DETAILED ACTION

Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

Status of Claims

In the amendment filed on 26 November 2021, the following changes have been made: amendments to claims 1-5, 7, 9-12, 16, and 18-20. Claims 8 and 15 are cancelled.
Claims 1-7, 9-14, and 16-20 are currently pending and have been examined.

Information Disclosure Statement
The information disclosure statements (IDS) were submitted on 12/14/2021. The submission is in compliance with the provisions of 37 CFR 1.97. Accordingly, the information disclosure statement has been considered by the examiner.


Notice to Applicant
In light of the specification [0076], report is interpreted to also mean message.

Claim Rejections - 35 USC § 101
35 U.S.C. 101 reads as follows:
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.

Claims 1-7, 9-14, and 16-20 are rejected under 35 U.S.C. 101 because the claimed invention is directed to a judicial exception (i.e., a law of nature, a natural phenomenon, or an abstract idea) without significantly more.  
The claim(s) recite(s) subject matter within a statutory category as a process (claims 1-7 and 9-10), machine (claims 11-14 and 16-17), and article of manufacture (claims 18-20) which recite steps of monitoring, using an artificial intelligence learning module stored in memory and executed by a processor, a plurality of access events to a health information of a user by one or more devices at a health information exchange server implemented over a blockchain network; identifying one or more criteria associated with a typical access pattern to the health information exchange server based on the plurality of access events; comparing a new access request from a device to the health information exchange server with the one or more criteria of access behavior associated with the typical access pattern to determine unusual access behavior corresponding to malicious attempts to breach the health information; and transmitting an encrypted report to the user in response to the unusual access behavior, wherein the encrypted report is includes information derived from the new access request.

Step 2A Prong 1

Dependent claims recite additional subject matter which further narrows or defines the abstract idea embodied in the claims (such as claims 2-7, 9-10, 12-14, 16-17, and 19-20, reciting particular aspects enhancing security of data in a health care network such as user’s health information comprising blood pressure, heart rate, and the number of steps moved per day, monitoring the plurality of access events by parsing a data request, comparing the access event with a datum stored in an insecure behavior database, providing a datum in the access request to a securer module when the datum has no match in an insecure behavior database, requesting an additional encrypted key when the access request is not a typical access pattern, storing the access request in an insecure behavior database for comparing with a another access request, stripping a user information from the access request and sending an alert with 

Step 2A Prong 2
This judicial exception is not integrated into a practical application. In particular, the additional elements do not integrate the abstract idea into a practical application, other than the abstract idea per se, because the additional elements amount to no more than limitations which:
amount to mere instructions to apply an exception (such transmitting an encrypted report to the user in response to the unusual access behavior amounts to invoking computers as a tool to perform the abstract idea, see applicant’s specification [0027] to [0080], see MPEP 2106.05(f))
add insignificant extra-solution activity to the abstract idea (such as recitation of comparing a new access request from a device to the health information exchange server with the one or more criteria of access behavior associated with the typical access pattern to determine unusual access behavior amounts to selecting a particular data source or type of data to be manipulated, and recitation of monitoring, using an artificial intelligence learning module amounts to insignificant application, see MPEP 2106.05(g))
claims 2-7, 9-10, 12-14, 16-17, and 19-20 recite additional subject matter which amount to limitations consistent with the additional elements in the independent claims (such as claims 5, 7, 10, 12-14, 17, and 20 additional limitations which amount to invoking computers as a tool to perform the abstract idea, claims 2, 6, and 13 additional limitations which add insignificant extra-solution activity to the abstract idea which amounts to mere data gathering, and claims 3-4, 9, 16, and 19 , additional limitations which add insignificant extra-solution activity to the abstract idea by selecting a particular data source or type of data to be manipulated). Looking at the limitations as an ordered combination adds nothing that is not already present when looking at the elements taken individually. There is no indication that the combination of elements improves the functioning of a computer or improves any other technology.  Their collective functions merely provide conventional computer implementation and do not impose a meaningful limit to integrate the abstract idea into a practical application.

