CMS’ Stage 2 Electronic Health Record Incentive Programs Final Rule and CMS MU stage 2 guidance explain that eligible professionals or hospitals must conduct or review a security risk analysis that includes addressing the encryption/security of data stored in certified EHR technology.
ONC’s 2014 Edition Standards and Certification Criteria explains that if data is locally stored on a mobile device that is a certified EHR technology, the EHR technology must be designed to encrypt the locally stored electronic health information by default.