
Having an insanely strict password policy is begging to have 60% of the passwords written on a post-it near the keyboard of every user.


Yes, that happens at my work - most workers have a post-it note on the side of their monitors with various passwords written down - real secure.

Anything requiring permissions, passwords, group policy etc is a complete nightmare. I had this gem when I emailed Information Services this morning.

My email: "XXX has left the company and I've taken over their role. Can you please remove them as Owner of the following SharePoint site: YYY and make me the Owner instead."

IS's reply: "Please fill out a trouble ticket *"

I proceed to fill in a digital form. 2 hours later I get a terse reply.

"Hi ZZZZ, please contact the owner of site YYY and get them to adjust your permission. We are now closing your ticket."


Assuming at least some users are going to write down their passwords, I wonder if it would be appropriate to show them more secure ways to do that. Unfortunately, my "better" way is to stuff the sticky note in my wallet.

If I could find a device (w/ touch or keyboard for input) that fit into my pocket and has no wireless capabilities, then I would probably use that as a password manager.


In this case the people who need to be educated are the sysadmins. You need to make your password policy more inspired by this XKCD https://xkcd.com/936/ than by forcing incredibly hard to remember passwords.
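To make the XKCD 936 argument concrete, here is an added example (not from the original thread or any poster) that generates a random-word passphrase with a CSPRNG and computes the guessing entropy of a passphrase versus a random character-policy password. The word list is a small constructed sample and is an assumption; a real deployment would load a list of several thousand words (the XKCD comic assumes roughly 2048, i.e. 11 bits per word).

```python
import math
import secrets

# Constructed sample word list for illustration only (assumption). With only
# 32 words each pick is worth 5 bits, so in practice load a list of thousands
# of common words; the entropy functions below take the list size as input.
SAMPLE_WORDS = [
    "correct", "horse", "battery", "staple", "river", "candle", "orbit", "maple",
    "window", "pencil", "garden", "silver", "rocket", "button", "forest", "copper",
    "ladder", "marble", "velvet", "summer", "anchor", "basket", "comet", "dragon",
    "engine", "feather", "glacier", "harbor", "island", "jungle", "kettle", "lantern",
]


def passphrase_entropy_bits(wordlist_size: int, word_count: int) -> float:
    """Entropy of `word_count` words drawn uniformly (with replacement)
    from a list of `wordlist_size` words: log2(N^k) = k * log2(N)."""
    return word_count * math.log2(wordlist_size)


def charset_entropy_bits(charset_size: int, length: int) -> float:
    """Entropy of a truly random password of `length` symbols from an
    alphabet of `charset_size` symbols. Human-chosen policy passwords
    (Tr0ub4dor&3 style) fall well below this because the substitutions
    are predictable."""
    return length * math.log2(charset_size)


def words_needed(wordlist_size: int, target_bits: float) -> int:
    """Smallest number of words that reaches `target_bits` of entropy."""
    return math.ceil(target_bits / math.log2(wordlist_size))


def generate_passphrase(words: list[str], word_count: int = 4,
                        separator: str = " ") -> str:
    """Pick words with `secrets.choice` (CSPRNG, not `random`), so the
    entropy claimed by passphrase_entropy_bits actually holds."""
    if len(set(words)) != len(words):
        raise ValueError("word list must not contain duplicates")
    return separator.join(secrets.choice(words) for _ in range(word_count))


if __name__ == "__main__":
    # 4 words from a 2048-word list: the ~44 bits the comic cites.
    print("4 words / 2048-word list:", passphrase_entropy_bits(2048, 4), "bits")
    # 4 words from the 7776-word diceware-sized list: ~51.7 bits.
    print("4 words / 7776-word list:", round(passphrase_entropy_bits(7776, 4), 1), "bits")
    # A *random* 8-char password over 95 printable ASCII chars: ~52.6 bits.
    print("random 8 chars / 95 symbols:", round(charset_entropy_bits(95, 8), 1), "bits")
    print("words for 64 bits from 7776-word list:", words_needed(7776, 64))
    print("sample passphrase:", generate_passphrase(SAMPLE_WORDS))
```

The point the numbers make is that a policy can mandate a minimum entropy (e.g. "at least five random dictionary words from an approved list") instead of character-class rules, and the user ends up with something memorable rather than a post-it.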


Unfortunately, not having a strict password policy very likely violates HIPAA.

I don't think anyone wants to be the one to reduce the security of the HIPAA requirements.


Also

password policy not strict -> IT manager gets blamed in case of issue

password written down -> sucker who wrote it down gets blamed in case of issue

Person who decides policy is IT manager... Cover-your-ass politics.



