Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

Response to Arguments
Applicant's arguments filed on February 15, 2022 have been fully considered but they are not persuasive the prior arts in record and place the claims and the application in condition for allowance.
In the response, the applicant’s argument with regarding claim 1, stated as follows: None of the cited documents, alone or in combination, teaches or suggests the following features. For instance, in the rejection of claim 2 at p. 7, the Office Action relies on Vesper as describing "remove, after an elapse of a time threshold, the data file from the web interface." This is incorrect. At most, Vesper describes transferring patient information promptly and deleting it when no longer needed. Para. [0101]. Vesper further describes holding a copy of an image for a predetermined time period. Para. [0312]. However, nothing in Vesper, or any of the cited documents, teaches or suggests remove, after an elapse of a time threshold, the data file (e.g., including the attribute identifier) from the web interface, as recited in claim 1. Stated differently, nothing in Vesper, or any of the cited documents, teaches or suggests removing the alleged attribute identifier after an elapse of a time threshold. 

The examiner respectfully disagrees with the applicant’s argument which asserts none of the cited documents, alone or in combination, teaches or suggests "remove, after an elapse of a time threshold, the data file from the web interface." During examination, the examiner gave BRI consideration to claim languages and terms and considered “removing the data file” recited from the only paragraphs of the applicant’s description as follows: [0005] Providing the data file may include removing, after an elapse of a time threshold, the data file from the web interface. [0039] Multi-dimensional API computing platform 110 may generate, based on the attribute of the user, or based on the updated API_Table, a data file comprising an attribute identifier associated with the attribute of the user. For example, the data file may be a record that includes the search results, such as, for example, multi-dimensional attributes such as the individual identifier, the household identifier, the name and address, the telephone number, the electronic mail address, and so forth. [0045] Also, for example, a second dimension may be indicative of a number of data files in a batch (e.g., a size of a batch) may be transferred via web interface 225. As another example, a third dimension may be indicative of a length of time that the data attributes persist in web interface 225, before being removed, and/or deleted.
The examiner notes that, user’s record or data is removed from record database or at least removed form viewing web interface for data protection after a defined period. In general, it is well understood and widely available mechanisms exit in operating systems and Web browser tools.  The examiner further notes that, the above feature is disclosed by Vesper in paragraph [0101] as follows: When the patient's information (PHI) is requested, it is always transferred in a secure fashion and promptly and completely deleted when it is no longer needed. Furthermore, this information is never written to a local file or stored in any way outside the secure boundaries of the Central Server. Vesper elaborate in detail how this can be implemented in web services, secured both from SSL as well as session ID tokens that change over a given period of time through user interface (UI) and a web cache retrievable images and further through GET, PUT, POST and DELETE commands used for HTTP services.
Vesper discloses [0100] In order to meet HIPAA regulations while working with PHI, the treatment of the DICOM files and their private information is monitored carefully across the network and always transmitted in a secure fashion using industry standards such as Secure Sockets Layer (SSL) and Public Key Infrastructure (PKI). Security is also paramount when transmitting files to a desktop of a physician so he can view them without waiting for a download to complete. At this point, no private information is stored with the DICOM file. Only with direct privilege of a physician login can the private healthcare information for a patient be viewed together with the medical image or study. [0107] One embodiment of the disclosed system is shown in more detail in FIG. 3. In this embodiment, central network or central server 14 comprises one or more main server types, including website server 26, storage server 28, security server 30, application server 32, P2P server 34, and database server 36. Website server 26 hosts both the main website for patients as well as the web service layer that supports the P2P network for the viewing application, discussed below. These web services are secured both from SSL as well as session ID tokens that change over a given period of time. Website server 26 can be any suitable machine known in the art running any suitable software. For example, website server 26 is a Windows 2003 server running IIS 6.0.
Vesper discloses [0372] FIG. 42B present communications between a user interface (UI) and a web cache to retrieve images. Initially, the user, through the UI, can make a request for a study to the web cache. The web cache, in turn, can look up in cached memory the location of the study. If the study cannot be found in the cache, the web cache can begin staging of the study while returning its own node identification and NODE_ID in a URI. When the study is located within the cache, the web cache returns the NODE_ID of the cache node with the study. A response is provided with the URI including the Cache NODE_ID to the UI. 
Vesper continues to disclose [0405] While five collaborative functions for the consumer 3004 are shown, those skilled in the relevant art will appreciate that numerous features can be provided through the protocols that are provided herein. It should be noted that the functions described herein are for purposes of illustration and do not limit the present application. The GET, PUT, POST and DELETE commands used herein can be combined to form other features. Particularly, The DELETE /study/{id}/image/{id}/annotation/{id}.json command can delete annotations from a medical record, while the DELETE /study/{id}/report/{id}.json command can delete a radiological report from an image study.

With regard to claim 5, the applicant continues to argue that, nothing in Vesper, or any of the cited documents, teaches or suggests receiving, via the web interface, a second query including an encryption key. The applicant further argues that, nothing in Vesper teaches or suggests retrieving a secure link to the attribute, causing the secure link to be provided to the second computing device or causing the secure link to be displayed by the second computing device.
The examiner respectfully disagrees with the applicant because Vesper discloses [0175]: During the harvesting process, new records are identified, an encryption key is associated with the study and the PHI 70 and the record are then copied to the local storage node 52. FIG. 18 illustrates the different components of a record 300 as it is harvested, including PHI 70, body 72, Harvester Tag 306, and Encryption Key 308. [0178] The PHI 70 is then encrypted and a Key or Encryption Key 308 is added to the PHI 70. The PHI 70 plus Key 308 are then sent to the Central Index 38.  Each image is individually indexed and stored in a cloud where they can be conveniently queried and retrieved at a later date by the consumers 3004.  The examiner notes when PHI plus key are index, they are searchable through query and provided over secure link (e. g. SSH) to computing devices. 

