Jon,
I was re-reading what I said before and did not mean to imply you are doing anything wrong. My concern is that the agent who becomes the custodian of the records on the thumb drive may inadvertently create a HIPAA breach, by losing it. However, the perceived custodian of the records on hand on the thumb drive or CD, would be you.
However, I think if you have a signed legal document on hand relinquishing you of being the caretaker of the records, in addition encryption of the records with a key to unencrypt once payment received, and a record of the transaction all documented the likelihood of being penalized would be significantly reduced if not nullified.
Also, it sounds like there are CD shredders, like paper shredders, so a CD might be the best device to use to put the records on as there will be a higher likelihood of being shredded once the agent is done with the CD. Also sounds like CD burners are reasonably inexpensive.
Just some further thoughts I had, but also my office manager showed me today where small offices are being targeted for HIPAA violations, and some small office in Idaho just got a 50,000 dollar fine.
So Gene thanks for asking about this as we all can learn from this. Personally, this is all new to me, and maybe I am being too paranoid, but just trying to figure how to best CMOA on this issue.