DETAILED ACTION
This communication is a Corrected Notice of Allowance. Before this action, the claims were allowed on 02/18/2021.

Examiner’s amendments
Authorization for these amendments were given in an interview on 03/11/2021 with Zachary Pratt (see attached interview summary). The Application has been amended as follows:

1.	(Previously Amended) A patient information management system for matching a patient with their health records, comprising:
a cloud-based application server, comprising a database having patient demographic records stored thereon, the patient demographic records being linked to one or more electronic medical records (EMRs) on a healthcare entity’s electronic medical record system (EMR system), the cloud-based application server configured to retrieve, over a network, EMRs from one or more EMR systems to a corresponding patient demographic record stored in the database;
a client application interface provided on a healthcare entity computing device, the client application interface being configured to communicate with the cloud-based application server, the healthcare entity computing device being physically located at a client healthcare entity such that EMR systems, other than the EMR systems of the client healthcare entity, being inaccessible by healthcare entity computing device; and 
a mobile security token generated by the cloud-based application server and provided on a patient computing device separate and distinct from the healthcare entity computing device, the mobile security token being configured to communicate with the cloud-based application server, wherein the 
link the patient computing device to the mobile security token in the patient demographic record,
in response to receiving a request for patient authentication for a particular patient from the healthcare entity computing device, generate a one-time verification code for the particular patient, wherein the one-time verification code comprises a dynamic code that changes for each request at the healthcare entity computing device,
send the one-time verification code generated by the cloud-based application server to the healthcare entity computing device,
receive an indication of the one-time verification code and an indication of the mobile security token from the patient computing device, and
in response to receiving the indication of the one-time verification code and the indication of the mobile security token from the patient computing device, determine that the one-time verification code matches the generated one-time verification code and that the mobile security token matches an expected mobile security token stored in the patient demographic record, and thereby authenticate the particular patient.

2.	(Original) The patient information management system of claim 1, wherein, when the patient is authenticated, the cloud-based application service is further configured to:
access the patient’s EMR stored on a healthcare entity’s EMR system, and
release the EMR to at least one of the client application interface or the patient computing device. 



4.	(Original) The patient information management system of claim 3, wherein at least one of the two authenticators is the mobile security token. 

5.	(Previously Amended) The patient information management system of claim 1, wherein the healthcare entity computing device includes a Point-of-Sale (POS) device configured to accept payment from the patient for the healthcare services.

6.	(Previously Amended) The patient information management system of claim 5, wherein the patient computing device is a smartphone configured to read the one-time verification code generated by the cloud-based application server to the healthcare entity computing device.

7.	(Original) The patient information management system of claim 5, wherein the mobile security token corresponds to a unique identifier for each patient.

8.	(Previously Amended) A method of accessing a patient’s information from multiple electronic medical record (EMR) systems, comprising:
providing a patient information management system, comprising:
a cloud-based application server, comprising a database having patient demographic records stored thereon, the cloud-based application server being connected to one or more electronic medical record systems (EMR systems) over a network, each EMR system being inaccessible by other EMR systems,

a mobile security token generated by the cloud-based application server and provided on a patient computing device separate and distinct from the healthcare entity computing device, wherein the mobile security token is unique for each patient in the one or more EMRs;
in response to receiving a request for patient authentication for a particular patient from the healthcare entity computing device, generating, by the cloud-based application server, a one-time verification code for the particular patient, wherein the one-time verification code comprises a dynamic code that changes for each request at the healthcare entity computing device;
sending, from the cloud-based application server, the one-time verification code generated by the cloud-based application server to the healthcare entity computing device;
using the patient computing device to read the one-time verification code sent to the healthcare entity computing device; 
receiving, by the cloud-based application server and from the patient computing device, an indication of the one-time verification code and an indication of the mobile security token;
determining that the one-time verification code matches the generated one-time verification code and that the mobile security token matches an expected mobile security token stored in the patient demographic record; and
authenticating the patient using the linked mobile security token prior to accessing and/or releasing the patient’s EMR from an EMR system.  

9.	(Currently Amended) The method of claim [[9]] 8, further comprising, querying the database to access at least one field of a patient demographic record, after the patient is validated.

9, further comprising, using the at least one field of the patient demographic record to access the patient’s EMR corresponding to the patient demographic record linked to the mobile security token.

11.	(Original) The method of claim 10, wherein the at least one field is a medical record number (MRN).

12.	(Previously Amended) The method of claim 9, wherein, at the one-time verification code sent from the cloud-based application server to the healthcare entity computing device is used to generate a QR code, the QR code comprising encoded data, the encoded data comprising physical location of the healthcare entity computing device and/or time of patient visit. 

13.	(Previously Amended) The method of claim 12, further comprising, reading the QR code displayed on the healthcare entity computing device using the mobile security token.

14.	(Previously Amended) The method of claim 13, further comprising, sending a different QR code to the healthcare entity computing device each time the patient is to be authenticated. 

15.	(Previously Amended) The method of claim 12, further comprising, automatically stop accepting the QR code sent to the healthcare entity computing device as a valid one-time verification code after a predetermined interval of time. 



17.	(Original) The method of claim 12, further comprising, establishing a first communication pathway between the patient computing device and the cloud-based application server.

18.	(Original) The method of claim 17, further comprising establishing a second communication pathway between the client application interface and the cloud-based application server. 

