You do realize that she needs the password to change the password and these are HIPAA protected files that are not so protected at the moment.
As to HIPAA, I see your point, but I think I am also still bound by HIPAA even post-termination? If so, then there is no risk factor here as I would still be held responsible. If not and only the company could be liable, then yeah it's fair to need to plug up that potential leak.