It's never a good idea to walk, drive or otherwise deliver medical information other than electronically or by US mail (although that can be risky....), but unless your employee specifically disclosed this patient's healthcare information to someone else, she hasn't really violated HIPAA. You may want an office policy with regards to how your surgical instructions should be communicated to patients, so that people aren't driving records all over town. Depending on what's in the surgical instructions, she may not have even delivered PHI...PHI is defined as
demographic information, medical history, test and laboratory results, insurance information and other data that is collected by a health care professional to identify an individual and determine appropriate care. So if none of that was on the surgical instructions, she didn't even have PHI in her posession.
Remember the incident in Boston a few years back when a billing manager left a folder of claims and bililing reports on the subway? That's the kind of issue that's a HIPAA violation.