19.	(Original) The method of claim 18, whereby, the first and second communication pathways are independent of each other. 

20.	(Original) The method of claim 18, wherein the one-time verification code is sent from the cloud-based application server to the client application interface over the second communication pathway.

21.	(Original) The method of claim 20, wherein the one or more authenticators are read by the patient computing device and confirmation thereof is sent to the cloud-based application server using the first communication pathway. 

22.	(Previously Amended) A method of linking a patient’s demographic data stored on a cloud-based application server to an Electronic Medical Record (EMR) system of a client healthcare entity, comprising:

providing a mobile security token, generated by the cloud-based application server, on a patient computing device, wherein the mobile security token is unique for each patient in the EMR;
in response to receiving a request for patient authentication for a particular patient from a healthcare entity computing device separate and distinct from the patient computing device, generating, from a cloud-based application server, a one-time verification code for the particular patient, wherein the one-time verification code comprises a dynamic code that changes for each request at the healthcare entity computing device; 
sending the one-time verification code generated by the cloud-based application server to the healthcare entity computing device located at the client healthcare entity, the healthcare entity computing device being in communication with the cloud-based application server; 
generating a location and/or time of visit encoded QR code based on the one-time verification code;
displaying the QR code using the healthcare entity computing device;
using the patient computing device to read the single-use QR code and to send the one-time verification code and the mobile security token to the cloud-based server, thereby confirming that the patient is physically present at the same location as the healthcare entity computing device; 
performing, using the cloud-based application server, an automated matching exercise to determine if another record exists in the cloud-based application server or another EMR system in communication therewith, that matches patient data captured; and
linking the mobile security token to the patient computing device and a patient record created and stored in the cloud-based application server. 



24. 	(Previously Amended) The method of claim 23, wherein the patient-selected encryption key is received by the cloud-based application server from at least one of the healthcare entity computing device and the patient computing device. 

25.	(Original) The method of claim 23, wherein the patient-selected encryption key is received during a patient’s initial visit to the client healthcare entity.


Reasons for Allowance
Claims 1-25 are allowable over the prior art. The Examiner’s reasons are described below.

The closest prior art is Van de Craen (WO 2014206795 A1), Varadarajan (USP App. Pub. No. 2013/0124855), and Ramesh (“Implementing One Time Password Based Security Mechanism for Securing Personal Health Records in Cloud”). Van de Craen discloses various workflows for managing a personal health record (PHR) including using tokens to permit access (e.g., page 4 lines 26-30). Varadarajan discloses techniques for using a one-time password for authenticating a user (e.g., par. [0042] and [0063]). Ramesh discloses a mechanism for securing personal health records using one time passwords (Abstract).
The instant claims are distinguished from these references because of at least the following limitations: in response to receiving a request for patient authentication for a particular patient from the healthcare entity computing device, generate a one-time verification code for the particular patient, wherein the one-time verification code comprises a dynamic code that changes for each request at the healthcare entity computing device, send the one-time verification code generated by the cloud-based application server to the healthcare entity computing device, [and] receive an indication of the one-time verification code and an indication of the mobile security token from the patient computing device. The claims recite a mobile security token that is distinct from Van de Craen, Varadarajan, or Ramesh because it is created by the server, unique to each patient, and is stored on a patient device and additionally because the server generates a one-time verification code that is unique to the particular authentication request received by the server for the patient device that is sent to a separate client device. Furthermore, unlike Van de Craen, Varadarajan, or Ramesh the patient device is then responsible for sending both an indication of the one-time verification code and the mobile security token back to the server for verification and both the one-time verification code and the mobile security token are generated by the server before sending these objects to the respective computing devices.
These limitations, when viewed in context with the rest of the claim limitations are not taught by the art of record nor would they have been otherwise obvious to one of ordinary skill in the art.

Claims 1-25 recite patent eligible subject matter. The Examiner’s reasons are described below.

The claimed invention recites an abstract idea in Step 2A Prong One because it recites various method of organizing human activity, namely techniques for matching a patient with his or her medical records. However in Step 2A Prong Two, the claimed invention as a whole integrates the idea into a practical application by including steps that go beyond merely applying the judicial exception with a computer, adding significant extra-solution activity, or generally linking the use of the judicial exception to a particular technological environment such as: in response to receiving a request for patient authentication for a particular patient from the healthcare entity computing device, generate a one-time verification code for the particular patient, wherein the one-time verification code comprises a dynamic code that changes for each request at the healthcare entity computing device, send the one-time verification code generated by the cloud-based application server to the healthcare entity computing device, [and] receive an indication of the one-time verification code and an indication of the mobile security token from the patient computing device. These features, in context with the other claims, provide a patient authentication technique that is “more secure relative to traditional security token based systems because [of] multiple modes of authentication” (see the instant Specification par. [0045]).

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to JOSHUA BLANCHETTE whose telephone number is (571)272-2299. The examiner can normally be reached on Monday - Thursday 7:30AM - 6:00PM, EST. Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice. 
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Janice Mooneyham can be reached on (571) 272-6805. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300. 
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system. Status information for published applications may be obtained from either Private PAIR or Public PAIR. Status information for unpublished applications is available through Private PAIR only. For more information about the PAIR system, see http://pair-

/JOSHUA B BLANCHETTE/Examiner, Art Unit 3626