How do compliance audits differ from vulnerability scans in HIPAA