DETAILED ACTION

This Final Office Action is in response to Applicant's amendments and arguments filed on November 7, 2022.  Applicant has amended claims 1, 9, 16, 18.  Currently, claims 1-20 are pending.   The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Response to Amendments

The 35 U.S.C. 101 rejections of claims 1-20 are withdrawn in light of applicant’s amendments to claims 1, 9, 16, 18.
The 35 U.S.C. 103 rejections of claims 1-20 are withdrawn in light of applicant’s amendments to claims 1, 9, 16, 18.  Applicant’s amendments necessitated the new grounds for rejection in this office action.

Response to Arguments

Applicant’s arguments submitted on 11/7/22 have been considered and are persuasive in regards to the 101 rejection but not the 103 rejections, which are moot in light of the newly applied Biswas reference.  

Claim Rejections - 35 USC § 103

The following is a quotation of 35 U.S.C. 103(a) which forms the basis for all obviousness rejections set forth in this Office action:
(a) A patent may not be obtained though the invention is not identically disclosed or described as set forth in section 102 of this title, if the differences between the subject matter sought to be patented and the prior art are such that the subject matter as a whole would have been obvious at the time the invention was made to a person having ordinary skill in the art to which said subject matter pertains.  Patentability shall not be negatived by the manner in which the invention was made.

In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
This application currently names joint inventors. In considering patentability of the claims the examiner presumes that the subject matter of the various claims was commonly owned as of the effective filing date of the claimed invention(s) absent any evidence to the contrary.  Applicant is advised of the obligation under 37 CFR 1.56 to point out the inventor and effective filing dates of each claim that was not commonly owned as of the effective filing date of the later invention in order for the examiner to consider the applicability of 35 U.S.C. 102(b)(2)(C) for any potential 35 U.S.C. 102(a)(2) prior art against the later invention.

Claims 1-10, 16-19 are rejected under 35 U.S.C. 103 as being unpatentable over Kulkarni (US 2013/0297346 A1) in view of Osborn et al. (US 2007/0239495 A1) (hereinafter Osborn) in view of Biswas et al. (US 2020/0273046 A1) (hereinafter Biswas).

Claims 1 and 16:
Kulkarni, as shown, discloses the following limitations of claims 1 and 16:
A method (and corresponding system, see para [0010], [0036], showing equivalent computer structure for implementing the system) comprising: receiving a plurality of responses associated with an audit of a healthcare site (see para [0005], "The Healthcare Privacy Violation Detection System (HPV-DS) serves as a central point for investigative and auditing capability for HIPAA and HITECH or other compliance requirements on storing and accessing patient PHI, enabling healthcare providers to quickly and accurately monitor breaches within their systems. HPV-DS relies on past trends of authorized users in a healthcare facility to determine if an access was appropriate. Any outlier is reported, and all access that fit within normal activity are stored, but are not reported, so only the necessary occurrences are pointed out to authorities for review. The healthcare privacy violation detection system (HPV-DS) uses a healthcare facility's audit logs and non-healthcare audit logs to detect and report an authorized user's abnormal and potentially unauthorized access to a patient's personal health information (PHI)." where logs can be considered responses);
calculating a deficiency score for the healthcare site based on a first quantity of a subset of the plurality of responses indicating a deficient status for the healthcare site by summing risk values associated with the subset of the plurality of responses indicating the deficient status and a second quantity of a subset of the plurality of responses indicating an improvement required status for the healthcare site by summing risk values associated with the subset of the plurality of responses indicating the improvement required status (see para [0011], "The method can also include weighting the cumulative risk score according to a percentage of matching parameters, and/or weighting the risk score for each parameter based on a different risk of privacy violation for a particular parameter, and/or adding audit log parameters generated by the unknown authorized user to the new set of baseline parameters for the unknown authorized user for a predefined time frame, and/or a learning engine routine including creating and storing a new set of baseline parameters for an unknown authorized user when the audit log is generated by an unknown authorized user." where a privacy violation can be considered a deficient status, and see para [0028], where the new baseline based on the new user data can be considered an improvement required status, and see para [0032], "Parameter matches are scored and these risk scores are added together");
calculating a total score for the healthcare site based on a third quantity of the plurality of responses and a fourth quantity of a subset of the plurality of responses indicating an inapplicable status (see para [0013], "discarding parameters considered to be irrelevant to a risk of privacy violation" and see para [0025], where the normalized data after discarding can be considered the total score); and
calculating a risk score for the healthcare site based on the deficiency score and the total score (see para [0010], "adding together all of the risk scores to determine a cumulative risk score.").
Although discarding parameters can be considered an inapplicable status, it is not explicit.  In analogous art, Osborn discloses the following limitations:
a subset of the plurality of responses indicating an inapplicable status (see para [0048], "Not applicable ("n/a") responses are thrown out (excluded from all further calculations).")
It would have been obvious to a person of ordinary skill in the art at the time the invention was made to combine the teachings of Osborn with Kulkarni because an inapplicable status indication in a risk assessment keeps resources from being spent ineffectively on the risk control efforts (see Osborn, para [0007]-[0008]).
Moreover, it would have been obvious to one of ordinary skill in the art at the time of the invention to include the application risk and control assessment tool as taught by Osborn in the method for detecting privacy violations as taught by Kulkarni since the claimed invention is merely a combination of old elements, and in the combination each element merely would have performed the same function as it did separately, and one of ordinary skill in the art would have recognized that the results of the combination were predictable.
Kulkarni and Osborn do not specifically disclose using a machine learning model to determine a risk value for each of the plurality of questions.  In analogous art, Biswas discloses the following limitations:
creating an audit that includes a plurality of questions (see para [0041], "In an embodiment, the data classification module 126 can analyze and classify data from one or more PTDSs (e.g., internal and external audit data). In an embodiment, the data classification module 126 analyzes internal and external audit results including individual procedural Non-Conformance (NC) findings that are accumulated over time. For example, the data classification module 125 analyzes a question asked, a corresponding RCMM level, and a corresponding Yes/No/Partial response for one or more of the following: for a unit of the entity being evaluated, for each audit selected to be part of the risk compliance index score calculation, for each control type and company function categorization available. In an embodiment, the questions can be configured or phrased such that a positive response (Yes) means that the risk is reduced (e.g., yes, process X is performed at the entity). In an embodiment, a findings level associated with audit data (herein an “audit level”) can be as follows: Level 0: Ad-hoc; Level 1: Defined; Level 2: Managed; Level 3: Measured; and Level 4: Optimized.");
using a machine learning model to determine a risk value for each of the plurality of questions, the machine learning model being trained using data regarding past audits for noncompliant healthcare sites and healthcare sites that experienced risk events (see para [0015], "The regulatory compliance assessment system monitors the multiple data source systems, extracts the regulatory-related data, and employs machine learning methodologies (e.g., heuristic pattern matching and multi-dimensional neural network processing) to classify the regulatory-related data for use in generating the risk compliance index score. In an embodiment, the regulatory compliance assessment system is configured to execute simulations associated with the risk compliance index score by modifying one or more data points contributing to the risk compliance index score to identify or predict one or more actions that can be taken by the entity to improve the risk compliance index score. The risk compliance score of entities in a specific industry segment (e.g. pharmaceutical industry) can be compared and presented at the industry level risk compliance score." and see para [0028], "the data classification module 126 of the machine learning component 124 is configured to analyze the extracted data elements of the collected regulatory-related data to classify the data based on a control type. Example control types include ... an investigation control type (e.g., internal audits, tracking of non-conformance to process, corrective actions, quality assurance)," and see para [0089], "the historical audit data can be analyzed by the regulatory compliance assessment system 520 to generate a factor for use in determining a risk compliance index score for the entity based on multiple question sets (e.g., sets or questionnaires including 1,000 or more questions), multiple different function types (e.g., 20 or more function types) and multiple different countries (e.g., 30 or more countries) determined and collected in accordance with a collection frequency (e.g., 10,000 or more times per year). In an embodiment, the historical audit data can be stored for many years." and see para [0029], [0062]-[0063], [0068], [0088]);
the plurality of responses corresponding to the plurality of questions (see para [0041], "In an embodiment, the data classification module 126 can analyze and classify data from one or more PTDSs (e.g., internal and external audit data). In an embodiment, the data classification module 126 analyzes internal and external audit results including individual procedural Non-Conformance (NC) findings that are accumulated over time. For example, the data classification module 125 analyzes a question asked, a corresponding RCMM level, and a corresponding Yes/No/Partial response for one or more of the following: for a unit of the entity being evaluated, for each audit selected to be part of the risk compliance index score calculation, for each control type and company function categorization available. In an embodiment, the questions can be configured or phrased such that a positive response (Yes) means that the risk is reduced (e.g., yes, process X is performed at the entity). In an embodiment, a findings level associated with audit data (herein an “audit level”) can be as follows: Level 0: Ad-hoc; Level 1: Defined; Level 2: Managed; Level 3: Measured; and Level 4: Optimized.");
determining a status for each of the plurality of responses (see para [0041]-[0042], where the status of the answer can be positive, negative, yes, no, or partial);
It would have been obvious to a person of ordinary skill in the art at the time the invention was made to combine the teachings of Biswas with Kulkarni and Osborn because using machine learning to determine a risk value for the questions enables more effective auditing by enabling different types of compliance maturity levels for the audits (see Biswas, para [0001]-[0002]).
Moreover, it would have been obvious to one of ordinary skill in the art at the time of the invention to include the business risk prediction system as taught by Biswas in the Kulkarni and Osborn combination since the claimed invention is merely a combination of old elements, and in the combination each element merely would have performed the same function as it did separately, and one of ordinary skill in the art would have recognized that the results of the combination were predictable.

Claims 2 and 17:
Further, Kulkarni discloses the following limitations:
wherein the deficiency score is calculated by applying a first weight to the first quantity and a second weight to the second quantity (see para [0011], "The method can also include weighting the cumulative risk score according to a percentage of matching parameters, and/or weighting the risk score for each parameter based on a different risk of privacy violation for a particular parameter, and/or adding audit log parameters generated by the unknown authorized user to the new set of baseline parameters for the unknown authorized user for a predefined time frame, and/or a learning engine routine including creating and storing a new set of baseline parameters for an unknown authorized user when the audit log is generated by an unknown authorized user.")

Claims 3-7:
Kulkarni does not specifically disclose wherein the first weight is greater than the second weight.  In analogous art, Osborn discloses the following limitations:
wherein the first weight is greater than the second weight (see para [0066]-[0067], showing flexibility where the weights can be modified depending on how important each is, which shows that doubling, or the second weight being greater than the first, are possible weightings)
wherein the first weight is at least two times larger than the second weight (see para [0066]-[0067], showing flexibility where the weights can be modified depending on how important each is, which shows that doubling, or the second weight being greater than the first, are possible weightings)
wherein the total score is calculated by subtracting the fourth quantity from the third quantity (see para [0069], where throwing out can be considered subtracting, and where a total weighting of 100% would show the total score)
wherein the risk score is calculated by dividing the deficiency score by the total score (see para [0069]-[0073], showing that the use of division and ratios on the responses is well known for determining metrics)
wherein the risk score is calculated by subtracting an adjustment value from each of the deficiency score and the total score prior to dividing (see para [0069]-[0073], showing that the use of division and ratios on the responses is well known for determining metrics, and see para [0066], showing a gap is used between risk and control score)
It would have been obvious to one of ordinary skill in the art at the time of the invention to include the application risk and control assessment tool as taught by Osborn in the method for detecting privacy violations as taught by Kulkarni since the claimed invention is merely a combination of old elements, and in the combination each element merely would have performed the same function as it did separately, and one of ordinary skill in the art would have recognized that the results of the combination were predictable.

Claim 8: 
Further, Kulkarni discloses the following limitations:
wherein the adjustment value is determined based on the total score and a configurable value (see para [0028], "The patterns to be considered for creating a baseline may consist of previously configured criteria such as last logon time, location used from, normal patients viewed, systems the authorized user normally accesses, typical times of day authorized user uses a system, time spend on a system, patient records typically viewed, department authorized user works in, etc. many more such parameters may be added to the pattern list to suit the reporting needs of the facility.")

Claims 9 and 18:
Further, Kulkarni discloses the following limitations:
wherein at least one of the third quantity is calculated by summing risk values associated with the plurality of responses, and the fourth quantity is calculated by summing risk values associated with the subset of the plurality of responses indicating the inapplicable status (see para [0032], "Parameter matches are scored and these risk scores are added together").
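As a worked illustration of the scoring recited in claims 1-9 (deficiency score from weighted first and second quantities, total score as third quantity minus fourth quantity, adjustment value, and risk score by division), the following example is added here; it is not code from the application, the examiner, or any cited reference. The response statuses, risk values and the rule that the adjustment value is a configurable fraction of the total score are assumptions; in the claims the risk values come from a trained model, which is not reproduced.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Iterable, Optional


class Status(Enum):
    """Status determined for each audit response (claim language)."""
    COMPLIANT = "compliant"
    DEFICIENT = "deficient"
    IMPROVEMENT_REQUIRED = "improvement required"
    INAPPLICABLE = "inapplicable"


@dataclass(frozen=True)
class Response:
    question: str
    status: Status
    risk_value: float  # assumed given; the claims derive it from a trained model


@dataclass(frozen=True)
class SiteScores:
    deficiency_score: float
    total_score: float
    risk_score: float


def _sum_risk(responses: Iterable[Response], status: Optional[Status] = None) -> float:
    """Sum the risk values of all responses, or only those with the given status."""
    return sum(r.risk_value for r in responses if status is None or r.status == status)


def score_site(responses: Iterable[Response], first_weight: float = 1.0,
               second_weight: float = 0.5, adjustment_fraction: float = 0.0) -> SiteScores:
    """Compute deficiency, total and risk scores for one site as claimed."""
    responses = list(responses)
    # Claim 4: the first weight is at least two times the second weight.
    if first_weight < 2 * second_weight:
        raise ValueError("first weight must be at least twice the second weight")
    # First and second quantities: summed risk values of the deficient and
    # improvement-required subsets; claim 2 applies a weight to each.
    first = _sum_risk(responses, Status.DEFICIENT)
    second = _sum_risk(responses, Status.IMPROVEMENT_REQUIRED)
    deficiency = first_weight * first + second_weight * second
    # Claim 9: third quantity over all responses, fourth over the inapplicable
    # subset; claim 5: total score = third - fourth.
    third = _sum_risk(responses)
    fourth = _sum_risk(responses, Status.INAPPLICABLE)
    total = third - fourth
    # Claim 8: adjustment from the total score and a configurable value
    # (assumed here to be a fraction of the total score).
    adjustment = adjustment_fraction * total
    denominator = total - adjustment
    # Edge case: every response inapplicable (or zero risk) leaves nothing to divide by.
    if denominator <= 0:
        raise ValueError("no applicable responses with positive risk; risk score undefined")
    # Claims 6-7: subtract the adjustment from both scores, then divide.
    risk = (deficiency - adjustment) / denominator
    return SiteScores(deficiency, total, risk)


# Constructed sample audit for one site (not from the application).
SAMPLE_RESPONSES = [
    Response("Access logs reviewed monthly", Status.DEFICIENT, 3.0),
    Response("PHI encrypted at rest", Status.DEFICIENT, 2.0),
    Response("Workforce privacy training current", Status.IMPROVEMENT_REQUIRED, 2.0),
    Response("Business associate agreements on file", Status.COMPLIANT, 1.0),
    Response("Telehealth platform vetted", Status.INAPPLICABLE, 4.0),
    Response("Incident response plan tested", Status.COMPLIANT, 3.0),
]


def demo() -> SiteScores:
    """Score the sample site with a 10% adjustment: deficiency 6.0, total 11.0."""
    return score_site(SAMPLE_RESPONSES, adjustment_fraction=0.1)


if __name__ == "__main__":
    print(demo())
```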

Claims 10 and 19:
Kulkarni does not specifically disclose combining the risk score with a plurality of additional risk scores associated with additional healthcare sites to generate an aggregate risk score.  In analogous art, Osborn discloses the following limitations:
combining the risk score with a plurality of additional risk scores associated with additional healthcare sites to generate an aggregate risk score (see para [0078]-[0079], showing aggregating of individual assessments)
It would have been obvious to one of ordinary skill in the art at the time of the invention to include the application risk and control assessment tool as taught by Osborn in the method for detecting privacy violations as taught by Kulkarni since the claimed invention is merely a combination of old elements, and in the combination each element merely would have performed the same function as it did separately, and one of ordinary skill in the art would have recognized that the results of the combination were predictable.

Claim 13:
Further, Kulkarni discloses the following limitations:
combining the first risk score and the second risk score to generate an overall risk score for the healthcare site (see para [0010], "adding together all of the risk scores to determine a cumulative risk score.")


Claims 11-15, 20 are rejected under 35 U.S.C. 103 as being unpatentable over Kulkarni, Osborn and Biswas, as applied above, and further in view of Brannon et al. (US 2022/0035896 A1) (hereinafter Brannon).

Claims 11-15, 20:
Kulkarni, Osborn and Biswas do not specifically disclose combining the risk score with at least one previous risk score associated with the healthcare site to generate a risk trend measurement for the healthcare site.  In analogous art, Brannon discloses the following limitations:
combining the risk score with at least one previous risk score associated with the healthcare site to generate a risk trend measurement for the healthcare site (see para [0280], "the system is adapted for automatically measuring the privacy of a business group, or other group, within a particular organization that is using the system. This may provide an automated way of measuring the privacy maturity, and one or more trends of change in privacy maturity of the organization, or a selected sub-group of the organization." And see para [0557], showing healthcare as a business sector that can be integrated)
wherein (a) includes receiving a first plurality of responses associated with a regional audit of the healthcare site (see para [0569], "In various embodiments, the system may be configured to generate a master questionnaire at any appropriate time. For example, in a particular embodiment, the system may prompt a user to indicate one or more territories (e.g., regions, jurisdictions, and/or countries) and/or sectors in which an entity is doing business and, at least partially in response to receiving the user's input, generate a threshold list of questions that the system may then use to determine which territories require disclosure of a particular data breach. In another particular embodiment, the system may prompt a user to indicate one or more territories (e.g., regions, jurisdictions, and/or countries) and/or sectors affected (e.g., potentially affected) by a particular data breach and, at least partially in response to receiving the user's input, generate a threshold list of questions that the system may then use to determine which territories affected by the data breach require disclosure of the data breach." and see para [0560]) and a second plurality of responses associated with an on-site audit (see para [130], "As shown in FIG. 3, a variety of different parties may access the data, and the data may be stored in any of a variety of different locations, including on-site, or in “the cloud”, i.e., on remote servers that are accessed via the Internet or other suitable network." and see para [0596], "each particular question may be answered with: (1) unsubstantiated data provided by the entity or vendor; (2) data that is substantiated via a remote interview; or (3) data that is substantiated by an on-site audit."), and wherein (b)-(d) are performed twice to calculate a first risk score based on the first plurality of responses and a second risk score based on the second plurality of responses (see para [0264], "Each customer can weight each question within an assessment as desired and set up addition/multiplication logic to determine an aggregated risk score that takes into account the customized weightings given to each question within the assessment." and see para [0415], "the system may be configured to determine an overall risk rating for a particular vendor based on the privacy awareness rating in combination with one or more additional factors (e.g., one or more additional risk factors described herein). In any such embodiment, the system may assign one or more weighting factors or relative risk ratings to each of the privacy awareness score and other risk factors when calculating an overall risk rating. The system may then be configured to provide the risk score for the vendor, software, and/or service for use in calculating a risk of undertaking a particular processing activity that utilizes the vendor, software, and/or service (e.g., in any suitable manner described herein).")
wherein the deficient status includes any response indicating that a condition corresponding to the response does not comply with requirements for the condition (see para [0466], "the system may then be configured to calculate an updated vendor risk score based, at least in part, on one or more pieces of the updated information. In any embodiment described herein, the system may be configured to determine whether the one or more pieces of updated information are sufficient to demonstrate continued compliance, by the vendor, with one or more obligations under one or more privacy laws, standards and/or regulations, one or more obligations under one or more vendor contracts, etc.")
wherein the improvement required status includes any response indicating that a condition corresponding to the response currently complies with requirements for the condition, but required correction before achieving compliance (see para [0219]-[0228], showing gap analysis and recommended steps are part of the analysis based on the initial assessment and see para [0093], showing assessment is a risk rating)
It would have been obvious to a person of ordinary skill in the art at the time the invention was made to combine the teachings of Brannon with Kulkarni, Osborn and Biswas because determining a trend enables users to work with vendors more likely to handle their data properly (see Brannon, para [0003]-[0005]).
Moreover, it would have been obvious to one of ordinary skill in the art at the time of the invention to include the system for assessing vendor risk as taught by Brannon in the Kulkarni, Osborn and Biswas combination since the claimed invention is merely a combination of old elements, and in the combination each element merely would have performed the same function as it did separately, and one of ordinary skill in the art would have recognized that the results of the combination were predictable.


Conclusion

The prior art made of record and not relied upon is considered pertinent to applicant's disclosure:

US 20190050780 A1
US 20200253820 A1
US 20140257047 A1

THIS ACTION IS MADE FINAL.  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to SUJAY KONERU whose telephone number is 571-270-3409. The examiner can normally be reached on Monday-Friday, 9 am to 5 pm.  
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Patricia Munson, can be reached on 571-270-5396.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.


/SUJAY KONERU/
Primary Examiner, Art Unit 3624