This brings up the issue of proper data-handling practices. Basically, if the records are digitized, then proper controls must be in place to dictate who can access the information. Maybe that means having proper security set up on file shares. Perhaps these CDs and DVDs should be kept in a safe so they aren't accessible to everyone. Encrypting the data should also be considered, to make sure that even if the data is accessible, it's not readable without the key.
Of course, it is good practice to implement procedures to protect against data corruption and unauthorized changes, so storing the data on write-once media isn't a bad idea. But since you would only be storing a point in time backup (or replication) of the data in question, there is a cost there.
Based on my understanding of HIPAA, these types of storage mechanisms would be acceptable. Yet as with any regulation, that is ultimately going to be a judgment call of the examiner that shows up to assess your organization.
For more information:
This was first published in March 2008