Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
DETAILED ACTION
This office action is in response to the communication filed on 5/8/2019.
Claims 1-4 have been examined.


Information Disclosure Statement
The information disclosure statement (IDS) submitted on 5/8/2019 is in compliance with the provisions of 37 CFR 1.97.  Accordingly, the information disclosure statement is being considered by the examiner.

Specification
Applicant is reminded of the proper language and format for an abstract of the disclosure.

The abstract should be in narrative form and generally limited to a single paragraph on a separate sheet within the range of 50 to 150 words.  The form and legal phraseology often used in patent claims, such as "means" and "said," should be avoided.  The abstract should describe the disclosure sufficiently to assist readers in deciding whether there is a need for consulting the full patent text for details.

The language should be clear and concise and should not repeat information given in the title.  It should avoid using phrases which can be implied, such as, "The disclosure concerns," "The disclosure defined by this invention," "The disclosure describes," etc.

The abstract of the disclosure is objected to because the abstract contains phrases which can be implied.  Correction is required.  See MPEP § 608.01(b).


Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains.  Patentability shall not be negated by the manner in which the invention was made.


Claims 1 and 3 are rejected under 35 U.S.C. 103 as being unpatentable over Hare (US Patent Number 8,843,997), and further in view of Raas (US Patent Application Publication Number 2013/0024429), and further in view of Duri et al. (US Patent Application Publication Number 2004/0054918), and further in view of Patrick (US Patent Application Publication Number 2006/0259977). 
Regarding claims 1 and 3, Hare taught a system and a method comprising: 
receiving, by an automated data custodian system, an electronic record or an electronic data stream destined for a receiving system and tagged (Hare Col. 51 Line 45 – Col. 52 Line 18 and Col. 52 Lines 43 – Col. 53 Line 13) which enables automated compliance and enforcement with each of a subject of record authorization, an organizational policy, and a government regulation (Hare Col. 52 Lines 1-25), and sending, by the automated data custodian system, the electronic record or electronic data stream tagged with the security label to the receiving system 
Raas taught a system for tagging records with a security label that enables automated compliance and enforcement of access restrictions (Raas Paragraphs 0007 and 0012).
It would have been obvious to the person having ordinary skill in the art before the effective filing date of the invention to have employed the teachings of Raas in the medical record tagging system of Hare by tagging the records with management parameters including access restrictions.  This would have been obvious because the person having ordinary skill in the art at the time of application would have been motivated to ensure consistent compliance with record management requirements.  
Hare and Raas did not teach:
determining, by at least one of the automated data custodian system and the receiving system, and in accordance with the security label of the received electronic record or electronic data stream, whether the receiving system is configured to guarantee the automated compliance and enforcement; 
when the determining determines that the receiving system is configured to guarantee the automated compliance and enforcement, sending, by the automated data custodian system, the electronic record or electronic data stream tagged with the security label to the receiving system;
 when the determining determines that the receiving system is not configured to guarantee the automated compliance and enforcement, modifying, by the automated data custodian system, the received electronic record or electronic data stream to comply with the security label, so that the automated data custodian system thereby guarantees the automated compliance and enforcement by the receiving system, and sending, by the automated data 
Duri taught a privacy policy enforcement system which receives a request for a record, the request including the privacy policy of the requesting device (Duri Paragraphs 0020-0024 and 0046 for example), and the enforcement system determining whether the receiving system is configured to guarantee the automated compliance and enforcement (Duri Paragraphs 0020-0024 and 0046 for example); 
when the determining determines that the receiving system is configured to guarantee the automated compliance and enforcement, sending, by the automated data custodian system, the electronic record or electronic data stream tagged with the security label to the receiving system (Duri Paragraphs 0020-0024 and 0046 for example).
It would have been obvious to the person having ordinary skill in the art before the effective filing date of the invention to have employed the teachings of Duri in the privacy protection system of Hare and Raas by utilizing the policy comparison requirement checking method before sending the records to the recipient.  This would have been obvious because the person having ordinary skill in the art would have been motivated to guarantee compliance with the privacy requirements of the records.  
Hare, Raas, and Duri did not explicitly teach when the determining determines that the receiving system is not configured to guarantee the automated compliance and enforcement, modifying, by the automated data custodian system, the received electronic record or electronic data stream to comply with the security label, so that the automated data custodian system thereby guarantees the automated compliance and enforcement by the receiving system, and 
Patrick taught that data redaction can be performed dynamically upon access request based upon information included in the received request (requestor identification) such that data which the requestor is permitted to access is provided and data to which the requestor is not authorized to view is redacted in the response (Patrick Paragraph 0077).
It would have been obvious to the person having ordinary skill in the art before the effective filing date of the invention to have employed the teachings of Patrick in the record access system of Hare, Raas, and Duri by dynamically redacting data from the record to which the requestor does not have authorization to view.  This would have been obvious because the person having ordinary skill in the art would have been motivated to only allow viewing of data to which the requestor is authorized to view while protecting the data the requestor is not allowed to view.
Furthermore, it was well known in the art before the effective filing date of the invention for medical records to have access restrictions based upon a subject of record authorization (the patient's authorization), an organization policy (provider policy), and a government regulation (HIPAA or state laws).  This is evidenced throughout the teachings of Hare (Hare Col. 52 Lines 19-25).  As such, it would have been obvious to the person having ordinary skill in the art before the effective filing date of the invention to have employed the medical data redaction system of Hare, Raas, Duri and Patrick to enforce such access restrictions.

