Congress is going to give health care entities an exception to notify people if they get broken into as long as they use cryptography.
A large percentage of compelled data breach notifications involve accidental data loss - an employee loses their laptop or some backup tapes get misplaced and no one can account for them. If in such cases the data was properly encrypted, it hasn't necessarily been exposed. I think it's reasonable for the state to allow entities to forgo notifications in these cases. These kinds of exceptions give these entities a reason to invest in encrypting data at rest, and they have motivated large scale adoption of encryption in corporate environments in recent years.
The question is - exactly what kinds of encryption are considered adequate. The Federal Register notification linked through this article says "The guidance specified encryption and destruction as the technologies and methodologies for rendering protected health information, as well as PHR identifiable health information under section 13407 of the Act and the FTC’s implementing regulation, unusable, unreadable, or indecipherable to unauthorized individuals such that breach notification is not required. The RFI asked for general comment on this guidance as well as for specific comment on the technologies and methodologies to render protected health information unusable, unreadable, or indecipherable to unauthorized individuals."
If this is something that concerns you, I'd suggest digging up that guidance and checking to see if you think the requirements are adequate.