Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
Response to Arguments
Applicant's response with amendments filed 06/30/2022 have been received and entered. Applicant has amended claims 1, 4-8, 11, 12, and 14, cancelled claims 2, 3, 9, 10, and 13, and added new claim 15. Amended claims have been examined on the merits.
Applicant’s arguments, see Applicant Arguments pages 6-7, with respect to the rejection(s) under 35 U.S.C. 101 have been fully considered and are not persuasive. Therefore, the rejection has been maintained.
3.	Applicant’s arguments, see Applicant Arguments page 7, with respect to the rejection(s) under 35 U.S.C. 102 have been fully considered and are persuasive. Therefore, the rejection has been withdrawn.
Applicant’s arguments, see Applicant Arguments pages 7-10, with respect to the rejection(s) of the independent claims 1, and 12 under 35 U.S.C. 103 have been fully considered and are persuasive.
 Therefore, the rejection has been withdrawn. However, upon further consideration, a new ground(s) of rejection is made in view of Yao et al. (US 20210366106), hereinafter Yao.
	The rest of applicant’s arguments are moot in view of new grounds of rejection set forth above.
Claim Rejections - 35 USC § 101
35 U.S.C. 101 reads as follows:
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.

Claims 1-15 rejected under 35 U.S.C. 101 because under its broadest reasonable interpretation, covers performance of the limitations in the mind that falls within the “Mental Processes” grouping of abstract ideas. Accordingly, the claims recite an abstract idea.
	Regarding Claims 1 and 12, The claimed invention is directed to abstract idea without significantly more. The claim recites the limitation of “generating, by a processor, first interim result by applying a first de-identification process to initial data”, “generating, by the processor, a first analysis metric for the first interim result data”, and “generating, by the processor, final result data based on the first interim result data” may be evaluated under its broadest reasonable interpretation, covers performance of the limitation in mind. Nothing in the claim element precludes the step from practically being performed in the mind. If a claim limitation, under its broadest reasonable interpretation, covers performance of the limitation in the mind, then it falls within the “Mental Processes” grouping of abstract ideas. Accordingly, the claim recites an abstract idea.
	Claims 4-8, 11, 14, and 15 are rejected under 35 U.S.C. 101 for the reason stated above. Claims 4-8, 11, 14, and 15 depend on claim 1, and claim 13 depend on claim 12; however, they do not add any feature or subject matter that would solve any of the deficiencies of claims 1 and 12.
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1, 4-8, 11, 12, and 14 are rejected under 35 U.S.C. 103 as being unpatentable over GKOULALAS-DIVANIS (US 20190188292), hereinafter DIVANIS in view of Scaiano et al. (US 20170124351), hereinafter Scaiano in view of Yao et al. (US 20210366106), hereinafter Yao.
	Regarding Claim 1, DIVANIS teaches
	  A method for de-identification for data, the method comprising: generating, by a processor, first interim result data by applying a first de- identification process to initial data, and storing the first interim result data in a memory; (Para [0019] Present invention embodiments pertain to automated, periodic re-evaluation of a data de-identification ruleset over a dataset (or data stream) with respect to an ability of the data de-identification ruleset to offer sufficient data de-identification (compliant with data de-identification requirements of laws, policies, standards, etc.). Present invention embodiments dynamically transit from a current data de-identification ruleset for data de-identification to another (expert-provided) data de-identification ruleset, when the current data de-identification ruleset is no longer offering sufficient privacy protection. Para [0021] A present invention embodiment provides a mechanism to continuously (e.g., in real time) or periodically (preferably in short periods of time (e.g., every few weeks, etc.)) monitor a dataset and re-evaluate appropriateness of enforced data de-identification rules toward sufficiently protecting privacy of individuals represented in the dataset. This mechanism automatically (and dynamically) changes the data de-identification ruleset that is applied to the dataset in order to adapt to new conditions that invalidate the effectiveness of the prior data de-identification ruleset)
	generating, by the processor, final result data based on the first interim result data, when the first analysis metric satisfies a first de-identification criterion, and storing the final result data in the memory (Para [0028] Client systems 114 enable users to interact with server systems 110 to perform desired actions, such as data de-identification. The server systems include an evaluation module 116 to monitor compliance of changing data with a current or active data de-identification ruleset, and a rule module 120 to dynamically modify the data de-identification ruleset based on the evaluation. … The client systems may present a graphical user (e.g., GUI, etc.) or other interface (e.g., command line prompts, menu screens, etc.) to solicit information from users pertaining to the analysis, and may provide reports including analysis results [i.e. final result] (e.g., recommended data de-identification rulesets, de-identified datasets, invalid conditions, data de-identification ruleset evaluation results, etc.).  Para [0048] Once each condition of active data de-identification ruleset 225 has been processed, the presence of an invalid condition is determined at step 335. When each condition [i.e. de-identification criterion] is satisfied, active data de-identification ruleset 225 is maintained at step 340. If at least one condition is indicated as invalid, active data de-identification ruleset 225 is provided to rule module 120 for modification or replacement at step 345);
