KMS Encrypted CloudTrail Log Collection

Article ID: 283489


Products

CloudHealth

Issue/Introduction

CloudHealth is able to collect KMS encrypted CloudTrail logs. 

Resolution

To enable collection, the policy for the key needs to be configured to grant the CloudHealth (CH) user/role permission to decrypt.

Note that this is how KMS works and is not specific to CH. You can find more details here: https://docs.aws.amazon.com/awscloudtrail/latest/userguide/encrypting-cloudtrail-log-files-with-aws-kms.html

If decrypt permission is not granted, the account will still show healthy but the platform won’t be able to collect the CloudTrail events.
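
Because the account still shows healthy when the permission is missing, it helps to check the key policy document directly. The following is an added example, not CloudHealth or AWS code: it classifies an exported key policy for a given role. The account ID, the role name `CloudHealthRole` and the sample statements are constructed, and conditions, KMS grants and the role's own IAM policy are not evaluated.

```python
import fnmatch

ROLE = "arn:aws:iam::111122223333:role/CloudHealthRole"  # constructed, hypothetical name

def _as_list(v):
    return v if isinstance(v, list) else [v]

def _covers_decrypt(stmt):
    # IAM action names are case-insensitive and may use * wildcards.
    return any(fnmatch.fnmatchcase("kms:decrypt", a.lower())
               for a in _as_list(stmt.get("Action", [])))

def decrypt_status(key_policy, role_arn):
    """Classify a key policy as 'denied', 'allowed', 'iam-delegated' or 'not-granted'.
    Simplification: conditions, KMS grants and the role's IAM policy are not evaluated."""
    root = "arn:aws:iam::%s:root" % role_arn.split(":")[4]
    status = "not-granted"
    for stmt in _as_list(key_policy.get("Statement", [])):
        if not _covers_decrypt(stmt):
            continue
        p = stmt.get("Principal", {})
        principals = ["*"] if p == "*" else _as_list(p.get("AWS", []))
        direct = role_arn in principals or "*" in principals
        if stmt.get("Effect") == "Deny" and (direct or root in principals):
            return "denied"  # conservative: a Deny naming the account is treated as covering the role
        if stmt.get("Effect") == "Allow":
            if direct:
                status = "allowed"
            elif root in principals and status == "not-granted":
                status = "iam-delegated"  # key policy defers to IAM; check the role's IAM policy
    return status

# Constructed sample statements.
CLOUDTRAIL_ENCRYPT = {"Effect": "Allow",
                      "Principal": {"Service": "cloudtrail.amazonaws.com"},
                      "Action": "kms:GenerateDataKey*", "Resource": "*"}
ROLE_DECRYPT = {"Effect": "Allow", "Principal": {"AWS": ROLE},
                "Action": "kms:Decrypt", "Resource": "*"}
ROOT_ADMIN = {"Effect": "Allow",
              "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
              "Action": "kms:*", "Resource": "*"}

def policy(*statements):
    return {"Version": "2012-10-17", "Statement": list(statements)}

if __name__ == "__main__":
    for name, doc in [("encrypt-only", policy(CLOUDTRAIL_ENCRYPT)),
                      ("root-delegation", policy(CLOUDTRAIL_ENCRYPT, ROOT_ADMIN)),
                      ("explicit-decrypt", policy(CLOUDTRAIL_ENCRYPT, ROLE_DECRYPT))]:
        print(name, "->", decrypt_status(doc, ROLE))
```

A result of `not-granted` or `denied` corresponds to the case described above, where the account looks healthy but CloudTrail events cannot be collected.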