Step 2B
The claim(s) 
amount to elements that have been recognized as well-understood, routine, and conventional activity in particular fields such as transmitting an encrypted report to the user in response to the unusual access behavior, e.g., receiving or transmitting data over a network, Symantec, MPEP 2106.05(d)(II)(i); comparing a new access request from a device to the health information exchange server with the one or more criteria of access behavior associated with the typical access pattern to determine unusual access behavior, e.g., performing repetitive calculations, Flook, MPEP 2106.05(d)(II)(ii); monitoring, using an artificial intelligence learning module, see Saxena et al. [0032] “Cognitive systems achieve these abilities by combining various aspects of artificial intelligence…..” [0316] “In certain embodiments, a notification message is then sent to various healthcare-related caregivers as a result of the generation of a healthcare-related, blockchain-associated cognitive insight 1302 for improving patient services 1308. As an example, various caregivers associated with a patient may receive notification that one or more EHRs corresponding to the patient have been accessed by another caregiver”, US20180165588A1, MPEP 2106.05(d).
Dependent claims recite additional subject matter which, as discussed above with respect to integration of the abstract idea into a practical application, amount to invoking computers as a tool to perform the abstract idea.  Dependent claims recite additional subject matter which amount to limitations consistent with the additional elements in the independent claims. Looking at the limitations as an ordered combination adds nothing that is not already present when looking at the elements taken individually. There is no 

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

The factual inquiries set forth in Graham v. John Deere Co., 383 U.S. 1, 148 USPQ 459 (1966), that are applied for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.

Claims 1 and 3-7, 9-14, and 16-20 are rejected under 35 U.S.C. 103 as being unpatentable over Bulliet et al. (US20180060496A1) in view of Saxena et al. (US20180165588A1). 
Regarding claim 1, Bulliet discloses identifying one or more criteria associated with a typical access pattern to the health information exchange server based on the plurality of access events ([0051] “The environment 100, as described herein, allows for secure and standardized access to HIRs, as well as a mechanism for HIR providers, such as the entities that control the resource system(s) 150 to offload liability associated with the management of the HIRs. Such an environment 100 with standardized access and liability management of HIRs, allows for the development of customized healthcare applications, such as by the application developer(s) 130.”)
comparing a new access request from a device to the health information exchange server with the one or more criteria of access behavior associated with the typical access pattern to determine unusual access behavior corresponding to malicious attempts to breach the health information ([0076] “The independent authority system(s) 170 may compare information elements in the body of personal information about the user 102 to corresponding elements in the personal identification information of the user 102, as received from value-added certificate authorization 


Note: if the verification is less than 90% this can correspond to malicious attempts to breach the user's health information.
and transmitting an encrypted report to the user in response to the unusual access behavior ([0074] “If the personal identification information could not be verified by the independent identity authority system(s) 170, then registration of the user for access to the healthcare blockchain may cease and value-added certificate authorization system(s) 160 may notify the user 102 of the same, such as via his or her client system 104.”) 
wherein the encrypted report is includes information derived from the new access request ([0106] “For example, if permissions are extended, revoked, and/or conditions modified, for a second CSI, and the user 102 associated with that CSI, then the client system 104 associated with that CSI, and the healthcare applications operating thereon, may be notified of any permission changes pertaining to the second CSI.”)


Bulliet does not explicitly disclose however Saxena teaches monitoring, using an artificial intelligence learning module stored in memory and executed by a processor, a plurality of access events to a health information of a user by one or more devices at a health information exchange server implemented over a blockchain network ([0032] “Cognitive systems achieve these abilities by combining various aspects of artificial intelligence…..” [0029] “The information processing system 100 includes a processor (e.g., central processor unit or “CPU”) 102, ….The information processing system 100 likewise includes system memory 112…” [0152] “In these embodiments, the implementation of such a blockchain exchange allows the hosted 904 cognitive platform access data associated with one or more private 932 blockchains, and conversely, the private 924 cognitive platform to access data associated with one or more public 912 blockchains.” [0316] “In certain embodiments, a notification message is then sent to various healthcare-related caregivers as a result of the generation of a healthcare-related, blockchain-associated cognitive insight 1302 for improving patient services 1308. As an example, various caregivers associated with a patient may receive notification that one or more EHRs corresponding to the patient have been accessed by another caregiver.”)

