· Criminal penalties include possible imprisonment of up to one year and fines of up to $50,000 for knowing violations of the HIPAA privacy, security, or breach notification rules, with significantly higher potential penalties if the offense is made under false pretenses or for commercial advantage, personal gain, or malicious harm..