	generating, by the processor, second interim result data by applying a second de- identification process to the first interim result data, when the first analysis metric does not satisfy the first de-identification criterion, and storing the second interim result data in the memory (Para [0055] When a new data de-identification ruleset is to be identified to replace the active data de-identification ruleset as determined at step 410, the group of predetermined (or user-provided) data de-identification rulesets is examined to identify a new data de-identification ruleset at step 425. This may be accomplished by initially determining statistics and/or characteristics of new dataset 220 [i.e. second interim data] and external datasets to provide a state of the new dataset. These characteristics and/or statistics may include those described above for the evaluation. Data de-identification rulesets with more relaxed requirements of the invalid conditions may be identified based on the determined state, and the conditions of the identified data de-identification ruleset is evaluated against dataset 220 at step 430. Alternatively, each of the data de-identification rulesets in the group may be evaluated (e.g., by evaluation module 116) against the new dataset (and determined state) at step 430 as described above to identify a data de-identification ruleset with each condition satisfied);
	DIVANIS does not explicitly teach generating, by the processor, a first analysis metric for the first interim result data, and storing the first analysis metric in the memory; generating, by the processor, a second analysis metric for the second interim result data, and storing the second analysis metric in the memory; and generating, by the processor, final result data based on the second interim result data, when the second analysis metric satisfies a second de-identification criterion, and storing the final result data in the memory.
	In the same field of endeavor, Scaiano teaches
	generating, by the processor, a first analysis metric for the first interim result data, and storing the first analysis metric in the memory (Para [0083] Embodiments in accordance with the present disclosure use novel risk prediction processes and novel risk measurement processes [i.e. metrics]. Embodiments also provide usage of computer-implemented data structures that are novel in this usage space. The anonymity histogram data structure combined with risk prediction using histograms helps enable selection of a de-identification strategy, including but not limited to the amount of suppression predicted to lower the risk of re-identification to an acceptable level. Embodiments in accordance with the present disclosure address the following problems and include at least the following benefits);
	generating, by the processor, a second analysis metric for the second interim result data, and storing the second analysis metric in the memory (Para [0077] Suppose there is a dataset for which a risk measurement is to be determined. The anonymity histogram summarizes in histogram form every individual's risk score or anonymity, for use in making predictions. … This shift may be applied to the histogram to calculate a new histogram. From the new histogram, embodiments may can calculate what the risk will be from that shifted histogram. Embodiments take the histogram, find an appropriate shift for a generalization, apply the shift, and then calculate a risk estimate associated with the generalization); and
	generating, by the processor, final result data based on the second interim result data, when the second analysis metric satisfies a second de-identification criterion, and storing the final result data in the memory (Para [0094] Step 409 of process 400 determines whether the predicted risk from step 407 is acceptable. If the dataset does not have sufficiently low risk, then control of process 400 returns to step 403, where a new de-identification strategy is generated, and steps 405, 407, 409 are repeated. If the outcome of step 409 is that the dataset using the strategy does have sufficiently low risk, then a solution has been found and control of process 400 transitions to optional step 410. At optional step 410, a transformed dataset may be supplied. For example, the user may apply the strategy, or the strategy may be directly applied to the dataset and a low risk dataset be produced. Thereafter, process 400 transitions to step 411 to wrap up and complete process 400).
	It would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified the method taught by DIVANIS to incorporate the teachings of Scaiano such that the method of DIVANIS includes generating, by the processor, a first analysis metric for the first interim result data, and storing the first analysis metric in the memory; generating, by the processor, a second analysis metric for the second interim result data, and storing the second analysis metric in the memory; and generating, by the processor, final result data based on the second interim result data, when the second analysis metric satisfies a second de-identification criterion, and storing the final result data in the memory. One would have been motivated to make such combination so that the anonymity histogram data structure combined with risk prediction using histograms helps enable selection of a de-identification strategy (Scaiano, Para [0083]).
