It's hard to say 100%, but it sounds like with the FSA you offer (and any protected health information that's handled as part of it) you might be what is considered a hybrid covered entity. A lot depends upon how you are managing your FSA plan, if you're outsourcing it, etc. I can't say for sure without knowing more about your business. I highly recommend that you get your (or a HIPAA) attorney involved to confirm this for sure.