If you are asking about encryption during Health Data Exchange, NDHM protocols use DF Key Change where HIUs would create keys and send over to HIP during data flow and HIP would use the key materials, (in combination of its own keys) and send over to the HIU as keymaterial, which HIU can use to decrypt. Please refer to the sandbox documentation for details
The documentation provides examples in Java and C#
Once the data is received at HIU, and decrypted - its upto the HIU to figure out means of keeping the data safe and secure. HIU should use its own means/keys. We strongly advise that you keep data in a secure and encrypted storage - e.g. encrypted databases, encrypted files, even secure manage the key itself. As per consent given, the HIU is obligated to keep the data secure and accessible for intended purpose and target users, and also remove the data when expiry as per consent happens or when consent is revoked by patient.