s 2 and 4 are rejected under 35 U.S.C. 103 as being unpatentable over Hare, Raas, Duri and Patrick as applied to claims 1 and 3 above, and further in view of Cook et al. (US Patent Number 8,726,009).
While Hare, Raas, Duri, and Patrick taught when the determining determines that the receiving system is configured to guarantee the automated compliance and enforcement, and prior to the automated data custodian system sending the electronic record or electronic data stream tagged with the security label to the receiving system, 
encrypting the electronic record or electronic data stream tagged with the security label, wherein the sending, by the automated data custodian system, the electronic record or electronic data stream tagged with the security label to the receiving system, sends the encrypted electronic record or electronic data stream tagged with the security label (Hare Col. 22 Lines 36-42), and 
when the determining determines that the receiving system is not configured to guarantee the automated compliance and enforcement, and prior to the automated data custodian system sending the modified electronic record to data stream to the receiving system,
encrypting the modified electronic record or electronic data stream, wherein the sending, by the automated data custodian, the modified electronic record or electronic data stream, sends the encrypted, modified electronic record or electronic data stream (Hare Col. 22 Lines 36-42),
but did not explicitly teach  
determining, by the automated data custodian system in accordance with at least one of the subject of record authorization, the organizational policy, and the government regulation, whether the electronic record or electronic data stream tagged with the 
when the determining determines that the receiving system is not configured to guarantee the automated compliance and enforcement, and prior to the automated data custodian system sending the modified electronic record to data stream to the receiving system, determining, by the automated data custodian system in accordance with at least one of the subject of record authorization, the organizational policy, and the government regulation, whether the modified electronic record or electronic data stream is to be encrypted, and when the automated data custodian system determines that the modified electronic record or electronic data stream is to be encrypted, encrypting the modified electronic record or electronic data stream, wherein the sending, by the automated data custodian, the modified electronic record or electronic data stream, sends the encrypted, modified electronic record or electronic data stream, and when the automated data custodian system determines that the modified electronic record or electronic data stream is not to be encrypted, the sending, by the automated data custodian, the modified electronic record or electronic data stream, sends the unencrypted, modified electronic record or electronic data stream to the receiving system.
Cook taught that prior to sending a message, based upon policies, the system can determine whether or not encryption is required, and when encryption is required by the policies, 
It would have been obvious to the person having ordinary skill in the art before the effective filing date of the invention to have employed the teachings of Cook in the privacy protection system of Hare, Raas, Duri and Patrick by including encryption requirements in the policies, and encrypting the data for transmission when encryption was required by the policies and sending the data unencrypted when encryption was not required by the policies.  This would have been obvious because the person having ordinary skill in the art would have been motivated to ensure that private information being transmitted is protected from illicit access, while not wasting processing resources through encrypting data that does not require the privacy afforded by encryption.


