First, everything interesting that providers do, they do on the target node. Hiera data, on the other hand, live primarily on the node hosting the catalog builder. Those are the same node when applying catalogs via 'puppet apply', but they are usually different nodes when applying catalogs via 'puppet agent'. It's unclear which is your scenario, but if you're running the agent (== running Puppet as a service) then your provider likely cannot perform hiera lookups because the data are not available to it in the first place.
Second, even if the data were available, if they include both key and encrypted data then you gain very little security, because anyone who can obtain the data can also obtain the key. Same if you transmit the encryption key inside your catalogs or hard-code it into your provider implementation. Encryption just isn't very secure overall without additional secure measures for key storage and/or key generation and exchange.
Overall, I don't see much to be gained. Catalog data are already encrypted on the wire between master and agent (SSL / TLS), with both parties authenticating. This is pretty good protection against data being stolen in transit. As for protecting sensitive data once it reaches target nodes, however, your first and best and perhaps only real protection is the authentication and access control measures of that machine. If you are unwilling to trust those, then the only solution is to altogether avoid giving the node sensitive data.
John