First, HIPAA’s security rule does not absolutely require encryption in this case. Encryption is an addressable specification, so each organization must determine for itself whether encryption is an appropriate tool to mitigate the risk. (Additionally, the rule does not specify which encryption algorithms to use or their minimum key lengths, but government Web sites such as csrc.nist.gov provide guidance.) However, I recommend using encryption in this case, since a CD can easily fall into the wrong hands.
Second, if the two organizations routinely exchange confidential information via CDs, they should agree in advance, and in writing, on the selected encryption tool(s) and on the method for exchanging keys. There are many products available for symmetric file encryption using widely accepted algorithms such as 3DES and AES.
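To make the two points above concrete, here is an added example (it is not part of the column and not taken from any particular product) of the kind of symmetric file encryption the answer describes, written in Go using only its standard library. It uses AES-256 in GCM mode, an authenticated mode, so a disc whose contents were altered in transit fails to decrypt instead of silently producing garbage. The key is a random 256-bit value that the two organizations would exchange out of band by whatever written procedure they agree on; the key, file name and patient record below are constructed sample values, and the function names are this example's own.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"io"
)

const keyLen = 32 // AES-256

// GenerateKey produces a fresh random 256-bit key. In practice the hex form
// would be handed to the other organization through the pre-agreed key
// exchange channel, never burned onto the same CD as the data.
func GenerateKey() ([]byte, error) {
	key := make([]byte, keyLen)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

// EncryptFile seals plaintext with AES-256-GCM.
// Output layout: 12-byte random nonce || ciphertext || 16-byte GCM tag.
// A fresh nonce per file is what keeps reuse of one key across many discs safe.
func EncryptFile(key, plaintext []byte) ([]byte, error) {
	if len(key) != keyLen {
		return nil, errors.New("key must be 32 bytes (AES-256)")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	// Seal appends ciphertext+tag to the nonce so the nonce travels with the file.
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// DecryptFile reverses EncryptFile. Any modification of nonce, ciphertext or
// tag, or use of the wrong key, makes gcm.Open return an error.
func DecryptFile(key, blob []byte) ([]byte, error) {
	if len(key) != keyLen {
		return nil, errors.New("key must be 32 bytes (AES-256)")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize()+gcm.Overhead() {
		return nil, errors.New("ciphertext too short to contain nonce and tag")
	}
	nonce, ct := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, nil)
}

func main() {
	key, err := GenerateKey()
	if err != nil {
		panic(err)
	}
	fmt.Println("key to share out of band:", hex.EncodeToString(key))

	// Constructed sample record standing in for the file written to the CD.
	record := []byte("MRN 000000; Jane Doe; lab results (constructed sample)")
	blob, err := EncryptFile(key, record)
	if err != nil {
		panic(err)
	}
	fmt.Printf("encrypted %d bytes -> %d bytes on disc\n", len(record), len(blob))

	// Simulate a disc altered in transit: flipping one bit must be detected.
	tampered := append([]byte(nil), blob...)
	tampered[len(tampered)-1] ^= 0x01
	if _, err := DecryptFile(key, tampered); err != nil {
		fmt.Println("tampered disc rejected:", err)
	}
}
```

The receiving side needs nothing beyond the agreed key and this layout (nonce, ciphertext, tag), which is the sort of detail the two organizations should write down alongside the choice of tool, so that a disc is still readable when staff or software change.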