Double Patenting
The nonstatutory double patenting rejection is based on a judicially created doctrine grounded in public policy (a policy reflected in the statute) so as to prevent the unjustified or improper timewise extension of the “right to exclude” granted by a patent and to prevent possible harassment by multiple assignees. A nonstatutory double patenting rejection is appropriate where the claims at issue are not identical, but at least one examined application claim is not patentably distinct from the reference claim(s) because the examined application claim is either anticipated by, or would have been obvious over, the reference claim(s). See, e.g., In re Berg, 140 F.3d 1428, 46 USPQ2d 1226 (Fed. Cir. 1998); In re Goodman, 11 F.3d 1046, 29 USPQ2d 2010 (Fed. Cir. 1993); In re Longi, 759 F.2d 887, 225 USPQ 645 (Fed. Cir. 1985); In re Van Ornum, 686 In re Thorington, 418 F.2d 528, 163 USPQ 644 (CCPA 1969).
A timely filed terminal disclaimer in compliance with 37 CFR 1.321(c) or 1.321(d) may be used to overcome an actual or provisional rejection based on a nonstatutory double patenting ground provided the reference application or patent either is shown to be commonly owned with this application, or claims an invention made as a result of activities undertaken within the scope of a joint research agreement. See MPEP § 717.02 for applications subject to examination under the first inventor to file provisions of the AIA  as explained in MPEP § 2159.  See MPEP §§ 706.02(l)(1) - 706.02(l)(3) for applications not subject to examination under the first inventor to file provisions of the AIA . A terminal disclaimer must be signed in compliance with 37 CFR 1.321(b). 
The USPTO Internet website contains terminal disclaimer forms which may be used. Please visit www.uspto.gov/forms/. The filing date of the application in which the form is filed  determines what form (e.g., PTO/SB/25, PTO/SB/26, PTO/AIA /25, or PTO/AIA /26) should be used. A web-based eTerminal Disclaimer may be filled out completely online using web-screens. An eTerminal Disclaimer that meets all requirements is auto-processed and approved immediately upon submission. For more information about eTerminal Disclaimers, refer to http://www.uspto.gov/patents/process/file/efs/guidance/eTD-info-I.jsp.
Claims 1 and 3 are rejected on the ground of nonstatutory double patenting as being unpatentable over claims 3 and 4 of U.S. Patent No. 9,800,582. Although the claims at issue are not identical, they are not patentably distinct from each other because the instant claims are essentially anticipated by the patent claims.

Cook taught that prior to sending a message, based upon policies, the system can determine whether or not encryption is required, and when encryption is required by the policies, encrypting the message and then sending the encrypted message, and when encryption is not required, sending the message unencrypted (Cook Col. 6 Line 47 – Col. 7 Line 2).
It would have been obvious to the person having ordinary skill in the art before the effective filing date of the invention to have employed the teachings of Cook the patent system by including encryption requirements in the policies, and encrypting the data for transmission when encryption was required by the policies and sending the data unencrypted when encryption was not required by the policies.  This would have been obvious because the person having ordinary skill in the art would have been motivated to ensure that private information being transmitted is protected from illicit access, while not wasting processing resources through encrypting data that does not require the privacy afforded by encryption.

Conclusion
Claims 1-4 have been rejected.
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. 
US 2010/0024037 taught a system in which a policy enforcer determined whether or not encryption would be required and then acting accordingly.
US 2003/0088520 taught a system in which a requesting entity’s policies would be compared to policy requirements for data and if the requesting entity’s policies did not meet the requirements, for a piece of data, the data would be omitted from the requested response.

Any inquiry concerning this communication or earlier communications from the examiner should be directed to MATTHEW T HENNING whose telephone number is (571)272-3790.  The examiner can normally be reached on Monday- Thursday 9AM-5PM EST.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Ashok Patel can be reached on (571)272-3972.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.