Not sure whether you're sentence parsing or what.
When health care data goes offshore, it's by definition "outsourcing", yes? In HIPAA language that would be "Protected Health Information is sent to an [offshore] Business Associate by a Covered Entity."
And under HIPAA regs, that scenario is specifically excluded from HIPAA protection, as I've been repeatedly posting.
Actually, yes I am. My reading of the regulation is that the Business Associate must comply with the regulation, and the Covered Entity is not liable for a BA's violation provided there is no negligence by the CE.