	The combination of DIVANIS and Scaiano does not explicitly teach wherein the second interim result data is interim result data updated from the first interim result data by adding a result of the second de-identification process with accumulating on the first interim result data.
	In the same field of endeavor, Yao teaches
	wherein the second interim result data is interim result data updated from the first interim result data by adding a result of the second de-identification process with accumulating on the first interim result data (Para [0087] The user profile entry can include usage data 520 which can include identifying information for a plurality of usages by the user in conjunction with using one or more subsystems 101. This can include consumption usage data 521, which can include a listing of, or aggregate data associated with, usages of one or more subsystems by the user, for example, where the user is utilizing the subsystem as a service.  Para [0093] Aggregate performance score data 533 [i.e. second interim result] can be generated automatically by a subsystem based on the aggregate efficiency and/or accuracy data. The aggregate performance data can include categorized performance data 534, for example, corresponding to different scan types, different anatomical regions, different subsystems, different interactive interface features and/or display parameters. The categorized performance data 534 can be determined automatically by a subsystem based on the scan type data 421 and/or anatomical region data 422 of the medical scan associated with each contribution, one or more subsystems 101 associated with each contribution, and/or interactive interface feature data 524 associated with each contribution).
	It would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified the method taught by the combination of DIVANIS and Scaiano to incorporate the teachings of Yao such that the method of the combination of DIVANIS and Scaiano includes wherein the second interim result data is interim result data updated from the first interim result data by adding a result of the second de-identification process with accumulating on the first interim result data. One would have been motivated to make such combination so that the aggregate performance score data can be generated automatically by a subsystem based on the aggregate efficiency and/or accuracy data. (Yao, Para [0093]).
	Regarding Claim 4, the combination of DIVANIS, Scaiano, and Yao teaches all the limitations of claim 1 above,
	wherein: the first analysis metric is generated based on a part of all of data subsets included in the first interim result data (Scaiano, Para [0083] Embodiments in accordance with the present disclosure use novel risk prediction processes and novel risk measurement processes. Embodiments also provide usage of computer-implemented data structures that are novel in this usage space. The anonymity histogram data structure combined with risk prediction using histograms helps enable selection of a de-identification strategy, including but not limited to the amount of suppression predicted to lower the risk of re-identification to an acceptable level. Embodiments in accordance with the present disclosure address the following problems and include at least the following benefits), and
	the second analysis metric is generated based on a part of all of data subsets included in the second interim result data (Scaiano, Para [0077] Suppose there is a dataset for which a risk measurement is to be determined. The anonymity histogram summarizes in histogram form every individual's risk score or anonymity, for use in making predictions. … This shift may be applied to the histogram to calculate a new histogram. From the new histogram, embodiments may can calculate what the risk will be from that shifted histogram. Embodiments take the histogram, find an appropriate shift for a generalization, apply the shift, and then calculate a risk estimate associated with the generalization).
	The motivation/rationale to combine the references is similar to claim 1 above.
	Regarding Claim 5, the combination of DIVANIS, Scaiano, and Yao teaches all the limitations of claim 1 above,
	wherein: the final result data is generated based on a part of all of data subsets included in the first interim result data or the second interim result data (Scaiano, Para [0094] Step 409 of process 400 determines whether the predicted risk from step 407 is acceptable. If the dataset does not have sufficiently low risk, then control of process 400 returns to step 403, where a new de-identification strategy is generated, and steps 405, 407, 409 are repeated. If the outcome of step 409 is that the dataset using the strategy does have sufficiently low risk, then a solution has been found and control of process 400 transitions to optional step 410. At optional step 410, a transformed dataset may be supplied. For example, the user may apply the strategy, or the strategy may be directly applied to the dataset and a low risk dataset be produced. Thereafter, process 400 transitions to step 411 to wrap up and complete process 400).
	The motivation/rationale to combine the references is similar to claim 1 above.
	Regarding Claim 6, the combination of DIVANIS, Scaiano, and Yao teaches all the limitations of claim 1 above,
	wherein: the first de-identification process corresponds to a first type de-identification process, and the second de-identification process corresponds to a second type de-identification process (Scaiano, Para [0070] Standard de-identification techniques known in the art include generalization, suppression, and subsampling. A set of de-identification techniques, with particular settings for particular variables, will be referred to as a de-identification strategy. A de-identification strategy describes the transformations to a dataset for the purposes of de-identification).
