Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

DETAILED ACTION
Status of the Application
The following is a non-Final Office Action. 
In response to Examiner’s communication on 5/20/2022, Applicant filed a Request for Continued Examination on 11/20/2022, amending Claims 1 and 18.

Claims 1-18 are currently pending. Per Applicant’s election of Species II, Claims 1, 9-16 and 18 have been examined in this application. Claims 2-8 and 17, of non-elected Species I, are withdrawn from consideration.


Continued Examination Under 37 CFR 1.114
A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection.  Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114.  Applicant's submission filed on 11/20/2022 has been entered. 

Response to Amendment
Applicant's amendments to claims 1, 18 are not sufficient to overcome the 35 USC 101 rejections set forth in the previous action. 

Applicant's amendments to Claims 1, 18 are not sufficient to overcome the prior art rejections set forth in the previous action. 

Response to Arguments - 35 USC § 101
Applicant’s arguments with respect to the rejections have been fully considered, but they are not persuasive. 

Applicant submits, “...The independent claims, as amended and as a whole, recite additional limitations integrating the recited judicial exception into a practical application. As amended, independent claims 1 and 18 recite the limitation of applying the recommendations to the organization's practices and policies to improve the organization's risk score before an employee, contractor or vendor is retained. This limitation invokes the "other meaningful limitation." An organization is able to use the information obtained from the recited judicial exception to take corrective action based on real-time information before and after an employee, contractor or vendor is retained. (Applicant's Specification, 0043.) This is an advantage over current and known systems and methods, which rely on their insurance policy and human resources at the time of hire to address risks presented by employees, contractors or vendors. (Id.) Accordingly, an organization is able to predict, prevent, and monitor its risks at a point prior to actually hiring an employee, contractor or vendor and take corrective action thereon based on real-time information. This limitation is a practical application of the recited exception and eligible under 35 U.S.C. § 101. Applicant respectfully requests withdrawal of this rejection in light of the claim amendments...” Examiner respectfully disagrees.

Analyzing under Step 2A, Prong 1:
The limitations regarding, ...requesting practices and policies information from an organization as part of a self-audit process; providing the requested practices and policies information and proof of an organization's practices and policies in support of the self-audit process; determining a source of information specific to occupational behaviors; obtaining from one or more of the determined sources, using an ..., a plurality of predetermined factors associated with an organization and at least one employee of that organization; storing in a ... the plurality of predetermined factors and the practices and policies information and proof of an organization's practices and policies; generating recommendations and a risk score based on the plurality of predetermined factors and associated with the at least one employee and the organization's practices and policies information and proof of an organization's practices and policies; and applying the recommendations to the organization's practices and policies to improve the organization's risk score before an employee, contractor or vendor is retained; providing, by the employee, additional sources of information for improvement of the employee's risk score; continuously updating the predetermined factors obtained from one or more of the determined sources; producing updated prediction models for recommendations; generating recommendations to the employee for improving the risk score and reinforcing compliance; and permission-based sharing of the employee's risk score through..., under the broadest reasonable interpretation, can include a human using their mind and pen and paper to, ...requesting practices and policies information from an organization as part of a self-audit process; providing the requested practices and policies information and proof of an organization's practices and policies in support of the self-audit process; determining a source of information specific to occupational behaviors; obtaining from one or more of the determined sources, using an ..., a plurality of predetermined factors associated with an organization and at least one employee of that organization; storing in a ... the plurality of predetermined factors and the practices and policies information and proof of an organization's practices and policies; generating recommendations and a risk score based on the plurality of predetermined factors and associated with the at least one employee and the organization's practices and policies information and proof of an organization's practices and policies; and applying the recommendations to the organization's practices and policies to improve the organization's risk score before an employee, contractor or vendor is retained; providing, by the employee, additional sources of information for improvement of the employee's risk score; continuously updating the predetermined factors obtained from one or more of the determined sources; producing updated prediction models for recommendations; generating recommendations to the employee for improving the risk score and reinforcing compliance; and permission-based sharing of the employee's risk score through...; therefore, the claims are directed to a mental process.

Further, ...requesting practices and policies information from an organization as part of a self-audit process; providing the requested practices and policies information and proof of an organization's practices and policies in support of the self-audit process; determining a source of information specific to occupational behaviors; obtaining from one or more of the determined sources, using an ..., a plurality of predetermined factors associated with an organization and at least one employee of that organization; storing in a ... the plurality of predetermined factors and the practices and policies information and proof of an organization's practices and policies; generating recommendations and a risk score based on the plurality of predetermined factors and associated with the at least one employee and the organization's practices and policies information and proof of an organization's practices and policies; and applying the recommendations to the organization's practices and policies to improve the organization's risk score before an employee, contractor or vendor is retained; providing, by the employee, additional sources of information for improvement of the employee's risk score; continuously updating the predetermined factors obtained from one or more of the determined sources; producing updated prediction models for recommendations; generating recommendations to the employee for improving the risk score and reinforcing compliance; and permission-based sharing of the employee's risk score through..., under the broadest reasonable interpretation, is managing human employee behavior in an organization, therefore it is managing personal behavior or relationships or interactions between people. Furthermore, risk mitigation and contracting are fundamental economic practices. Thus, the claims are directed to certain methods of organizing human activity.

Accordingly, the claims are directed to a mental process and certain methods of organizing human activities, and thus, the claims are directed to an abstract idea under the first prong of Step 2A.