Therefore, it would have obvious to one of ordinary skill in the art prior to the effective filing date of the claimed invention to expand Bulliet’s techniques for securing health information with Saxena’s techniques to utilize artificial intelligence in the healthcare network. The motivation for the combination of prior art elements is to extract insights by uncovering difficult-to-discover patterns and connections (See Saxena, Background).
Regarding claim 3, Bulliet does not explicitly disclose however Saxena teaches wherein monitoring the plurality of access events to the health information of the user includes parsing a data request to determine a relevant data based on a predefined criterion ([0118] “In these embodiments, the source streams 504 are dynamically ingested in real-time during the perceive 506 phase, and based upon a predetermined context, extraction, parsing, and tagging operations are performed on language, text and images contained in the source streams 504.”)
and sending the relevant data to a historical activity database ([0099] “Such EMR systems typically collect a variety of healthcare information, much of it the same, yet it may be collected, stored and provided in different ways. In this example, the custom destination agents 446 allow such EMR systems to receive cognitive insight data in a form they can use.”)


Regarding claim 4, Bulliet discloses comparing the access request with a datum stored in an insecure behavior database ([0084] “To make this determination, value-added certificate authorization system(s) 160 may be configured to compare the user's pseudonymous identity with a list of registered CSI keys stored in a database that have been issued to users 102.”)
and storing the access request in the insecure behavior database when the access request at least partially matches the datum ([0078] “The act of signing the SIC may establish and/or certify the CSI to enable, for the user 102, via his or her client system 104, to access the healthcare blockchain….. The CSI key pair may include a private CSI key that may be stored on the client system 104 associated with the user 102 to whom the CSI key belongs.”)
Regarding claim 5, Bulliet discloses wherein comparing the access request with a typical access pattern includes providing a datum in the access request to a securer module when the datum has no match in an insecure behavior database ([0192] “If it is determined, at block 1506, 
Regarding claim 6, Bulliet discloses requesting an additional encrypted key when the access request is not a typical access pattern ([0056] “When a user asserts a proposed CSI that is to be confirmed by value-added certificate authorization system(s) 160, the independent identity system(s) 170 may be configured to provide personal information about the user 102 to the value-added certificate authorization system(s) 160 for CSI verification.”)
Regarding claim 7, Bulliet discloses storing the access request in an insecure behavior database for comparing with another access request ([0066] “Furthermore, the private CSI key may be stored on the client system 104 associated with the user 102.”)
Regarding claim 9, Bulliet discloses updating an insecure behavior database to include an access event of the plurality of access events 
([0138] “In example embodiments, the blockchain module 822 may include instructions executable by the processor(s) 800 to cooperate with one or more blockchain system(s) 180 to register a newly issued CSI, such as by hashing a public key corresponding to the signed CSI onto the healthcare blockchain. The instructions may also enable permissions for HIRs (e.g., 
when the access event does not fit a typical access pattern ([0191] “If the requested HIR does not belong to the user, then at block 1306, it may be determined whether the user has access to HIRs.”)
Regarding claim 10, Bulliet discloses updating an existing correlation with the new access request when the new access request is identified as an insecure behavior ([0059] “In example embodiments, the blockchain system(s) 180 may receive an authorized CSI to be registered from value-added certificate authorization system(s) 160, such as when a user 102 establishes his or her authority to access the healthcare blockchain. The blockchain system(s) 180 may further receive newly established, and/or updated permissions to HIRs that are contained within EHRs, including PHI, from value-added certificate authorization system(s) 160.”)
Regarding claim 11, Bulliet discloses one or more processors ([0119] “In the illustrated implementation, the client device 104 includes one or more processors 700….”)
a memory communicatively coupled to the one or more processors and storing instructions which, when executed by the one or more processors ([0121] “The computer-readable media 710 may include volatile and nonvolatile memory, removable and non-removable media implemented in any method or technology for 
identify one or more criteria associated with a typical access pattern to the health information exchange server based on the plurality of access events ([0051] “The environment 100, as described herein, allows for secure and standardized access to HIRs, as well as a mechanism for HIR providers, such as the entities that control the resource system(s) 150 to offload liability associated with the management of the HIRs. Such an environment 100 with standardized access and liability management of HIRs, allows for the development of customized healthcare applications, such as by the application developer(s) 130.”)
compare a new access request from a device to the health information exchange server with the one or more criteria of access behavior associated with the typical access pattern to determine unusual access behavior corresponding to malicious attempts to breach the health information ([0076] “The independent authority system(s) 170 may compare information elements in the body of personal information about the user 102 to corresponding elements in the personal identification information of the user 102, as received from value-added certificate authorization system(s) 160. The determination of verification may be based at least in part on this comparison…. For example, if the match is greater 