Vesper further discloses [0261-0262] DICOM record was split into personal information and non-personal information. The personal information and the non-personal information included an identifier to link the personal information to the non-personal information. Splits within the DICOM data can be performed by the producer 3002, and more specifically the harvester 3114....The producer 3002 can encrypt the personal information and add an encryption key. The record can then be stored into the medical information network 3000 having an electronic address, the record including the personal information and the non-personal information. The personal health information and the anonymized DICOM image can be transported over the Internet or other network using known protocols. As shown in FIG. 31, the personal health information from each of the producers 3002 can be provided to a study metadata database 3102. The database 3102 can include fields for storing the personal information, encryption key and electronic address of the source node on which the record is stored. The study metadata database 3102 can be at one location or distributed among different sites. 
Vesper further discloses for secure link or communication in [0100] In order to meet HIPAA regulations while working with PHI, the treatment of the DICOM files and their private information is monitored carefully across the network and always transmitted in a secure fashion using industry standards such as Secure Sockets Layer (SSL) and Public Key Infrastructure (PKI). Security is also paramount when transmitting files to a desktop of a physician so he can view them without waiting for a download to complete. At this point, no private information is stored with the DICOM file. Only with direct privilege of a physician login can the private healthcare information for a patient be viewed together with the medical image or study.
For at least the same reason proved above, the applicant’s arguments are not persuasive to overcome the prior arts in record and place claims 13 and 21 in condition for allowance. Therefore, the rejection of claims 1, 3-20 under 35 U.S.C. 103 as being unpatentable over Vesper in view of LaFever are maintained. 

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1, 3-20 are rejected under 35 U.S.C. 103 as being unpatentable over Vesper et al. (Hereinafter referred to as Vesper, US 20110153351 A1) in view of LaFever et al. (Hereinafter referred to as LaFever, US. Pub. No.: US 20190332807 A1).

As per claim 1:
Vesper discloses a computing platform, comprising:
at least one processor; and memory storing computer-readable instructions that, when executed by the at least one processor (Figure 1A, 1B: Record Consumer 15, 18 and Central Network 14), cause the computing platform to:
submit, via a first computing device, a query for data associated with a user ([0129-0130: Header manager interfaces with search manager to search the headers or personal information; Search manager to search the headers or personal information, allows a search to be performed on a patient, physician and/or a facility, only searches publicly available patient information. the header search may provide three different fixed criteria: (1) Central or System ID, (2) Local ID, or (3) Last Name, First Name, Date of Birth and Birth City. The patient search function allows record consumers to search for header information with which the record consumer has a trusted relationship);
receive, via the first computing device, a search result comprising an attribute of the user ([0125-0126]: Header manager administers the access and storage of the header or PHI information in the database; the header, PHI or personal information is encrypted in the database to prevent any unauthorized database access from viewing the data. Header manager 150 is comprised of header retriever and header sender. The header manager only returns header information to a trusted session. Header manager encrypts the header information before loading it onto the database, and decrypts it before sending it to a calling function. The system encrypts search criteria for patient information and identifies encrypted data in the database using an encryption indicator in the tables. Header manager manages searches from calling applications);
generate, based on the attribute of the user, a data file comprising an attribute identifier with the attribute of the user ([0073]: a DICOM file, is composed of two major components: 1) the actual body of the record, for example, the image data, and 2) the image header information, which contains the personal or patient-identifying information; the header contains personal identifying information, also known as personal information, Protected Health Information, or PHI. Without the PHI header, record data, including image data, is anonymous and does not contain any unique patient identifying information. Therefore, the non-personal or anonymous data portion of a record is referred to herein as the Body; [0175]);
upload, via a web interface and to a second computing device, the data file comprising the attribute identifier ([0177-0178] Loading of records can also occur when records are restored on the system, from direct loading from a file system, either single or multiple files, or CD import of records for directly uploading to the Central Server. Each file uses the Local System ID and Node ID to determine a match. Verification here occurs both when a record is uploaded and when a record is restored on the system; [0257]: The DICOM image was split into protected healthcare information and anonymous DICOM imaging data and joined by the consumer 3004. The split data was stored in different locations, for example, the protected healthcare information was stored in one area of the network while the imaging data was stored in another part);
receive, via the web interface and from the second computing device, an encryption key corresponding to the attribute identifier ([0175]: The harvesting process is completed at the server level. During the harvesting process, new records are identified, an encryption key is associated with the study and the PHI and the record are then copied to the local storage node. A copy of the PHI is also sent to the Central Index. The PHI and body of the record are linked using a unique identifier, referred to herein as the Tag or Harvester Tag. This identifier or tag is not an encryption key, but only the link between the PHI and the body of the record. The different components of a record as it is harvested, including PHI, body, Harvester Tag, and Encryption Key); and
store, via the first computing device and in a database, an association between the attribute, the attribute identifier, and the encryption key ([0178]: store the record, split by the record harvester into its two main parts: PHI and body, The PHI 70 is then encrypted and a Key or Encryption Key is added to the PHI. The PHI plus Key are then sent to the Central Index and stored);
remove, after an elapse of a time threshold, the data file from the web interface ([0101]: When the patient's information (PHI) is requested, it is always transferred in a secure fashion and promptly and completely deleted when it is no longer needed and uploaded image for a user-specified period of time, for instance three months, six months, twelve months, or some other period of time. A timestamp can be placed on each copied image; [0107], [0372]).