Analyzing under Step 2A, Prong 2:
This judicial exception is not integrated into a practical application under the second prong of Step 2A. 
In particular, the claims recite the additional elements beyond the recited abstract idea identified under Step 2A, Prong 1, such as:

Claim 1, 18: Application Programming Interface, database
Claim 18: encryption or smart contracts
Claim 13: encryption or smart contracts
Claim 14: encryption is blockchain.
Claim 16: smart devices

Pursuant to the broadest reasonable interpretation, as an ordered combination, each of the additional elements is a computing element recited at a high level of generality implementing the abstract idea, and thus amounts to no more than applying the abstract idea with generic computer components. Further, these additional elements generally link the abstract idea to a technical environment, namely the environment of a computer.

Additionally, with respect to the elements, requesting practices and policies..., providing the requested practices and policies..., determining a source..., obtaining from one or more of the determined sources..., providing, by the employee, additional sources..., producing updated prediction models..., generating recommendations and a risk score..., these elements do not add meaningful limitations to integrate the abstract idea into a practical application because they are extra-solution activity, pre and post solution activity - i.e. data gathering – requesting practices and policies..., determining a source..., obtaining from one or more of the determined sources..., providing, by the employee, additional sources..., data output – producing updated prediction models..., generating recommendations and a risk score..., providing the requested practices and policies

Response to Arguments – Prior Art
Applicant’s arguments with respect to the rejections have been fully considered, but they are not persuasive. However, Applicant’s arguments are moot in light of new grounds of rejection necessitated by Applicant’s amendments. 

Claim Rejections – 35 USC § 101
35 U.S.C. 101 reads as follows:
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.



Claims 1, 9-16, 18 are rejected under 35 U.S.C. 101 because the claimed invention is directed to an abstract idea without significantly more. 

Claim 1 recites,
“A method to monitor, alert and predict precursory behavior, comprising the steps of: 
requesting practices and policies information from an organization as part of a self-audit process; 
providing the requested practices and policies information and proof of an organization's practices and policies in support of the self-audit process; 
determining a source of information specific to occupational behaviors; 
obtaining from one or more of the determined sources, using an ..., a plurality of predetermined factors associated with an organization and at least one employee of that organization; 
storing in a ... the plurality of predetermined factors and the practices and policies information and proof of an organization's practices and policies; and 
generating recommendations and a risk score based on the plurality of predetermined factors and associated with the at least one employee and separately for the organization based on its employee's occupational behaviors and the organization's practices and policies information and proof of an organization's practices and policies; and 
applying the recommendations to the organization's practices and policies to improve the organization's risk score before an employee, contractor or vendor is retained.”  

Claim 18 recites,
“A method to monitor, alert and predict precursory behavior, comprising the steps of: 
requesting practices and policies information from an organization as part of a self-audit process; 
providing the requested practices and policies information and proof of an organization's practices and policies in support of the self-audit process; 
determining a source of information specific to occupational behaviors; 
obtaining from one or more of the determined sources, using an ..., a plurality of predetermined factors associated with an organization and at least one employee of that organization; 
storing in a ... the plurality of predetermined factors and the practices and policies information and proof of an organization's practices and policies; 
generating recommendations and a risk score based on the plurality of predetermined factors and associated with the at least one employee and the organization's practices and policies information and proof of an organization's practices and policies; and 
applying the recommendations to the organization's practices and policies to improve the organization's risk score before an employee, contractor or vendor is retained; 
providing, by the employee, additional sources of information for improvement of the employee's risk score; 
continuously updating the predetermined factors obtained from one or more of the determined sources; 
producing updated prediction models for recommendations; 
generating recommendations to the employee for improving the risk score and reinforcing compliance; and 
permission-based sharing of the employee's risk score through....”


Analyzing under Step 2A, Prong 1:
The limitations regarding, ...requesting practices and policies information from an organization as part of a self-audit process; providing the requested practices and policies information and proof of an organization's practices and policies in support of the self-audit process; determining a source of information specific to occupational behaviors; obtaining from one or more of the determined sources, using an ..., a plurality of predetermined factors associated with an organization and at least one employee of that organization; storing in a ... the plurality of predetermined factors and the practices and policies information and proof of an organization's practices and policies; generating recommendations and a risk score based on the plurality of predetermined factors and associated with the at least one employee and the organization's practices and policies information and proof of an organization's practices and policies; and applying the recommendations to the organization's practices and policies to improve the organization's risk score before an employee, contractor or vendor is retained; providing, by the employee, additional sources of information for improvement of the employee's risk score; continuously updating the predetermined factors obtained from one or more of the determined sources; producing updated prediction models for recommendations; generating recommendations to the employee for improving the risk score and reinforcing compliance; and permission-based sharing of the employee's risk score through..., under the broadest reasonable interpretation, can include a human using their mind and pen and paper to, ...requesting practices and policies information from an organization as part of a self-audit process; providing the requested practices and policies information and proof of an organization's practices and policies in support of the self-audit process; determining a source of information specific to occupational behaviors; obtaining from one or more of the determined sources, using an ..., a plurality of predetermined factors associated with an organization and at least one employee of that organization; storing in a ... the plurality of predetermined factors and the practices and policies information and proof of an organization's practices and policies; generating recommendations and a risk score based on the plurality of predetermined factors and associated with the at least one employee and the organization's practices and policies information and proof of an organization's practices and policies; and applying the recommendations to the organization's practices and policies to improve the organization's risk score before an employee, contractor or vendor is retained; providing, by the employee, additional sources of information for improvement of the employee's risk score; continuously updating the predetermined factors obtained from one or more of the determined sources; producing updated prediction models for recommendations; generating recommendations to the employee for improving the risk score and reinforcing compliance; and permission-based sharing of the employee's risk score through...; therefore, the claims are directed to a mental process.