Note: if the verification is less than 90% this can correspond to malicious attempts to breach the user's health information.
transmit an encrypted report to the user in response to the unusual access behavior ([0074] “If the personal identification information could not be verified by the independent identity authority system(s) 170, then registration of the user for access to the healthcare blockchain may cease and value-added certificate authorization system(s) 160 may notify the user 102 of the same, such as via his or her client system 104.”)
wherein the encrypted report is includes information derived from the new access request ([0106] “For example, if permissions are extended, revoked, and/or conditions modified, for a second CSI, and the user 102 associated with that CSI, then the client system 104 associated with that CSI, and the healthcare applications operating thereon, may be notified of any permission changes pertaining to the second CSI.”)




Bulliet does not explicitly disclose however Saxena teaches monitor a plurality of access events to a health information of a user by one or more devices at a health information exchange server implemented over a blockchain network ([0032] “Cognitive systems achieve these abilities by combining various aspects of artificial intelligence…..” [0029] “The information processing system 100 includes a processor (e.g., central processor unit or “CPU”) 102, ….The information processing system 100 likewise includes system memory 112…” [0152] “In these embodiments, the implementation of such a blockchain exchange allows the hosted 904 cognitive platform access data associated with one or more private 932 blockchains, and conversely, the private 924 cognitive platform to access data associated with one or more public 912 blockchains.” [0316] “In certain embodiments, a notification message is then sent to various healthcare-related caregivers as a result of the generation of a healthcare-related, blockchain-associated cognitive insight 1302 for improving patient services 1308. As an example, various caregivers associated with a patient may receive notification that one or more EHRs corresponding to the patient have been accessed by another caregiver.”)