Vesper does not explicitly disclose generating the attribute identifier associated with the attribute of the user. LaFever, in analogous art however, discloses generating the attribute identifier associated with the attribute of the user ([0020]: unique, dynamically changing de-identifiers (“DDIDs”)—each associated with a subject, e.g., a person, place, or thing (e.g., an event, document, contract, or “smart contract”), to which data directly or indirectly pertains or relates (a “Data Subject”), and/or an action, activity, process and/or trait pertaining to a Data Subject, for a temporally unique period of time, thereby enabling the Data Subject to operate in a “dynamically anonymous” manner; [0024]: Each DDID may be associated with any one or more data attributes to facilitate with respect to a specific action, activity, process or trait, the combination of a DDID and any data elements associated with the DDID for a temporally unique period of time are referred to as a temporal data representation, or a “TDR.” For purposes hereof, if no data is associated with a DDID, then a DDID and its temporal data representation (or “TDR”) are identical; [0040]: an attribute or combination of data attributes may identify a Data Subject but are not themselves the Data Subject—the person or legal entity identified by an attribute or combination of data attributes may be the subject of said attribute or combination of data attributes and considered a related party with regard thereto since he/she/it has an interest in or association with said attribute or combination of data attributes; [0054]: In accordance with one aspect of one embodiment of the present invention, disclosed herein is a computer-implemented method of providing controlled distribution of electronic information. In one example, the method may include the steps or operations of receiving, at a computing device, data; identifying one or more attributes of the data; selecting, through the computing device, a DDID; associating the selected DDID with one or more of the data attributes; and creating a temporally unique data representation (TDR) from at least the selected DDID and the one or more data attributes; [0358]: a data attribute may refer to any data element that can be used, independently or in combination with other data elements, to identify a Data Subject, such as a person, place or thing, and/or associated actions, activities, processes or traits; [0794]: dynamically created, changeable and re-assignable TDRs (comprised of dynamically changing and re-assignable DDIDs and the PII/PHI information) could be used to protect the confidentiality and privacy/anonymity of PII/PHI contained in patient medical records;  Multiple levels of abstraction establishes “rings of privacy” such that only the level of identifying information necessary to perform a desired service or permitted function is provided; Temporally unique and purpose limited data representations (TDRs) may be used to protect the confidentiality and privacy/anonymity of user and patient personally identifiable information (PII) and/or personal health information (PHI). 
Therefore, it would have been obvious to a person having ordinary skill in the art before the effective filing date of the invention to modify the claimed limitations of the attribute of the user file disclosed by LaFever to include to generate the attribute identifier associated with the attribute of the user. This modification would have been obvious because a person having ordinary skill in the art would have been motivated by the desire to provide improve data privacy and security by enabling subjects to which data pertains to remain “dynamically anonymous,” i.e., anonymous for as long as is desired and to the extent that is desired as suggested by LaFever (0019-0020).

As per claim 3:
Vesper discloses wherein the instructions to store the association comprise additional computer-readable instructions that, when executed by the at least one processor, cause the computing platform to: modify, based on the search result, a table storing the attribute of the user ([0227-0228]: The tracking of changes of data in the database is also key to the security of the disclosed system. The auditing capabilities of the system database provides the requirements for each component and module to track data through the system. All tables will have four standard columns to track when records are created and updated. The tables will have two columns to denote the user and the time the record was created and two columns to denote the user and the time the record was last updated. Tables that track changes of its records that occur incorporate triggers to retain a copy of the record before the update occurs. The update trigger for the table inserts before a record in an audit table associated with the designated table. All actions and events that occur between the main entities in the database are logged, as described above. An event record will contain the time the event occurred, the IDs of the entities involved in the event, the type of event and the elapsed time of the event… User and node access to the system is logged to track overall activity of the system and to keep track of usage and growth. When a user or node is authorized on the system, a record is created containing the user ID or node ID, the IP address and the time access occurred. A second record is created when the user or node disconnects from the system; [0312]: Each gateway device contains sufficient local storage to hold a copy of each registered).

As per claim 4:
Vesper discloses wherein the instructions comprise additional computer-readable instructions that, when executed by the at least one processor, cause the computing platform to: receive, via the first computing device and over a secured network, a second query comprising the attribute identifier; match, via the first computing device and in the database, the attribute identifier with the attribute associated with the user; retrieve, via the first computing device and from the database, the attribute; and provide, based on the second query and over the secured network, the attribute ([0337]: The DICOM images can be stored in a flat namespace and users can query for the images via strongly authenticated web services. DICOM tags can be within each DICOM image file and can be queried for. An image study can be dynamically assembled by querying the DICOM metadata, for example, facility, patient identifier, UID, and study type. [0338]: The image repository can expose the rich metadata of each image and allows a user to dynamically query the data most relevant to that user, without the opaque and artificial confines of an image study; [0350]: Key images can be directly queried from the Internet resident DICOM image and metadata repository by constraining the query with DICOM key image identifiers as defined by the DICOM standard. The mechanism for these queries can be strongly authenticated web services).