Further, ...requesting practices and policies information from an organization as part of a self-audit process; providing the requested practices and policies information and proof of an organization's practices and policies in support of the self-audit process; determining a source of information specific to occupational behaviors; obtaining from one or more of the determined sources, using an ..., a plurality of predetermined factors associated with an organization and at least one employee of that organization; storing in a ... the plurality of predetermined factors and the practices and policies information and proof of an organization's practices and policies; generating recommendations and a risk score based on the plurality of predetermined factors and associated with the at least one employee and the organization's practices and policies information and proof of an organization's practices and policies; and applying the recommendations to the organization's practices and policies to improve the organization's risk score before an employee, contractor or vendor is retained; providing, by the employee, additional sources of information for improvement of the employee's risk score; continuously updating the predetermined factors obtained from one or more of the determined sources; producing updated prediction models for recommendations; generating recommendations to the employee for improving the risk score and reinforcing compliance; and permission-based sharing of the employee's risk score through..., under the broadest reasonable interpretation, is managing human employee behavior in an organization, therefore it is managing personal behavior or relationships or interactions between people. Furthermore, risk mitigation and contracting are fundamental economic practices. Thus, the claims are directed to certain methods of organizing human activity.

Accordingly, the claims are directed to a mental process and certain methods of organizing human activities, and thus, the claims are directed to an abstract idea under the first prong of Step 2A.

Analyzing under Step 2A, Prong 2:
This judicial exception is not integrated into a practical application under the second prong of Step 2A. 
In particular, the claims recite the additional elements beyond the recited abstract idea identified under Step 2A, Prong 1, such as:

Claim 1, 18: Application Programming Interface, database
Claim 18: encryption or smart contracts
Claim 13: encryption or smart contracts
Claim 14: encryption is blockchain.
Claim 16: smart devices

Pursuant to the broadest reasonable interpretation, as an ordered combination, each of the additional elements is a computing element recited at a high level of generality implementing the abstract idea, and thus amounts to no more than applying the abstract idea with generic computer components. Further, these additional elements generally link the abstract idea to a technical environment, namely the environment of a computer.

Additionally, with respect to the elements, requesting practices and policies..., providing the requested practices and policies..., determining a source..., obtaining from one or more of the determined sources..., providing, by the employee, additional sources..., producing updated prediction models..., generating recommendations and a risk score..., these elements do not add meaningful limitations to integrate the abstract idea into a practical application because they are extra-solution activity, pre and post solution activity - i.e. data gathering – requesting practices and policies..., determining a source..., obtaining from one or more of the determined sources..., providing, by the employee, additional sources..., data output – producing updated prediction models..., generating recommendations and a risk score..., providing the requested practices and policies

Analyzing under Step 2B:
The claim does not include additional elements that are sufficient to amount to significantly more than the judicial exception under Step 2B. 
As noted above, the aforementioned additional elements beyond the recited abstract idea are not sufficient to amount to significantly more than the recited abstract idea because, as an ordered combination, the additional elements are no more than mere instructions to implement the idea using generic computer components (i.e. apply it).
Additionally, as an ordered combination, the additional elements append the recited abstract idea to well-understood, routine, and conventional activities in the field as individually evinced by the applicant’s own disclosure, as required by the Berkheimer Memo, in at least:
[0023] Fig. 5 depicts a non-limiting example of the system's blockchain driven risk modeling
[0046] This risk profile snapshot, to include tailored filters and reports of worker risk assessments, can be used to assist the organization with strategic decision making, risk mitigation and prevention and potentially reduced premiums through the sharing of the organization's risk profile with the broker, insurer or via smart contracts to Canopy, the insurance industry's blockchain, using smart contracts
[0050] Worker IQ serves as the SaaS based dashboard for the employer. Through the user secured dashboard, the employer logs on, selects additional products and adds credit card details and uploads workers to be assessed either through bulk upload or manually. If the credit card is valid and background monitoring with Metric Score Factors or solely Metric Score is selected, the employer can opt to connect to their existing HRMS, Payroll or Risk Management, which will in turn extract pertinent details as they relate to subject occupational factors or the employer can manually enter the information.
[0085] The employer can be ported into smart contract or encryption for security purposes with permission-based file transfer to insurers, agents and/or business associates and connected to Canopy, the insurance industry's blockchain, to show real-time changes in risk condition, for favorable premium and financial outcomes.
[0093] The software's artificial intelligence and machine learning makes recommendations on strategic loss control actions that can be taken to reduce prevent and control employer liability risk. Employer Risk profile is portable to the insurer via blockchain or other encrypted methods to provide accurate rating and assessment and employee, contractor and worker risk profile is portable using encrypted file transfer or smart contracts to their next employer via blockchain or encrypted methods to gain a vested interest in maintaining favorable conduct and reduce hiring times. 
[0099] Relational database stores, metric score, history of checks, compliance training and educational certificates which can be ported to the next employer via encrypted file or blockchain per permission by employee, contractor or vendor
[00112] Encrypted method or blockchain may be used to port risk profile to agent, insurer or legal counsel. 
[00114] The employer can assess their risk, implement changes and stop here. Or, if the employer wishes to do so, they can share their risk profile through encrypted method and/or blockchain. 
[00134] The employer can opt to share their risk profile with their insurer or broker for a reduction in premium and may wish to connect via the system to Canopy, the insurance industry's blockchain initiative and marketplace, to provide the opportunity for optimal pricing through connected insurers.
[00135] The system is to be used to reduce worker crime and employer liability and later to be utilized for other lines of insurance and other industries, wherein worker units are substituted with other variables (i.e., equipment with sensors or smart devices for health)
[00136] Those of skill in the art will appreciate that the various illustrative logical blocks, module, units, and steps described in connection with the embodiments disclosed herein can often be implemented as electronic hardware, computer software, or combinations of both. To clearly illustrate this interchangeability of hardware and software, various illustrative components, blocks, modules, and steps have been described above generally in terms of their functionality. Whether such functionality is implemented as hardware or software depends on the particular constraints imposed on the overall system. Skilled persons can implement the described functionality in varying ways for each particular system, but such implementation decisions should not be interpreted as causing a departure from the scope of the invention. In addition, the grouping of functions within a unit, module, block, or step is for ease of description. Specific functions or steps can be moved from one unit, module, block, or step without departing from the invention. 
[00137] The above description of the disclosed embodiments, and that provided in the accompanying documents, is provided to enable any person skilled in the art to make or use the invention. Various modifications to these embodiments will be readily apparent to those skilled in the art, and the generic principles described herein, and in the accompanying documents, can be applied to other embodiments without departing from the spirit or scope of the invention. Thus, it is to be understood that the description and drawing presented herein, and presented in the accompanying documents, represent particular aspects and embodiments of the invention and are therefore representative examples of the subject matter that is broadly contemplated by the present invention. It is further understood that the scope of the present invention fully encompasses other embodiments that are, or may become, obvious to those skilled in the art and that the scope of the present invention is accordingly not limited by the descriptions presented herein, or by the descriptions presented in the accompanying documents. 