	The motivation/rationale to combine the references is similar to claim 1 above.
	Regarding Claim 7, the combination of DIVANIS, Scaiano, and Yao teaches all the limitations of claim 1 and claim 6 above,
	The method according to claim 6, further comprising: performing at least one additional de-identification process corresponding to the first type de-identification process or the second type de-identification process, when the first analysis metric does not satisfy the first de-identification criterion or the second analysis metric does not satisfy the second de-identification criterion (DIVANIS,  Para [0008] According to one embodiment of the present invention, a system dynamically changes a data de-identification ruleset applied to a dataset for de-identifying data and comprises at least one processor. The system periodically monitors a dataset derived from data that is de-identified according to a data de-identification ruleset under a set of conditions. The set of conditions for the data de-identification ruleset is evaluated with respect to the monitored data to determine applicability of the data de-identification. One or more rules of the data de-identification ruleset are dynamically changed in response to the evaluation indicating one or more conditions of the set of conditions for the initial data de-identification ruleset are no longer satisfied);
	generating an additional interim result data for each of the at least one additional de-identification process (DIVANIS, Para [0009] This provides a mechanism that continuously (e.g., in real time) or periodically evaluates the validity of assumptions made by a statistical expert, and adapts the data de-identification rules as necessary in order to maintain a high level of privacy protection. The data de-identification may be adapted based on machine learning to provide a cognitive and intelligent adaptation of the data de-identification. In other words, the mechanism maintains a re-identification risk below an acceptable threshold, usually based on the applicable privacy requirements and legal frameworks (e.g., HIPAA Safe Harbor, etc.));
	generating an additional analysis metric for the additional interim result data (DIVANIS, Para [0037] Evaluation module 116 executes condition evaluation processes corresponding to conditions 230 of active data de-identification ruleset 225, where each condition evaluation process preferably determines a numeric value or score. The determined score is compared to a threshold, preferably set by a user (e.g., data de-identification expert, etc.) to determine compliance with a corresponding condition 230. When each condition 230 of active data de-identification ruleset 225 is satisfied, the active data de-identification ruleset is enforced at flow 250); and
	generating final result data based on the additional interim result data, when the additional analysis metric satisfies an additional de-identification criterion (DIVANIS, Para [0048] Once each condition of active data de-identification ruleset 225 has been processed, the presence of an invalid condition is determined at step 335. When each condition is satisfied, active data de-identification ruleset 225 is maintained at step 340. If at least one condition is indicated as invalid, active data de-identification ruleset 225 is provided to rule module 120 for modification or replacement at step 345).
	Regarding Claim 8, the combination of DIVANIS, Scaiano, and Yao teaches all the limitations of claim 1 and claim 6 above,
	wherein: the first type de-identification process includes at least one de-identification process performed before or after the second type de-identification process (Scaiano, Para [0017] Embodiments in accordance with the present disclosure include a system and a method to produce an anonymized cohort using a predetermined de-identification strategy, members of the cohort having less than a predetermined risk of re-identification.  Para [0050] A de-identification strategy including a combination of field generalization, cell suppression and subsampling will transform the patient's anonymity in a manner that embodiments can estimate), and
	the second type de-identification process includes at least one de-identification process of applying a predetermined privacy protection model (DIVANIS, Para [0009] This provides a mechanism that continuously (e.g., in real time) or periodically evaluates the validity of assumptions made by a statistical expert, and adapts the data de-identification rules as necessary in order to maintain a high level of privacy protection).
	The motivation/rationale to combine the references is similar to claim 1 above.
	Regarding Claim 11, the combination of DIVANIS, Scaiano, and Yao teaches all the limitations of claim 1 above,
	wherein: the first analysis metric includes standardized measurement data applicable to a result of the first de-identification process, and the second analysis metric includes standardized measurement data applicable to a result of the second de-identification process (DIVANIS, Para [0019] Present invention embodiments pertain to automated, periodic re-evaluation of a data de-identification ruleset over a dataset (or data stream) with respect to an ability of the data de-identification ruleset to offer sufficient data de-identification (compliant with data de-identification requirements of laws, policies, standards, etc.).  Para [0049] … When the active data de-identification ruleset is to be modified as determined at step 410, the various data de-identification rules and/or conditions may be adjusted for new dataset 220 to comply with the conditions at step 415. The adjustments are restricted to those within the limits of any data de-identification requirements (e.g., of laws, policies, standards, etc.)).