As per claim 5:
Vesper discloses wherein the instructions comprise additional computer-readable instructions that, when executed by the at least one processor, cause the computing platform to: receive, via the first computing device and over the web interface, a second query comprising the encryption key; match, via the first computing device and in the database, the encryption key with the attribute associated with the user; retrieve, via the first computing device and from the database, a secure link to the attribute; and cause, based on the second query, the secure link to the attribute to be provided over an authenticated network to the second computing device and cause the secure link to be displayed by the second computing device ([0175]: FIG. 18 is a more detailed illustration of the digital couriering method, including the harvesting process. The harvesting process is completed at the server level. During the harvesting process, new records are identified, an encryption key is associated with the study and the PHI 70 and the record are then copied to the local storage node 52. A copy of the PHI 70 is also sent to the Central Index 38. The PHI 70 and body 72 of the record are linked using a unique identifier, referred to herein as the Tag or Harvester Tag 306. This identifier or tag is not an encryption key, but only the link between the PHI 70 and the body 72 of the record. FIG. 18 illustrates the different components of a record 300 as it is harvested, including PHI 70, body 72, Harvester Tag 306, and Encryption Key 308; [0261-0262]; [0100] In order to meet HIPAA regulations while working with PHI, the treatment of the DICOM files and their private information is monitored carefully across the network and always transmitted in a secure fashion using industry standards such as Secure Sockets Layer (SSL) and Public Key Infrastructure (PKI). Security is also paramount when transmitting files to a desktop of a physician so he can view them without waiting for a download to complete. At this point, no private information is stored with the DICOM file. Only with direct privilege of a physician login can the private healthcare information for a patient be viewed together with the medical image or study).

As per claim 6:
Vesper discloses wherein the encryption key is based on a unidirectional hashing algorithm ([0089]: The Harvester Tag may be complementary unique identifiers, complementary hashes or watermarks; [0342]: The images assigned a GUID and fingerprinted using a hashing algorithm like SHA. In turn, the images can be logged into an Internet resident global repository of images and optionally anonymized by removing private health information from the DICOM header. The images can be optionally converted into a canonical DICOM compliant format and optionally encrypted using a symmetric encryption key. The images can be fingerprinted again using a hashing algorithm and uploaded to an Internet based image repository using strongly authenticated web services).

As per claim 7:
Vesper discloses wherein the instructions comprise additional computer-readable instructions that, when executed by the at least one processor, cause the computing platform to: generate the query in JavaScript Object Notation (JSON) format; and validate, based on the JSON format, the search result ([0411-0413]: The applications can provide an image in a web compatible format such as .jpg or .png. The attributes can be returned as a .json file. A JavaScript Object Notation payload, in the form of a .json file, can be returned by the applications).

As per claim 8:
Vesper discloses wherein the database is a Relational Database Management System (RDBMS) ([0378]: The deployment can include at least one relational database management system (RDBMS) and Connected to the RDBMS is the central index; [0382]: The central index can include a primary RDBMS within the data center and a number of storage node systems that store individual DICOM files that are coupled to web caches). 

As per claim 9:
Vesper discloses wherein the instructions comprise additional computer-readable instructions that, when executed by the at least one processor, cause the computing platform to: determine, based on the web interface, a size of a batch comprising a plurality of data files associated with a plurality of users; generate, based on the size, the batch of the plurality of data files; upload, via the web interface and to the second computing device, the batch; and remove, after a time interval, the batch from the web interface ([0177]: The loading of records from the system can occur in a few different ways. For examples, records can be pulled from record producer's computer or from PACS or other local storage systems. Loading of records can also occur when records are restored on the system, from direct loading from a file system, either single or multiple files, or CD import of records for directly uploading to the Central Server. When records are harvested, each record is verified on the system to ensure that duplicates are not created (FIG. 16B, block 234). Each file uses the Local System ID and Node ID to determine a match. Verification here occurs both when a record is uploaded and when a record is restored on the system. [0241]: the producer 3002 can upload medical imaging records and later, retrieve them from the storage facility. [0294] timing sequence for uploading DICOM files to the repository as well as the database. Modalities can be used to provide multiple images in sequential order with each modality being located on a producer. For example, Modality 1 3602 can provide Image 1 followed by Image 2 and Image 3. Modality 2 3602 can provide Image 4, Image 5 and Image 6 and Modality N 3602 can provide Image 7, Image 8 and Image 9. Modalities 1, 2 and N 3602 can upload their images at the same time to agent 3604. [0101]).

As per claim 10:
Vesper discloses wherein the instructions comprise additional computer-readable instructions that, when executed by the at least one processor, cause the computing platform to: determine the size of the batch to minimize the time interval for the batch to remain on the web interface ([0101]: When the patient's information (PHI) is requested, it is always transferred in a secure fashion and promptly and completely deleted when it is no longer needed and uploaded image for a user-specified period of time, for instance three months, six months, twelve months, or some other period of time. A timestamp can be placed on each copied image).

As per claim 11:
Vesper discloses wherein the instructions comprise additional computer-readable instructions that, when executed by the at least one processor, cause the computing platform to: receive, via the web interface, an error message indicative of a failure to upload the batch; and repeat, via the web interface and based on the error message, the upload of the batch ([0142]: P2P sender 274 is responsible for sending files out over the P2P network and making sure that delivery is completed and confirmed. P2P sender 274 receives instructions from the node manager to transmit a given file to a separate node. P2P sender 274 has the ability to send multiple files at the same time to different nodes on the system. P2P sender 274 verifies the file exists on storage manager 52, and locks 284 the file in transient storage 282 for transmission. P2P sender 274 is capable of compressing a record to a temporary location. P2P sender also unlocks the record on the local storage node and reports successful completion to the central network. If an error occurs during transmission, the P2P sender 274 retries, in one embodiment, three times, before reporting a transmission failure to the central network; [0186]: Also within the Central Server is the Network Node Manager. The network node manager is the central controlling point for the Peer-to-Peer Network. All nodes will authenticate or login to the system through this component. The management of record transfer, node status and node errors are handled here).

As per claim 12:
Vesper discloses wherein the instructions comprise additional computer-readable instructions that, when executed by the at least one processor, cause the computing platform to: modify the size of the batch based on the error message ([0304-0306]: Generally described, the producer's 3002 nominal state can be waiting for DICOM associations for the modality module 3730; The modality module 3730 associates with the central index 3702 to send a DICOM image. The producer 3002 can commit the DICOM image to disk and begin the processing pipeline. The producer 3002 can then submit an image resource request to the central index 3702 sending the DICOM header information in the request. If a resource exists with the given grid Id, it is returned otherwise an error can be returned).