Furthermore, as an ordered combination, these elements amount to generic computer components receiving or transmitting data over a network, performing repetitive calculations, electronic record keeping, and storing and retrieving information in memory, which, as held by the courts, are well-understood, routine, and conventional. See MPEP 2106.05(d).

Moreover, the remaining elements of dependent claims do not transform the recited abstract idea into a patent eligible invention because these remaining elements merely recite further abstract limitations that provide nothing more than simply a narrowing of the abstract idea recited in the independent claims. 

Looking at these limitations as an ordered combination adds nothing additional that is sufficient to amount to significantly more than the recited abstract idea because they simply provide instructions to use a generic arrangement of generic computer components to “apply” the recited abstract idea, perform insignificant extra-solution activity, and generally link the abstract idea to a technical environment. Thus, the elements of the claims, considered both individually and as an ordered combination, are not sufficient to ensure that the claim as a whole amounts to significantly more than the abstract idea itself. Since there are no limitations in these claims that transform the exception into a patent eligible application such that these claims amount to significantly more than the exception itself, claims 1, 9-16, 18 are rejected under 35 U.S.C. 101 as being directed to non-statutory subject matter.

Claim Rejections - 35 USC § 102

In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –

(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale or otherwise available to the public before the effective filing date of the claimed invention.

(a)(2) the claimed invention was described in a patent issued under section 151, or in an application for patent published or deemed published under section 122(b), in which the patent or application, as the case may be, names another inventor and was effectively filed before the effective filing date of the claimed invention.

