Important: HIPAApropriateness reviews, including their summaries, are for informational purposes only. They are neither consultation nor legal advice. Be aware that while we do our best to be thorough and complete, information may be missing or possibly even inaccurate. Products also change quickly, and the review may become out of date. By continuing to read, you agree to use the information in HIPAApropriateness reviews and their summaries at your own risk.

Vital Stats

HIPAA compliance with this product appears possible?: Yes.
Recommend for your HIPAA risk management needs?: Maybe. Yes for Windows, Android, iPhones and iPads. No for Macintosh computers. Carbonite is a good backup solution for small to large group practices. Read our 4 notes for some details regarding proper use of the product, and for one caveat we have.
# of Caveats: 1
# of Usage Notes: 5

Relevant Product Characteristics

  • This product does not appear to have been designed specifically with healthcare in mind. Note that many products that are useful and appropriate for health care professionals are not designed specifically with health care in mind.

What Is This Product?

Carbonite is a cloud-based file backup tool that will execute Business Associate Agreements with health care professionals. Carbonite sends copies of files from your computer or computers to their servers, to be retrieved in case of loss of data or of your entire computer or drive. They also allow you to access your files remotely via the web.

Our Impressions

Carbonite’s support was responsive to our questions and supplied information which indicated they are well-suited to the risk management needs of mental health professionals.

While Carbonite doesn’t seem to sell its services as something for mental health care professionals, it certainly seems well-suited to the task of creating secure backups of PHI stored on clinic computers.


Caveats are criticisms of the company or product that we feel are relevant to your risk management or other important considerations.

1) Mac users only: Do not use Carbonite to back up your Mac if you use FileVault Full Disk Encryption

As a result of the compatibility issue with FileVault, do not use Carbonite to back up Macintosh devices. It will successfully back up a Macintosh without FileVault Full Disk Encryption enabled, but we strongly advise against having PHI on your Macintosh without utilizing Full Disk Encryption.

There are no known compatibility issues with Windows systems using BitLocker Full Disk Encryption and Carbonite.


Notes cover points where the product can’t ensure compliance or ethical action for you. These help you know what your part of the compliance puzzle looks like when using this product. A high note count usually correlates with a feature-rich product, and not necessarily with a product that has problems.

1) Purchase a business plan if you need a Business Associate Agreement

The BAA is only obtainable via Carbonite for business plans. It is not available on Carbonite for Home plans. Be sure to select Carbonite for business/office in order to have the requisite BAA available to you.

2) Request your Business Associate Agreement before proceeding to use the service

To obtain and execute the BAA, email [email protected]. They will then email you a copy of the BAA to sign and return to them. Once they have received your signed BAA, they will file it and mark you as a HIPAA customer. Do not perform any backups until you have signed and returned the BAA and confirmed that you’ve been marked as a HIPAA customer.

3) Be aware that Carbonite can’t see the contents of your data.

As stated in Section 1(C)ii of the BAA, Carbonite has no knowledge of the nature of PHI that is contained in customer accounts and is therefore, in the event of a security incident or breach, unable to provide information about the identities of those who may have been affected, or describe what type of information may have been subject to the incident.

This is a good thing; Carbonite encrypts your data and does not know what it contains. As part of the BAA you are agreeing that they aren’t able to provide any such information in the event of a breach.

4) Carbonite does not synchronize files between multiple computers

If you are looking for a tool to synchronize documents between multiple personal or practice computers, this isn’t it. While Carbonite does not perform file synchronization, it does provide remote file access if you’re away from your computer and need to open a document, for example.

5) Confirm that backups are functioning

Remember that HIPAA’s security standards call on us to regularly check our backup systems to make sure they’re working. Be sure to check in the Carbonite app that backups are running.

