At the hospital where I work, this would be very serious and could lead to termination. If she gave her password to someone else, it's her fault, and since it was released on her password, there's no proof she isn't really the one who released the information against HIPAA policy. She knows the rules...
Yeah but all she has to do is show it is routine and she'll get $$$$$. The hospital isn't going to let someone die because a technician can't remember a userid/password. Borrowing userid/passwords is fairly common in the functional world. Especially if it took long periods to reset passwords.