	Regarding Claim 12, 
Claim 12 is rejected for similar reasons as in claim 1.
	Additionally, Scaiano teaches
	An apparatus for de-identification for a data, the apparatus comprising: a transceiver; a memory; a user interface; and a processor (Para [0017] … The method includes receiving a query via a communication channel (i.e. transceiver) coupled to a processor, the query comprising a request to predict the risk of re-identification based on an anonymity histogram and de-identification strategy, … Para [0069] FIG. 2 shows a system 200 for performing risk assessment of a dataset, in accordance with an embodiment of the present disclosure. System 200 executes on a computer including a processor 202, memory 204, and input/output interface 206).
	Regarding Claim 14, 
Claim 14 is rejected for similar reasons as in claim 1.
Claim 15 is rejected under 35 U.S.C. 103 as being unpatentable over GKOULALAS-DIVANIS (US 20190188292), hereinafter DIVANIS in view of Scaiano et al. (US 20170124351), hereinafter Scaiano in view of Yao et al. (US 20210366106), hereinafter Yao in view of Gkoulalas-Divanis (US 20190266353), hereinafter Divanis (2) in view of Erickson et al. (US 20040199781), hereinafter Erickson.
	Regarding Claim 15, the combination of DIVANIS, Scaiano, and Yao teaches all the limitations of claim 1 and claim 6 above,
	The combination of DIVANIS, Scaiano, and Yao does not explicitly teach wherein: the first type de-identification process includes at least one of data value deletion, pseudonymization, totalization, categorization, or data masking.
	In the same field of endeavor, Divanis (2) teaches
	wherein: the first type de-identification process includes at least one of data value deletion, pseudonymization, totalization, categorization, or data masking (Para [0025] Provider evaluation module 160 may associate each attribute identified by vulnerability analysis module 150 with one or more de-identification providers. Each de-identification provider may be a particular process for de-identifying or anonymizing data. For example, a de-identification provider may be a data masking algorithm for protecting email or postal addresses of individuals, or a data generalization method for abstracting data values related to individuals such as dates, diagnosis codes, purchased items, etc.).
	It would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified the method taught by the combination of DIVANIS, Scaiano, and Yao to incorporate the teachings of Divanis (2) such that the method of the combination of DIVANIS, Scaiano, and Yao includes wherein: the first type de-identification process includes at least one of data value deletion, pseudonymization, totalization, categorization, or data masking. One would have been motivated to make such combination in order to provide optimizing the data de-identification process by executing multiple different de-identification processes to iteratively de-identify data (Divanis (2), Para [0013]).
	The combination of DIVANIS, Scaiano, Yao, and Divanis (2) does not explicitly teach the second type de-identification process includes applying at least one privacy protection model of K-anonymity, L-diversity, or T-closeness.
	In the same field of endeavor, Erickson teaches
	the second type de-identification process includes applying at least one privacy protection model of K-anonymity, L-diversity, or T-closeness (Para [0021] The systems and methods described herein include, among other things, systems and methods that employ a k-anonymity analysis of abstract to produce a new data set that protects patient privacy, while providing as much information as possible from the original data set. Para [0046] Next, in step 112, the process creates an output dataset that is identical to the input dataset, except that the process has scrubbed out the minimum necessary number of data elements, from the least vital fields in the dataset, to achieve the pre-selected k-anonymity).
	It would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified the method taught by the combination of DIVANIS, Scaiano, Yao, and Divanis (2) to incorporate the teachings of Erickson such that the method of the combination of DIVANIS, Scaiano, Yao, and Divanis (2) includes the second type de-identification process includes applying at least one privacy protection model of K-anonymity, L-diversity, or T-closeness. One would have been motivated to make such combination so that the approach is based on the well-known k-anonymity concept. K-anonymity states that for every unique record there must be a total of at least k records with exactly the same field values (Erickson, Para [0008]).	
Conclusion
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to HAMID TALAMINAEI whose telephone number is (571)270-3283. The examiner can normally be reached Flexible, M-F 7:30 -5:30.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Shewaye Gelagay can be reached on (571) 272-4219. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.




/HAMID TALAMINAEI/Examiner, Art Unit 2436                                                                                                                                                                                                        
/FATOUMATA TRAORE/Primary Examiner, Art Unit 2436