As per claim 13:
Vesper discloses a method, comprising:
at a computing platform comprising at least one processor, and memory (Figure 1A, 1B: Record Consumer 15, 18 and Central Network 14):
receiving, via a first computing device and over a web interface, a query comprising an encryption key ([0125-0126]: Header manager administers the access and storage of the header or PHI information in the database; the header, PHI or personal information is encrypted in the database to prevent any unauthorized database access from viewing the data. Header manager 150 is comprised of header retriever and header sender. The header manager only returns header information to a trusted session. Header manager encrypts the header information before loading it onto the database, and decrypts it before sending it to a calling function. The system encrypts search criteria for patient information and identifies encrypted data in the database using an encryption indicator in the tables. Header manager manages searches from calling applications; ([0178]: store the record, split by the record harvester into its two main parts: PHI and body, The PHI 70 is then encrypted and a Key or Encryption Key is added to the PHI. The PHI plus Key are then sent to the Central Index and stored);
looking up, via the first computing device and in a database, the encryption key ([0100; 0261-0262]: The database can include fields for storing the personal information, encryption key and electronic address of the source node on which the record is stored. The study metadata database can be at one location or distributed among different sites;);
retrieving, via the first computing device and from the database, a secured link to the attribute ([0222]: Direct access to the tables in the database that contain sensitive and private information is not permitted. Access to these tables is done using views and stored procedures. Using views and procedures permits data to be secured at the record level); and
causing, based on the query, the secured link to the attribute to be provided to an authorized user ([0222]: When a user queries the table's view, the user credentials are determined and automatic filters are applied to the query to prevent any records from returning with higher security levels than the current user).

Vesper does not explicitly disclose identifying, based on the lookup, an attribute associated with the encryption key. LaFever, in analogous art however, discloses identifying, based on the lookup, an attribute associated with the encryption key ([0020]: unique, dynamically changing de-identifiers (“DDIDs”)—each associated with a subject, e.g., a person, place, or thing (e.g., an event, document, contract, or “smart contract”), to which data directly or indirectly pertains or relates (a “Data Subject”), and/or an action, activity, process and/or trait pertaining to a Data Subject, for a temporally unique period of time, thereby enabling the Data Subject to operate in a “dynamically anonymous” manner; [0024]: Each DDID may be associated with any one or more data attributes to facilitate with respect to a specific action, activity, process or trait, the combination of a DDID and any data elements associated with the DDID for a temporally unique period of time are referred to as a temporal data representation, or a “TDR.” For purposes hereof, if no data is associated with a DDID, then a DDID and its temporal data representation (or “TDR”) are identical; [0040]: an attribute or combination of data attributes may identify a Data Subject but are not themselves the Data Subject—the person or legal entity identified by an attribute or combination of data attributes may be the subject of said attribute or combination of data attributes and considered a related party with regard thereto since he/she/it has an interest in or association with said attribute or combination of data attributes; [0052]: TDRs and/or DDIDs contained in TDRs can also be used as advanced keys for known protection techniques such as encrypting, tokenizing, pseudonymizing, eliding or otherwise. The authentication module may be used to withhold the key necessary to unlock protection techniques for the contents of the TDR such as encrypting, tokenizing, pseudonymizing, eliding or otherwise, unless the TDR, DDID, undisclosed associated Data Subject, attribute, attribute combination or related party is confirmed as being authorized to participate with respect to a desired action, activity, process or trait at the specified time and/or place through DDID and/or TDR confirmation and known confirmation techniques such as password confirmation, multi-factor authentication or similar means; [0794]: dynamically created, changeable and re-assignable TDRs (comprised of dynamically changing and re-assignable DDIDs and the PII/PHI information) could be used to protect the confidentiality and privacy/anonymity of PII/PHI contained in patient medical records;  Multiple levels of abstraction establishes “rings of privacy” such that only the level of identifying information necessary to perform a desired service or permitted function is provided; Temporally unique and purpose limited data representations (TDRs) may be used to protect the confidentiality and privacy/anonymity of user and patient personally identifiable information (PII) and/or personal health information (PHI)). 
Therefore, it would have been obvious to a person having ordinary skill in the art before the effective filing date of the invention to modify the claimed limitations of the database disclosed by LaFever to include identifying, based on the lookup, an attribute associated with the encryption key. This modification would have been obvious because a person having ordinary skill in the art would have been motivated by the desire to provide improve data privacy and security by enabling subjects to which data pertains to remain “dynamically anonymous,” i.e., anonymous for as long as is desired and to the extent that is desired as suggested by LaFever (0019-0020).