Claims 1, 9, 10, 15 and 18 are rejected under 35 U.S.C. 102 as being unpatentable by US Patent Publication US20170053076A1 to Lulla et al. (hereinafter referred to as “Lulla”).
As per Claim 1, Lulla teaches: (Currently amended) A method to monitor, alert and predict precursory behavior, comprising the steps of: 
requesting practices and policies information from an organization as part of a self-audit process; (in at least [0274] FIG. 16 is an example screen 1600 showing a menu 1610 at left of options and operations that a user can select. In this example the user can select Business Associate Agreements 1620.)
providing the requested practices and policies information and proof of an organization's practices and policies in support of the self-audit process; (in at least [0275] FIG. 17 shows a Business Associates Agreement screen 1700. Displayed is a Key Activity. Two progress bars are shown depicting progress in complying with relevant operations 1711, 1712. Each operation can be associated with a timeframe 1750, 1760, and progress charted thereby. Here operation 1711 can be associated with the colors green 1720, 1730 yellow 1721, 1731 and red 1722, 1732 to indicate percent completion. Colors can be assigned as desired.)
determining a source of information specific to occupational behaviors; (in at least [0276] in FIG. 18, selecting the Key Activity 1810 at the top of the screen (or in another suitable location) displays specific tasks 1820, 1821, 1822, 1823, 1824 associated with that Activity so each individual tasks can be completed.)
obtaining from one or more of the determined sources, using an Application Programming Interface, a plurality of predetermined factors associated with an organization and at least one employee of that organization; (in at least [0098] FIG. 7 is an example of functionalities and architectures that can deploy agent risk analysis and assessment of PHI. A web services mechanism 710 can be used. An entity/user 720, such as covered entities, can be in operative communication with application logic 730, itself in operative communication with an application performance management functionality 740 such as AppDynamics and other Application Performance Systems (APMs). A “wall” 750 can be interposed and there be an API gateway 760 and a load balancer 770. In communication therewith can be several devices 781, 782, 783, 784 such as but not limited to servers that can use address functionality such as Elastic IP 785 and be in communication with a bucket 786 functionality, itself in communication with a database 790. [0114] FIG. 13 shows an example database structure. A table in the database contains the 11 areas (SolutionAreas) 1310 and an associated primary key 1311 (SolutionAreaID) for each. This primary key exists as a secondary key in a table containing the 168 audit measures 1312 or other measures (ProtocolMeasures). This enables the grouping of each measure into specific areas.)
storing in a database the plurality of predetermined factors and the practices and policies information and proof of an organization's practices and policies; (in at least [0087] HIPAA compliance server 130 can carry out multiple actions, functionalities and processes, can be operatively associated with database 150, as by a network 120. HIPAA compliance server 130 can comprise a processor(s) 131, memory(ies) 132 including RAM and ROM, database 133, and software modules 134. Additional server(s) 140, 160 can be in operative communication with elements associated with the computing environment 100. Database 150, which can comprise multiple databases, can comprise extensive PHI associated with many individuals and entities, storing or having access to individual profiles, entity profiles, and any relevant information related to health processes and management.)
generating recommendations and a risk score based on the plurality of predetermined factors and associated with the at least one employee and separately for the organization based on its employee's occupational behaviors and the organization's practices and policies information and proof of an organization's practices and policies; and (in at least [0108] Each individual activity associated with the 168 measures (rules) can be assessed upon entry into methods, systems and platforms herein. This assessment can be displayed as a summary report showing the overall HIPAA score based on each of the 12 areas. This report can further break down the individual scores for each of the 12 areas so that Senior Management will know immediately the areas requiring further resources. [0143] The scoring can provide not only an overall score but each solution area can be scored based on each individual measure, task and action step. At any point in time, appropriate employees of the client can be able to identify exactly where the gaps are in meeting compliance and identify the tasks and action steps that need to improve compliance as well as the individuals accountable for each action step. [0174] Train appropriate employees on new policies/procedures [0331] Since the scoring and gap analyses for each organization can reside on a HIPAA Compliant Secure Cloud server there can be the ability to aggregate data across all organizations. There can be a categorization of each organization based on their structure and line of business to create like organizations. For each organization, a benchmark score sheet can be developed to provide a comparison of their posture score and the gap areas to like organizations. This can provide standardization across the healthcare environment and allow Senior Management to better determine comfort with their approach to HIPAA. [0372] The same solution can apply to multiple nodes in chains, other subsets, and in other ways. 
Multiplier factors can be assigned based on role, group, entity, permissions level and other parameters. An added parameter of concern could be ability of an individual, group, entity or other parameter to modify data such as PHI data; the same can be understood as a node associated with an individual, group, etc.)
applying the recommendations to the organization's practices and policies to improve the organization's risk score before an employee, contractor or vendor is retained. (in at least [0174] Train appropriate employees on new policies/procedures [0372] If this node is particularly vulnerable—e.g., employee associated with node departed more than one week prior—then a multiplier can be accorded the percentage. Thus, a risk factor of 1.5 can be assigned such that the equation reflects 1.8×0.7 =1.26. An added threshold can be assessed based on such a risk factor multiplier. In other words, if the risk factor threshold is predetermined at 1.1, then because 1.26 exceeds 1.1 then special protection/risk can be associated with this node. The same solution can apply to multiple nodes in chains, other subsets, and in other ways. Multiplier factors can be assigned based on role, group, entity, permissions level and other parameters. An added parameter of concern could be ability of an individual, group, entity or other parameter to modify data such as PHI data; the same can be understood as a node associated with an individual, group, etc. Tree designs can be factored in. For example, the sequence of nodes can be significant. Turning to FIG. 3 again, if one of the core functionalities 310 is considered to be in a risky network topology with respect to an added functionality or functionalities in level 312, 314, then this could be assigned a certain value. If a hospital is in direct connection with another functionality and this is considered undesirable this can be another “red flag” accorded a different value. [0374] If undesirable levels of risk are found, a workflow can be altered. A node can be bypassed. A node can be “shut down”. Added security measures can be applied. Intrusion tracking can be enhanced. Monitoring and tracking can be strengthened. Other measures can be taken to address, manage and/or lower risk.)


As per Claim 9, Lulla teaches:  (Original) The method according to claim 1, 
wherein the source of information available to the employee is the predetermined factors relied upon to develop the employee's risk score including background check information and occupational information from the organization for the employee. (in at least [0114] FIG. 13 shows an example database structure. A table in the database contains the 11 areas (SolutionAreas) 1310 and an associated primary key 1311 (SolutionAreaID) for each. This primary key exists as a secondary key in a table containing the 168 audit measures 1312 or other measures (ProtocolMeasures). This enables the grouping of each measure into specific areas. [0143] establishment of a scoring (HIPAA Posture Score) can in real-time, or near real-time, quickly communicate how well a client is doing relative to compliance. The scoring can provide not only an overall score but each solution area can be scored based on each individual measure, task and action step. At any point in time, appropriate employees of the client can be able to identify exactly where the gaps are in meeting compliance and identify the tasks and action steps that need to improve compliance as well as the individuals accountable for each action step.)


