What are the requirements that a covered organization must take in order to be in compliance with HIPAA?