As per claim 15:
Vesper discloses receiving, via the first computing device and based on a query for data associated with a user, a search result comprising an attribute of the user ([0125-0126]: Header manager administers the access and storage of the header or PHI information in the database; the header, PHI or personal information is encrypted in the database to prevent any unauthorized database access from viewing the data. Header manager 150 is comprised of header retriever and header sender. The header manager only returns header information to a trusted session. Header manager encrypts the header information before loading it onto the database, and decrypts it before sending it to a calling function. The system encrypts search criteria for patient information and identifies encrypted data in the database using an encryption indicator in the tables. Header manager manages searches from calling applications); 
generating, based on the attribute of the user, a data file ([0073]: a DICOM file, is composed of two major components: 1) the actual body of the record, for example, the image data, and 2) the image header information, which contains the personal or patient-identifying information; the header contains personal identifying information, also known as personal information, Protected Health Information, or PHI. Without the PHI header, record data, including image data, is anonymous and does not contain any unique patient identifying information. Therefore, the non-personal or anonymous data portion of a record is referred to herein as the Body; [0175]);
uploading, via the web interface and to a second computing device, the data file comprising an attribute identifier with the attribute of the user ([0177-0178] Loading of records can also occur when records are restored on the system, from direct loading from a file system, either single or multiple files, or CD import of records for directly uploading to the Central Server. Each file uses the Local System ID and Node ID to determine a match. Verification here occurs both when a record is uploaded and when a record is restored on the system; [0257]: The DICOM image was split into protected healthcare information and anonymous DICOM imaging data and joined by the consumer 3004. The split data was stored in different locations, for example, the protected healthcare information was stored in one area of the network while the imaging data was stored in another part);
receiving, via the web interface and from the second computing device, a second encryption key corresponding to the attribute identifier ([0175]: The harvesting process is completed at the server level. During the harvesting process, new records are identified, an encryption key is associated with the study and the PHI and the record are then copied to the local storage node. A copy of the PHI is also sent to the Central Index. The PHI and body of the record are linked using a unique identifier, referred to herein as the Tag or Harvester Tag. This identifier or tag is not an encryption key, but only the link between the PHI and the body of the record. The different components of a record as it is harvested, including PHI, body, Harvester Tag, and Encryption Key); and
storing, via the first computing device and in the database, an association between the attribute, the attribute identifier, and the encryption key ([0178]: store the record, split by the record harvester into its two main parts: PHI and body, The PHI 70 is then encrypted and a Key or Encryption Key is added to the PHI. The PHI plus Key are then sent to the Central Index and stored).

Vesper does not explicitly disclose generating the attribute identifier associated with the attribute of the user. LaFever, in analogous art however, discloses generating the attribute identifier associated with the attribute of the user ([0020]: unique, dynamically changing de-identifiers (“DDIDs”)—each associated with a subject, e.g., a person, place, or thing (e.g., an event, document, contract, or “smart contract”), to which data directly or indirectly pertains or relates (a “Data Subject”), and/or an action, activity, process and/or trait pertaining to a Data Subject, for a temporally unique period of time, thereby enabling the Data Subject to operate in a “dynamically anonymous” manner; [0024]: Each DDID may be associated with any one or more data attributes to facilitate with respect to a specific action, activity, process or trait, the combination of a DDID and any data elements associated with the DDID for a temporally unique period of time are referred to as a temporal data representation, or a “TDR.” For purposes hereof, if no data is associated with a DDID, then a DDID and its temporal data representation (or “TDR”) are identical; [0040]: an attribute or combination of data attributes may identify a Data Subject but are not themselves the Data Subject—the person or legal entity identified by an attribute or combination of data attributes may be the subject of said attribute or combination of data attributes and considered a related party with regard thereto since he/she/it has an interest in or association with said attribute or combination of data attributes; [0054]: In accordance with one aspect of one embodiment of the present invention, disclosed herein is a computer-implemented method of providing controlled distribution of electronic information. In one example, the method may include the steps or operations of receiving, at a computing device, data; identifying one or more attributes of the data; selecting, through the computing device, a DDID; associating the selected DDID with one or more of the data attributes; and creating a temporally unique data representation (TDR) from at least the selected DDID and the one or more data attributes; [0358]: a data attribute may refer to any data element that can be used, independently or in combination with other data elements, to identify a Data Subject, such as a person, place or thing, and/or associated actions, activities, processes or traits; [0794]: dynamically created, changeable and re-assignable TDRs (comprised of dynamically changing and re-assignable DDIDs and the PII/PHI information) could be used to protect the confidentiality and privacy/anonymity of PII/PHI contained in patient medical records;  Multiple levels of abstraction establishes “rings of privacy” such that only the level of identifying information necessary to perform a desired service or permitted function is provided; Temporally unique and purpose limited data representations (TDRs) may be used to protect the confidentiality and privacy/anonymity of user and patient personally identifiable information (PII) and/or personal health information (PHI). 
Therefore, it would have been obvious to a person having ordinary skill in the art before the effective filing date of the invention to modify the claimed limitations of the attribute of the user file disclosed by LaFever to include to generate the attribute identifier associated with the attribute of the user. This modification would have been obvious because a person having ordinary skill in the art would have been motivated by the desire to provide improve data privacy and security by enabling subjects to which data pertains to remain “dynamically anonymous,” i.e., anonymous for as long as is desired and to the extent that is desired as suggested by LaFever (0019-0020).

As per claims 14 and 16-19:
Claims 14 and 16-19 are directed to a method having substantially similar claimed corresponding limitations to claims 6, 2, 4, 9 and 10 respectively and therefore claims 14 and 16-19 are rejected with the same rationale give above to reject corresponding limitations of claims 6, 2, 4, 9 and 10 respectively.

