How do you handle HIPAA violations internally in an IT company