risk management needs of mental health professionals.
While Carbonite doesn’t seem to sell its services as something for mental health care professionals, it certainly seems well-suited to the task of creating secure backups of PHI stored on clinic computers.
Caveats
Caveats are criticisms of the company or product that we feel are relevant to your risk management or other important considerations.
1) Mac users only: Do not use Carbonite to back up your Mac if you use FileVault Full Disk Encryption
Because of a compatibility issue with FileVault, do not use Carbonite to back up Macintosh devices. It will successfully back up a Macintosh that does not have FileVault Full Disk Encryption enabled, but we strongly advise against having PHI on your Macintosh without utilizing Full Disk Encryption.
There are no known compatibility issues between Carbonite and Windows systems using BitLocker Full Disk Encryption.
Notes
Notes cover points where the product can’t ensure compliance or ethical action for you. These help you know what your part of the compliance puzzle looks like when using this product. A high note count usually correlates with a feature-rich product, and not necessarily with a product that has problems.
1) Purchase a business plan if you need a Business Associate Agreement
The BAA is only obtainable via Carbonite for business plans. It is not available on Carbonite for Home plans. Be sure to select Carbonite for business/office in order to have the requisite BAA available to you.
2) Request your Business Associate Agreement before proceeding to use the service
To obtain and execute the BAA, email [email protected]. They will then email you a copy of the BAA to sign and return to them. Once they have received your signed BAA, they will file it and mark you as a HIPAA customer. Do not perform any backups until you have signed and returned the BAA and confirmed that you’ve been marked as a HIPAA customer.
3) Be aware that Carbonite can’t see the contents of your data.
As stated in Section 1(C)ii of the BAA, Carbonite has no knowledge of the nature of the PHI contained in customer accounts. In the event of a security incident or breach, it is therefore unable to provide information about the identities of those who may have been affected, or to describe what type of information may have been subject to the incident.
This is a good thing; Carbonite encrypts your data and does not know what it contains. As part of the BAA you are agreeing that they aren’t able to provide any such information in the event of a breach.
4) Carbonite does not synchronize files between multiple computers
If you are looking for a tool to synchronize documents between multiple personal or practice computers, this isn’t it. While Carbonite does not perform file synchronization, it does provide remote file access if you’re away from your computer and need to open a document, for example.
5) Confirm that backups are functioning
Remember that HIPAA’s security standards call on us to regularly check our backup systems to make sure they’re working. Be sure to check in the Carbonite app that backups are running.