As per claim 20:
Vesper discloses one or more non-transitory computer-readable media storing instructions that, when executed by a computing platform comprising at least one processor, and memory, cause the computing platform to:
submit, via a first computing device, a query for data associated with a user ([0129-0130: Header manager interfaces with search manager to search the headers or personal information; Search manager to search the headers or personal information, allows a search to be performed on a patient, physician and/or a facility, only searches publicly available patient information. the header search may provide three different fixed criteria: (1) Central or System ID, (2) Local ID, or (3) Last Name, First Name, Date of Birth and Birth City. The patient search function allows record consumers to search for header information with which the record consumer has a trusted relationship);
receive, via the first computing device, a search result comprising an attribute of the user ([0125-0126]: Header manager administers the access and storage of the header or PHI information in the database; the header, PHI or personal information is encrypted in the database to prevent any unauthorized database access from viewing the data. Header manager 150 is comprised of header retriever and header sender. The header manager only returns header information to a trusted session. Header manager encrypts the header information before loading it onto the database, and decrypts it before sending it to a calling function. The system encrypts search criteria for patient information and identifies encrypted data in the database using an encryption indicator in the tables. Header manager manages searches from calling applications);
generate, based on the plurality of attributes, a plurality of data file comprising a plurality of attribute identifier with the plurality of attribute ([0073]: a DICOM file, is composed of two major components: 1) the actual body of the record, for example, the image data, and 2) the image header information, which contains the personal or patient-identifying information; the header contains personal identifying information, also known as personal information, Protected Health Information, or PHI. Without the PHI header, record data, including image data, is anonymous and does not contain any unique patient identifying information. Therefore, the non-personal or anonymous data portion of a record is referred to herein as the Body; [0175]);
determine, based on a web interface, a size of a batch comprising a sub-plurality of the plurality of data files ([0177]: The loading of records from the system can occur in a few different ways. For examples, records can be pulled from record producer's computer or from PACS or other local storage systems. Loading of records can also occur when records are restored on the system, from direct loading from a file system, either single or multiple files, or CD import of records for directly uploading to the Central Server. When records are harvested, each record is verified on the system to ensure that duplicates are not created (FIG. 16B, block 234). Each file uses the Local System ID and Node ID to determine a match. Verification here occurs both when a record is uploaded and when a record is restored on the system. [0241]: the producer 3002 can upload medical imaging records and later, retrieve them from the storage facility. [0294] timing sequence for uploading DICOM files to the repository as well as the database. Modalities can be used to provide multiple images in sequential order with each modality being located on a producer. For example, Modality 1 3602 can provide Image 1 followed by Image 2 and Image 3. Modality 2 3602 can provide Image 4, Image 5 and Image 6 and Modality N 3602 can provide Image 7, Image 8 and Image 9. Modalities 1, 2 and N 3602 can upload their images at the same time to agent 3604. [0101]);
upload, via a web interface and to a second computing device, the data file comprising the attribute identifier ([0177-0178] Loading of records can also occur when records are restored on the system, from direct loading from a file system, either single or multiple files, or CD import of records for directly uploading to the Central Server. Each file uses the Local System ID and Node ID to determine a match. Verification here occurs both when a record is uploaded and when a record is restored on the system; [0257]: The DICOM image was split into protected healthcare information and anonymous DICOM imaging data and joined by the consumer 3004. The split data was stored in different locations, for example, the protected healthcare information was stored in one area of the network while the imaging data was stored in another part);
receive, via the web interface and from the second computing device, an encryption key corresponding to the sub-plurality of the plurality of data files ([0175]: The harvesting process is completed at the server level. During the harvesting process, new records are identified, an encryption key is associated with the study and the PHI and the record are then copied to the local storage node. A copy of the PHI is also sent to the Central Index. The PHI and body of the record are linked using a unique identifier, referred to herein as the Tag or Harvester Tag. This identifier or tag is not an encryption key, but only the link between the PHI and the body of the record. The different components of a record as it is harvested, including PHI, body, Harvester Tag, and Encryption Key); and
store, via the first computing device and in a database, an association between the encryption key and the sub-plurality of the plurality of data files ([0178]: store the record, split by the record harvester into its two main parts: PHI and body, The PHI 70 is then encrypted and a Key or Encryption Key is added to the PHI. The PHI plus Key are then sent to the Central Index and stored).

Vesper does not explicitly disclose generating the attribute identifier associated with the plurality of attribute of the user. LaFever, in analogous art however, discloses generating the attribute identifier associated with the plurality of attribute of the user ([0020]: unique, dynamically changing de-identifiers (“DDIDs”)—each associated with a subject, e.g., a person, place, or thing (e.g., an event, document, contract, or “smart contract”), to which data directly or indirectly pertains or relates (a “Data Subject”), and/or an action, activity, process and/or trait pertaining to a Data Subject, for a temporally unique period of time, thereby enabling the Data Subject to operate in a “dynamically anonymous” manner; [0024]: Each DDID may be associated with any one or more data attributes to facilitate with respect to a specific action, activity, process or trait, the combination of a DDID and any data elements associated with the DDID for a temporally unique period of time are referred to as a temporal data representation, or a “TDR.” For purposes hereof, if no data is associated with a DDID, then a DDID and its temporal data representation (or “TDR”) are identical; [0040]: an attribute or combination of data attributes may identify a Data Subject but are not themselves the Data Subject—the person or legal entity identified by an attribute or combination of data attributes may be the subject of said attribute or combination of data attributes and considered a related party with regard thereto since he/she/it has an interest in or association with said attribute or combination of data attributes; [0054]: In accordance with one aspect of one embodiment of the present invention, disclosed herein is a computer-implemented method of providing controlled distribution of electronic information. In one example, the method may include the steps or operations of receiving, at a computing device, data; identifying one or more attributes of the data; selecting, through the computing device, a DDID; associating the selected DDID with one or more of the data attributes; and creating a temporally unique data representation (TDR) from at least the selected DDID and the one or more data attributes; [0358]: a data attribute may refer to any data element that can be used, independently or in combination with other data elements, to identify a Data Subject, such as a person, place or thing, and/or associated actions, activities, processes or traits; [0794]: dynamically created, changeable and re-assignable TDRs (comprised of dynamically changing and re-assignable DDIDs and the PII/PHI information) could be used to protect the confidentiality and privacy/anonymity of PII/PHI contained in patient medical records;  Multiple levels of abstraction establishes “rings of privacy” such that only the level of identifying information necessary to perform a desired service or permitted function is provided; Temporally unique and purpose limited data representations (TDRs) may be used to protect the confidentiality and privacy/anonymity of user and patient personally identifiable information (PII) and/or personal health information (PHI). 
Therefore, it would have been obvious to a person having ordinary skill in the art before the effective filing date of the invention to modify the claimed limitations of the plurality of attribute of the user file disclosed by LaFever to include to generate the attribute identifier associated with the attribute of the user. This modification would have been obvious because a person having ordinary skill in the art would have been motivated by the desire to provide improve data privacy and security by enabling subjects to which data pertains to remain “dynamically anonymous,” i.e., anonymous for as long as is desired and to the extent that is desired as suggested by LaFever (0019-0020).

