I am a compliance consultant, seeing an increasing amount of concern from cloud service providers about customers/users sharing PHI via their platforms in clear violation of Terms of Service. (Depending on the platform, customers/users range from individuals to business associates to covered entities.) Specifically, the CSPs are concerned about whether allowing accounts in violation to remain active is somehow tacit acceptance of a business associate role.
Your response to a previous inquiry (https://hipaaqsportal.hhs.gov/a/idea-v2/166157) seems to indicate that a CSP that unwittingly receives and persists PHI disclosed by individuals, in violation of terms, is still a business associate. That's a very slippery slope!
Since business associates can be held directly liable under the Security Rule, even in the absence of a BAA, the CSPs who do not wish to fulfill business associate duties are anxious for clarification on this matter.
I urge you to consider this carefully, given the ramifications.