Here you go, for starters:
http://privacy.med.miami.edu/glossary/xd_business_associate.htm

DHHS has taken the position that covered entities are not liable for the privacy violations of business associates. However, if a covered entity becomes aware of a pattern of activity or practice by a business associate that constitutes a material breach, it must:
take reasonable steps to remedy the situation;
if such steps are not successful, terminate the contract or arrangement;
or if termination is not feasible, report the problem to DHHS.
Notwithstanding these provisions, failure to execute a business associate contract with "satisfactory assurances," or to take these corrective actions when the assurances are not met, could result in liability.
Thanks. I didn't think it would jibe with your ". . . whenever customer data goes offshore, it's by statute no longer subject to the privacy and security laws of the United States, e.g., HIPAA regs no longer apply."