Regarding claim 12, Bulliet discloses wherein to compare the access request with the one or more criteria of access behavior associated with the typical access pattern the one or more processors execute instructions to provide a datum in the access request to a securer module when the datum has no match in an insecure behavior database ([0191] “At block 1502, a request for access verification of an HIR from a client device for a user with a CSI may be received.”  [0192] “If it is determined, at block 1506, that the user does not have access to the HIR, then at block 1508, there may be an indication sent that access is denied.” [0193] “At block 1512, the access token may be sent to the client system 104. At block 1514, the transaction of the access token in the healthcare blockchain may be recorded.”)
Regarding claim 13, the limitations are rejected for the same reasons as stated above for claim 6.
Regarding claim 14
Regarding claim 16, Bulliet discloses wherein the one or more processors further execute instructions to updating an insecure behavior database to include an access event of the plurality of access events ([0138] “In example embodiments, the blockchain module 822 may include instructions executable by the processor(s) 800 to cooperate with one or more blockchain system(s) 180 to register a newly issued CSI, such as by hashing a public key corresponding to the signed CSI onto the healthcare blockchain. The instructions may also enable permissions for HIRs (e.g., EHR, PHI, etc.) to be established and/or updated on the healthcare blockchain.”)
when the access event does not fit the one or more criteria of access behavior associated with the typical access pattern ([0191] “If the requested HIR does not belong to the user, then at block 1306, it may be determined whether the user has access to HIRs.”)
Regarding claim 17, the limitations are rejected for the same reasons as stated above for claim 10.
Regarding claim 18, Bulliet discloses a non-transitory, computer readable medium storing instructions which, when executed by a processor ([0220] “According to example embodiments of the disclosure, there are one or more non-transitory computer-readable media maintaining instructions executable by one or more processors to perform operations….”)
identifying one or more criteria associated with a typical access pattern to the health information exchange server based on the plurality of access events ([0051] “The environment 100, as described herein, allows for secure and standardized access to HIRs, as well as a mechanism for HIR providers, such as the entities that control the resource system(s) 150 to offload liability associated with the management of the HIRs. Such an environment 100 with standardized access and liability management of HIRs, allows for the development of customized healthcare applications, such as by the application developer(s) 130.”)
comparing a new access request from a device to the health information exchange server with the one or more criteria of access behavior associated with the typical access pattern to determine unusual access behavior corresponding to malicious attempts to breach the health information ([0076] “The independent authority system(s) 170 may compare information elements in the body of personal information about the user 102 to corresponding elements in the personal identification information of the user 102, as received from value-added certificate authorization system(s) 160. The determination of verification may be based at least in part on this comparison…. For example, if the match is greater than 90%, it may be determined that the personal identification information is verified.”)


Note: if the verification is less than 90% this can correspond to malicious attempts to breach the user's health information.
transmiting an encrypted report to the user in response to the unusual access behavior ([0074] “If the personal identification information could not be verified by the independent identity authority system(s) 170, then registration of the user for access to the healthcare blockchain may cease and value-added certificate authorization system(s) 160 may notify the user 102 of the same, such as via his or her client system 104.”)
wherein the encrypted report is includes information derived from the new access request ([0106] “For example, if permissions are extended, revoked, and/or conditions modified, for a second CSI, and the user 102 associated with that CSI, then the client system 104 associated with that CSI, and the healthcare applications operating thereon, may be notified of any permission changes pertaining to the second CSI.”)


Bulliet does not explicitly disclose however Saxena teaches monitoring a plurality of access events to a health information of a user by one or more devices at a health information exchange server implemented over a blockchain network ([0032] “Cognitive systems achieve these abilities by combining various aspects of artificial intelligence…..” [0029] “The information processing system 100 includes a processor (e.g., central processor unit or “CPU”) 102, ….The information processing system 100 likewise includes system memory 112…” [0152] “In these embodiments, the implementation of such a blockchain exchange allows the hosted 904 cognitive platform access data associated with one or more private 932 blockchains, and conversely, the private 924 cognitive platform to access data associated with one or more public 912 blockchains.” [0316] “In certain embodiments, a notification message is then sent to various healthcare-related caregivers as a result of the generation of a healthcare-related, blockchain-associated cognitive insight 1302 for improving patient services 1308. As an example, various caregivers associated with a patient may receive notification that one or more EHRs corresponding to the patient have been accessed by another caregiver.”)

Therefore, it would have obvious to one of ordinary skill in the art prior to the effective filing date of the claimed invention to expand Bulliet’s techniques for securing health information with Saxena’s techniques to utilize artificial intelligence in the healthcare network. The motivation for the combination of 
Regarding claim 19, the limitations are rejected for the same reasons as stated above for claim 3.
Regarding claim 20, the limitations are rejected for the same reasons as stated above for claim 5.

Claim 2 is rejected under 35 U.S.C. 103 as being unpatentable over Bulliet et al. (US20180060496A1) in view of Saxena et al. (US20180165588A1) and further in view of LaFever et al. (US20180307859A1). 
Regarding claim 2, Bulliet in view of Saxena does not explicitly disclose however LaFever teaches wherein the health information of the user includes blood pressure, heart rate, and number of steps moved per day ([0542] “. In this way, while an A-DDID may be associated with a range (e.g., systolic blood pressure >140 and <160), an A-DDID can also be associated with a particular condition that exists within a notes field in an EMR.” [0058] “For example, assuming a data set contained a value for a data subject's heart rate value of 65 beats per minute…” [0387] “In return for special offers or other concessions proffered by receiving entities, users of the mobile/wearable/portable devices could elect to have non-identifying TDRs shared in an anonymous fashion based on the users' real-time or other distance depending upon the implementation)…..”)