As per Claim 10, Lulla teaches:  (Original) The method according to claim 9, further comprising 
providing, by the employee, additional sources of information for improvement of the employee's risk score.  (in at least [0087] Database 150, which can comprise multiple databases, can comprise extensive PHI associated with many individuals and entities, storing or having access to individual profiles, entity profiles, and any relevant information related to health processes and management [0359] Individual nodes can be identified by function associated therewith (e.g., security), role associated therewith (e.g., COO), IP address, or other parameters. If a user has improper credentials associated with a given IP address, this could represent an undesirable level of risk. For example, if an employee whose role involves processing PHI at rest, motion or use leaves the entity, there may be a relatively low risk the next day. However, if the same node is accorded the same level of security 30 days after the employee leaves as one day after the employee leaves, it can represent an undesirable risk. The vulnerability is greater for the one than the other. [0377] FIG. 38 is an example network topology. Shown are a node 3810 associated with 5 tiers and 6 nodes in communication with node 3812 which is associated with one node. Further, there is Amazon fulfilment queue 3814, node 3816 representing a network and db 3818.)


As per Claim 15, Lulla teaches:  (Original) The method of claim 1, 
wherein obtaining a plurality of predetermined factors is from manual input or existing determined sources for ongoing and real time changes in the requisite predetermined factors to populate those applicable to the risk score. (in at least [0258] Date field in methods, systems and platforms herein can be populated from document attributes or manually if attributes are not available.)   


