I am a compliance consultant, seeing an increasing amount of concern from cloud service providers about customers/users sharing PHI via their platforms in clear violation of Terms of Service. (Depending on the platform, customers/users range from individuals to business associates to covered entities.) Specifically, the CSPs are concerned about whether allowing accounts in violation to remain active is somehow tacit acceptance of a business associate role.
Your response to a previous inquiry (https://hipaaqsportal.hhs.gov/a/idea-v2/166157) seems to indicate that a CSP that unwittingly receives and persists PHI disclosed by individuals, in violation of terms, is still a business associate. That's a very slippery slope!
Since business associates can be held directly liable under the Security Rule, even in the absence of a BAA, the CSPs who do not wish to fulfill business associate duties are anxious for clarification on this matter.
I urge you to consider this carefully, given the ramifications.