Therefore, it would have obvious to one of ordinary skill in the art prior to the effective filing date of the claimed invention to expand Bulliet’s techniques for securing health information and Saxena’s techniques to utilize artificial intelligence in the healthcare network with LaFever’s techniques to protect various healthcare data. The motivation for the combination of prior art elements is to distinguish between the types of data being accessed for improving data privacy/anonymity (See LaFever, Background).

Response to Arguments
Applicant’s arguments filed on 26 November 2021 have been considered but are not fully persuasive.
Regarding the claim objections, the applicant has overcome the claim objections by correcting the informalities. Therefore, the claim objections have been withdrawn.
Regarding the 112(b) rejection, the applicant’s amendments have overcome the 112(b) rejection. Therefore, the 112(b) rejection has been withdrawn.
Regarding the 101 rejection, the applicant argues on pages 10 to 11 that under Step 2A Prong 1 the claims do not recite “agreements in the form of contracts; legal (e.g., monitored access events by user devices into another type of data: an encrypted report). Applicant also states the claims cannot be performed in the mind because they do not recite a mental process and that the mind cannot monitor using artificial intelligence a communication between one or more user devices and a server implemented over a blockchain network.

Examiner respectfully disagrees with the applicant’s argument. Examiner asserts that the claims as a whole, especially in light of the present amendments, fall under methods of organizing human activity. Other than reciting steps as performed by the generic computer components, nothing in the claim element precludes the step from performing commercial or legal interactions through the performance of a legal obligation of securing healthcare data. To support the examiner’s argument, examiner points to [0002] and [0005] of the applicant’s specification which discloses the objective of this present invention is to enhance security and protect data. Since the present application deals with healthcare data, the applicant’s invention is performing a legal obligation as required HIPAA law.

On page 12 the applicant argues that the claim elements are integrated into a practical application. The applicant points out that in Enfish the fact that the invention 
Such communication allows "the system [to] continue to learn and enhance the security of the system" and to "notif[y] a user of unusual access behavior regarding their health information through a user device." Specification at [0012], [0013]. The applicant also asserts that the present claims recite the transformation from monitored access events and an access request to an encrypted report to the user in response to the usual access behavior. Such transformation is indicative that the present claims represent an integration into a practical application.

Examiner respectfully disagrees with the applicant’s argument. The MPEP provides that improvements to the functioning of a computer or to any other technology or technical field can signal eligibility, see MPEP 2106.05(a), and provides examples of improvements to computer functionality, MPEP 2106.05(a)(I), and improvements to any other technology of technical field, MPEP 2106.05(a)(I). “In computer-related technologies, the examiner should determine whether the claim purports to improve computer capabilities or, instead, invokes computers merely as a tool”. Enfish, LLC v. Microsoft Corp., 822 F.3d 1327, 1336, 118 USPQ2d 1684, 1689 (Fed. Cir. 2016). In Enfish, the court evaluated the patent eligibility of claims related to a self-Enfish, the instant claimed invention appears to improve upon a judicial exception rather than a problem in the software arts. Rather than improving a computer's algorithm or the blockchain network to improve data security, the claimed invention purports to improve the security of data in a healthcare network by applying off the shelf blockchain to conventionally monitor, store, and track data & activity. The claimed invention appears similar to the example of improvements that are insufficient to show an improvement in computer-functionality such as arranging transactional information on a graphical user interface in a manner that assists traders in processing information more quickly, Trading Technologies v. IBG LLC, 921 F.3d 1084, 1093-94, 2019 USPQ2d 138290 (Fed. Cir. 2019). See MPEP 2106.05(a)(I)(viii). Additionally, improving efficiency ([0008] of the applicant’s specification) is not sufficient to show an improvement in computer functionality as set forth by the courts in FairWarning IP, LLC v. Iatric Sys., 839 F.3d 1089, 1095, 120 USPQ2d 1293, 1296 (Fed. Cir. 2016); accelerating a process of analyzing audit 

The applicant argues on pages 13 to 14 that under Step 2B applicant’s claims include an inventive concept where the amended portions are not shown by the office action as being well-understood, routine, and conventional under Berkheimer. The applicant requests withdrawal of the 101 rejection. 