BRI (Broadest Reasonable Interpretation)
The above claims under examination have been given their BRI consistent with the applicant’s disclosure as it would be interpreted by one of ordinary skill in the art and the following claim words or terms or phrases or languages have been given to them the following reasonable BRI considerations in view of the applicant’s disclosure to construe boundary and scope of the claimed limitations. For example, for the following claim words or terms or phrases or languages, the examiner recites BRI considerations from the applicant’s disclosure as follows:

Data: [0035]: Data may include, for example, data associated with demographic information, market segment information (e.g., household income, age group, residential information, lifestyle, date of birth, age, and so forth). In some instances, certain types of data may be protected data. For example, there are more than thirty known types of protected data. These may include protected personal information (e.g., personally identifiable information ("PII")), protected health information ("PHI"), personal credit information protected under the payment card industry data security standard ("PCI"). For example, PII generally refers to any data that may be potentially utilized to identify a particular person. Such data, may include, for example, a full name, a social security number, a driver's license number, a passport number, a bank account number, an electronic mail address, and so forth. PHI may be any health information that may be associated with a name, a geographical identifier, a phone number, a fax number, a social security number, a medical health record number, and so forth. Also, for example, PCI data may be any form of cardholder data, for example, associated with a credit card and/or a debit card.

Attribute Identifier: [0039]: The attribute identifier may be a sequential number. In some instances, the attribute identifier may be predictable. In some embodiments, the attribute identifier may be determined for a user. For example, an individual user may be associated with an individual identifier. In some embodiments, the attribute identifier may be determined for a group that includes the user. For example, the group may be a household, and the household may be associated with a household identifier. [0058]: An attribute identifier such as, PartyID, such as for example, the customer level attribute identifier, IndividualID, or the household customer level attribute such as HouseholdID, may be available within an enterprise organization. The PartyID may be a sequential number that may be predictable.

Remove the Data File: [0005] Providing the data file may include removing, after an elapse of a time threshold, the data file from the web interface. [0039] Multi-dimensional API computing platform 110 may generate, based on the attribute of the user, or based on the updated API_Table, a data file comprising an attribute identifier associated with the attribute of the user. For example, the data file may be a record that includes the search results, such as, for example, multi-dimensional attributes such as the individual identifier, the household identifier, the name and address, the telephone number, the electronic mail address, and so forth. [0045] Also, for example, a second dimension may be indicative of a number of data files in a batch (e.g., a size of a batch) may be transferred via web interface 225. As another example, a third dimension may be indicative of a length of time that the data attributes persist in web interface 225, before being removed, and/or deleted. 

Secure Link:	[0050] As described herein, data files may be transmitted via a secure file transfer protocol (“SFTP”). Generally, the data files may be sent in batches, where size of a batch may depend on a type of web interface 225 available. In some embodiments, a batch may include 50 records or data files, where each record may be associated with a user. [0063] Associating the attribute identifier, the attribute and the encryption key may provide several secure data transmission options. For example, in some embodiments, multi-dimensional API computing platform 110 may receive, via the first computing device (e.g. enterprise user computing device 140) and over a secured network (e.g., private network 160), a second query comprising the attribute identifier. As described herein, the attribute identifier may be available within an enterprise organization. Accordingly, when an enterprise user looks up customer information, the enterprise user may utilize the attribute identifier to directly look up the customer information. For example, an enterprise user may be in a real-time online session with a customer, and the customer may request information related to an account. Accordingly, enterprise user may utilize the attribute identifier to submit a query to directly look up the customer information.
[0069] In some embodiments, multi-dimensional API computing platform 110 may retrieve, via the first computing device (e.g. enterprise user computing device 140) and from the database (e.g., RDMS 235), a link to the attribute. Generally, the attribute itself may not be transmitted outside the enterprise organization. However, a secure link to the attribute may be provided. This may provide an additional layer of security to customer information in general, and protected data in particular. Subsequently, multi-dimensional API computing platform 110 may cause, based on the second query, the link to the attribute to be provided over an authenticated network. For example, multi-dimensional API computing platform 110 may cause second computing device 240 to display the link to the attribute. In some embodiments, multi-dimensional API computing platform 110 may cause second computing device 240 to display the attribute in a chat window associated with a live chat session with a customer. In some instances, the attribute may relate to protected information, and users to view the protected information may be allowed secure access to the protected information via the secured link.
[0074] At step 430, multi-dimensional API computing platform 110 may retrieve, via the first computing device and from the database, a secured link to the attribute. At step 435, multi-dimensional API computing platform 110 may cause, based on the query, the secured link to the attribute to be provided to an authorized user.

Conclusion
The prior arts made of record and not relied upon are considered pertinent to applicant's disclosure. See the notice of reference cited in form PTO-892 for additional prior arts.

THIS ACTION IS MADE FINAL.  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action. 

Contact Information
Any inquiry concerning this communication or earlier communications from the examiner should be directed to TECHANE GERGISO whose telephone number is (571)272-3784. The examiner can normally be reached 9:30am to 6:30pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, JUNG W KIM can be reached on 5712723804. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/TECHANE GERGISO/Primary Examiner, Art Unit 2494