As per Claim 18, Lulla teaches:  (Currently amended) A method to monitor, alert and predict precursory behavior, comprising the steps of: 
requesting practices and policies information from an organization as part of a self-audit process; (in at least [0274] FIG. 16 is an example screen 1600 showing a menu 1610 at left of options and operations that a user can select. In this example the user can select Business Associate Agreements 1620.)
providing the requested practices and policies information and proof of an organization's practices and policies in support of the self-audit process; (in at least [0275] FIG. 17 shows a Business Associates Agreement screen 1700. Displayed is a Key Activity. Two progress bars are shown depicting progress in complying with relevant operations 1711, 1712. Each operation can be associated with a timeframe 1750, 1760, and progress charted thereby. Here operation 1711 can be associated with the colors green 1720, 1730 yellow 1721, 1731 and red 1722, 1732 to indicate percent completion. Colors can be assigned as desired.)
determining a source of information specific to occupational behaviors; (in at least [0276] in FIG. 18, selecting the Key Activity 1810 at the top of the screen (or in another suitable location) displays specific tasks 1820, 1821, 1822, 1823, 1824 associated with that Activity so each individual task can be completed.)
obtaining from one or more of the determined sources, using an Application Programming Interface, a plurality of predetermined factors associated with an organization and at least one employee of that organization; (in at least [0098] FIG. 7 is an example of functionalities and architectures that can deploy agent risk analysis and assessment of PHI. A web services mechanism 710 can be used. An entity/user 720, such as covered entities, can be in operative communication with application logic 730, itself in operative communication with an application performance management functionality 740 such as AppDynamics and other Application Performance Systems (APMs). A “wall” 750 can be interposed and there be an API gateway 760 and a load balancer 770. In communication therewith can be several devices 781, 782, 783, 784 such as but not limited to servers that can use address functionality such as Elastic IP 785 and be in communication with a bucket 786 functionality, itself in communication with a database 790. [0114] FIG. 13 shows an example database structure. A table in the database contains the 11 areas (SolutionAreas) 1310 and an associated primary key 1311 (SolutionAreaID) for each. This primary key exists as a secondary key in a table containing the 168 audit measures 1312 or other measures (ProtocolMeasures). This enables the grouping of each measure into specific areas.)
storing in a database the plurality of predetermined factors and the practices and policies information and proof of an organization's practices and policies; (in at least [0087] HIPAA compliance server 130 can carry out multiple actions, functionalities and processes, can be operatively associated with database 150, as by a network 120. HIPAA compliance server 130 can comprise a processor(s) 131, memory(ies) 132 including RAM and ROM, database 133, and software modules 134. Additional server(s) 140, 160 can be in operative communication with elements associated with the computing environment 100. Database 150, which can comprise multiple databases, can comprise extensive PHI associated with many individuals and entities, storing or having access to individual profiles, entity profiles, and any relevant information related to health processes and management. )
generating recommendations and a risk score based on the plurality of predetermined factors and associated with the at least one employee and the organization's practices and policies information and proof of an organization's practices and policies; and (in at least [0108] Each individual activity associated with the 168 measures (rules) can be assessed upon entry into methods, systems and platforms herein. This assessment can be displayed as a summary report showing the overall HIPAA score based on each of the 12 areas. This report can further break down the individual scores for each of the 12 areas so that Senior Management will know immediately the areas requiring further resources. [0143] The scoring can provide not only an overall score but each solution area can be scored based on each individual measure, task and action step. At any point in time, appropriate employees of the client can be able to identify exactly where the gaps are in meeting compliance and identify the tasks and action steps that need to improve compliance as well as the individuals accountable for each action step. [0174] Train appropriate employees on new policies/procedures [0331] Since the scoring and gap analyses for each organization can reside on a HIPAA Compliant Secure Cloud server there can be the ability to aggregate data across all organizations. There can be a categorization of each organization based on their structure and line of business to create like organizations. For each organization, a benchmark score sheet can be developed to provide a comparison of their posture score and the gap areas to like organizations. This can provide standardization across the healthcare environment and allow Senior Management to better determine comfort with their approach to HIPAA. [0372] The same solution can apply to multiple nodes in chains, other subsets, and in other ways. Multiplier factors can be assigned based on role, group, entity, permissions level and other parameters. 
An added parameter of concern could be ability of an individual, group, entity or other parameter to modify data such as PHI data; the same can be understood as a node associated with an individual, group, etc.)
applying the recommendations to the organization's practices and policies to improve the organization's risk score before an employee, contractor or vendor is retained;  (in at least [0174] Train appropriate employees on new policies/procedures [0372] If this node is particularly vulnerable—e.g., employee associated with node departed more than one week prior—then a multiplier can be accorded the percentage. Thus, a risk factor of 1.5 can be assigned such that the equation reflects 1.8×0.7 =1.26. An added threshold can be assessed based on such a risk factor multiplier. In other words, if the risk factor threshold is predetermined at 1.1, then because 1.26 exceeds 1.1 then special protection/risk can be associated with this node. The same solution can apply to multiple nodes in chains, other subsets, and in other ways. Multiplier factors can be assigned based on role, group, entity, permissions level and other parameters. An added parameter of concern could be ability of an individual, group, entity or other parameter to modify data such as PHI data; the same can be understood as a node associated with an individual, group, etc. Tree designs can be factored in. For example, the sequence of nodes can be significant. Turning to FIG. 3 again, if one of the core functionalities 310 is considered to be in a risky network topology with respect to an added functionality or functionalities in level 312, 314, then this could be assigned a certain value. If a hospital is in direct connection with another functionality and this is considered undesirable this can be another “red flag” accorded a different value. [0374] If undesirable levels of risk are found, a workflow can be altered. A node can be bypassed. A node can be “shut down”. Added security measures can be applied. Intrusion tracking can be enhanced. Monitoring and tracking can be strengthened. Other measures can be taken to address, manage and/or lower risk.)
providing, by the employee, additional sources of information for improvement of the employee's risk score; (in at least [0087] Database 150, which can comprise multiple databases, can comprise extensive PHI associated with many individuals and entities, storing or having access to individual profiles, entity profiles, and any relevant information related to health processes and management [0359] Individual nodes can be identified by function associated therewith (e.g., security), role associated therewith (e.g., COO), IP address, or other parameters. If a user has improper credentials associated with a given IP address, this could represent an undesirable level of risk. For example, if an employee whose role involves processing PHI at rest, motion or use leaves the entity, there may be a relatively low risk the next day. However, if the same node is accorded the same level of security 30 days after the employee leaves as one day after the employee leaves, it can represent an undesirable risk. The vulnerability is greater for the one than the other. [0377] FIG. 38 is an example network topology. Shown are a node 3810 associated with 5 tiers and 6 nodes in communication with node 3812 which is associated with one node. Further, there is Amazon fulfilment queue 3814, node 3816 representing a network and db 3818.)
continuously updating the predetermined factors obtained from one or more of the determined sources;  (in at least [0238] The database can be updated using the individual action step for each task in a given solution area with the average task values (T(i,j)) and equation (1). Using these average task values for a given solution area and the above equation (2), the average area scores (A(i)) can be updated in the database. In addition, the final HIPAA score can be calculated and updated in the database using equation (3) above. [0300] to have the data available and the score calculated upon entry into the system. When action steps for a task are completed the score is updated to reflect the change in status. Reports defining discrete time periods (to be determined by the client and adjustable as desired) can show the client how each area has progressed during that time period.)
producing updated prediction models for recommendations; (in at least [0300] to have the data available and the score calculated upon entry into the system. When action steps for a task are completed the score is updated to reflect the change in status. Reports defining discrete time periods (to be determined by the client and adjustable as desired) can show the client how each area has progressed during that time period.)
generating recommendations to the employee for improving the risk score and reinforcing compliance; and (in at least [0300] to have the data available and the score calculated upon entry into the system. When action steps for a task are completed the score is updated to reflect the change in status. Reports defining discrete time periods (to be determined by the client and adjustable as desired) can show the client how each area has progressed during that time period. Accordingly Management, the PM and individuals can be able to see how their actions are improving compliance. This feedback can be a stimulator to further improvement. Managers can be able to see the impact of their daily decisions on HIPAA compliance and be able to change their tactics quickly to help identify the most efficient way to address their compliance issues.)
permission-based sharing of the employee's risk score through encryption or smart contracts.  (in at least [0094] A Documents Upload Flow module 560 can comprise a number of modules and functionalities. It can operate in conjunction with network 561. A domain name server 562 can be used. A natural language control interface 563 can be provided. A search functionality can be provided 564. In communication therewith can be database 565 comprising encrypted database using MS SQL (encrypted) and be in communication with a secondary database slave 566 (encrypted). [0100] FIG. 9 is an example functionality and architecture diagram illustrating PHI document and secure file import. A user 910 can via SFTP 914 communicate in secure fashion (such as by https) via a network 920 with a domain name server 930. In addition, a user 912 can via application functionality in accord with the invention communicate with a network 920 and domain name server 930. In turn, a load balancer 940 can be provided. Instances of the application 960, 961 can reside in communication with a relevant module mediated by a web services application 950. Provided also can be a monitoring application 962 and performance management application 963. In addition, there can be provided also an encrypted database 964, and database 965 which may or may not be differentiated by storage speed, throughput, cost, etc., such as Amazon S3 or Glacier respectively. Further, code functionality 966, a natural language control interface 967, a database 968, and search functionality 969 can be provided.)