Examiner respectfully disagrees with the applicant’s argument. Examiner asserts that Symantec has been cited to the added amendments as still disclosing the transmitting of data. Examiner also points out that Flook and prior art has been cited to show that the limitations of the claims are well-understood, routine, or conventional. The use of a computer or other machinery in its ordinary capacity for economic or other tasks or simply adding a general purpose computer or computer components after the fact to an abstract idea does not provide significantly more. See Affinity Labs v. DirecTV, 838 F.3d 1253, 1262, 120 USPQ2d 1201, 1207 (Fed. Cir. 2016) (cellular telephone); TLI Communications LLC v. AV Auto, LLC, 823 F.3d 607, 613, 118 USPQ2d 1744, 1748 (Fed. Cir. 2016) (computer server and telephone unit). Therefore, the 101 rejection is maintained.
Regarding the 103 rejection, the applicant argues on pages 15 to 16 that Bulleit does not disclose “comparing an access request ... to determine an usual access behavior corresponding to malicious attempt to breach the health information” since the personal identification of Bulleit is not compared to “a typical access pattern to 

Examiner respectfully disagrees with the applicant’s argument. Examiner asserts that the claim language is broad such that it is not clear what is included or excluded from the interpretation of an access pattern or what is even considered to be a typical access pattern. Bulleit is a much narrower interpretation of the applicant’s claims in that Bulleit compares information elements from a new access request to the required criteria in the server to verify whether the access pattern is an unusual access behavior based on the percentage match. 

On page 16 the applicant argues that Bulleit does not disclose “transmitting an encrypted report to the user in response to the unusual access behavior, wherein the encrypted report is transmitted based on information derived from the access request.” Applicant asserts that Bulleit merely discusses that "the client system 104 associated with that CSI, and the healthcare applications operating thereon, may be notified of any permission changes pertaining to the second CSI."

Examiner respectfully disagrees with the applicant’s argument. Examiner asserts that in light of the amendment [0074] Bulleit has been cited which discloses the transmitting or sending a notification under BRI in response to an unusual access or more narrowly in response to the fact that PII could not be verified. Paragraph [0106] is still used to narrowly disclose the information contained in the report such as 

On pages 16 to 17 the applicant states that Saxnena does not cure the deficiencies of Bulleit and LaFever does not cure the deficiencies of Bulleit and Saxena. Hence, all the claims overcome the art rejection. Applicant requests withdrawal of the 103 rejection. 

Examiner respectfully disagrees with the applicant. Examiner asserts that all the references still teach the amended claims. The dependent claims are still rejected under USC 103.


Prior Art Cited but not Relied Upon
The following document(s) were found relevant to the disclosure but not applied:
Zhuang, Y., Sheets, L. R., Chen, Y. W., Shae, Z. Y., Tsai, J. J., & Shyu, C. R. (2018). A patient-centric health information exchange framework using blockchain technology. IEEE journal of biomedical and health informatics, 24(8), 2169-2176.

This reference is relevant since is describes improving Satoshi’s blockchain using smart contracts to resolve and privacy and security vulnerabilities.

Conclusion



 Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to WINSTON FURTADO whose telephone number is (571)272-5349. The examiner can normally be reached Monday-Friday 8:00 AM to 4:00 PM EST.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.

Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/W.F./Examiner, Art Unit 3626                                                                                                                                                                                                        
/JOSHUA B BLANCHETTE/Primary Examiner, Art Unit 3626