An important HIPAA requirement is to set up Business Associate Agreements (BAAs) with vendors who will have access to a plan’s Protected Health Information (PHI). The BAA ensures that the vendor handles PHI in a manner consistent with the requirements of the HIPAA Privacy and Security Rules, as well as with your own privacy and security policies.
Note that the carriers of your organization’s fully-insured group plans are NOT considered Business Associates, so no BAA is needed for them. However, any third-party administrator (or other vendor) helping administer your health FSA will need to sign your organization’s BAA.