Can an IT company be held liable for HIPAA violations