Claim Rejections – 35 USC § 103

In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  

The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

The factual inquiries set forth in Graham v. John Deere Co., 383 U.S. 1, 148 USPQ 459 (1966), that are applied for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.
This application currently names joint inventors. In considering patentability of the claims the examiner presumes that the subject matter of the various claims was commonly owned as of the effective filing date of the claimed invention(s) absent any evidence to the contrary.  Applicant is advised of the obligation under 37 CFR 1.56 to point out the inventor and effective filing dates of each claim that was not commonly owned as of the effective filing date of the later invention in order for the examiner to consider the applicability of 35 U.S.C. 102(b)(2)(C) for any potential 35 U.S.C. 102(a)(2) prior art against the later invention.

Claim(s) 11-14, 16 is/are rejected under 35 U.S.C. 103 as being unpatentable over US Patent Publication US20170053076A1 to Lulla et al. (hereinafter referred to as “Lulla”) in view of US Patent Publication US20180078843A1 to Tran et al. (hereinafter referred to as “Tran”).

As per Claim 11, Lulla teaches:  (Original) The method according to claim 10, 
wherein the additional sources of information include ... of the employee.  (in at least [0087] Database 150, which can comprise multiple databases, can comprise extensive PHI associated with many individuals and entities, storing or having access to individual profiles, entity profiles, and any relevant information related to health processes and management [0359] Individual nodes can be identified by function associated therewith (e.g., security), role associated therewith (e.g., COO), IP address, or other parameters. If a user has improper credentials associated with a given IP address, this could represent an undesirable level of risk. For example, if an employee whose role involves processing PHI at rest, motion or use leaves the entity, there may be a relatively low risk the next day. However, if the same node is accorded the same level of security 30 days after the employee leaves as one day after the employee leaves, it can represent an undesirable risk. The vulnerability is greater for the one than the other. [0377] FIG. 38 is an example network topology. Shown are a node 3810 associated with 5 tiers and 6 nodes in communication with node 3812 which is associated with one node. Further, there is Amazon fulfilment queue 3814, node 3816 representing a network and db 3818.)

Although implied, Lulla does not expressly disclose the following limitations, which however, are taught by Tran,
...biographical data, social media data, and licenses and certifications of the employee...(in at least [0274] a permissioned blockchain is used where predetermined trusted parties are authorized to initiate individuals or organizations onto the blockchain and thus vouched for by a trusted point, such as a government license issuer (dept of public safety or the social security administration, . . . ), a professional licensing authority (bar association or a pharmacy licensing board, for example), an identity provider, a bank, or other organization with whom they already have a trusted relationship. Individuals can initiate their own identity if they wish. Once an initial identity record has been established, an identity owner can add additional identity “claims” (attributes, identity transactions, identity proofs) to their identity. Only the identity owner can see and manage this data. [0821] A recommendation may be provided to the user automatically upon finishing the item (e.g., after reading an entire eBook) to lend his or her item to another user in the social network. The system that generates the recommendations may be configured to recommend lending to users based on distance or reputation in the social network or to users with high lending metrics more so than other users. [0822] the user may have items to lend and may also wish to borrow non-monetary items. A loan-matching infrastructure may identify another user with complementary lendable items and borrowing desires. The loan matching may additionally function as a mechanism for introducing users that are in the same social network but not yet connected to one another in that social network, or it may serve to strengthen the relationship between users who are already connected. [0825] rotating credit associations in which the members are trustworthy due to their social network links)

At the time the invention was filed, it would have been obvious for one of ordinary skill in the art to have modified the teachings of Lulla by, ...An Internet of Thing (IoT) device includes a sensor coupled to a processor; and a transceiver coupled to the processor. Blockchain smart contracts can be used with the device to facilitate secure operation...to frequently monitor and dynamically update the insurance rate and action recommendations,...The smart electronic or on-line assistant agent can issue smart contracts...Smart electronic locks can be unlocked with a device that carries the appropriate token...the process can recommend a strategy in light of the opponent's historical performance. In tennis, a player's historical weakness can be ascertained and a recommendation can be made to optimize success...A recommendation may be provided to the user automatically upon finishing the item (e.g., after reading an entire eBook) to lend his or her item to another user in the social network. The system that generates the recommendations may be configured to recommend lending to users based on distance or reputation in the social network or to users with high lending metrics more so than other users...the user may have items to lend and may also wish to borrow non-monetary items. A loan-matching infrastructure may identify another user with complementary lendable items and borrowing desires. The loan matching may additionally function as a mechanism for introducing users that are in the same social network but not yet connected to one another in that social network, or it may serve to strengthen the relationship between users who are already connected...rotating credit associations in which the members are trustworthy due to their social network links...Security is enabled with two way authentication where prior to withdrawing, a code is sent to the member's smart phone or social network messaging system or email. 
To provide a back up protection, the system can be put in a suspended mode where no fund contribution or withdrawals are allowed. Each ROSCA's foreperson or main contact can communicate with the system and request fund withdrawal using wiring or checking system and may then disburse the withdrawn funds to all participants of the RCA..., as taught by Tran, with a reasonable expectation of success in arriving at the claimed invention. One of ordinary skill in the art would have been motivated to make this modification to the teachings of Lulla with the motivation of, ...to improve monitoring accuracy,...helps the driver for effectively improving the driving skills....to optimize cost or operational efficiency on behalf of its master which can be another electronic smart agent or a human master...The contracts can be automatically executed by the agents as needed, thus distributing the decision making to the last possible moment with current condition and optimizing cost/benefits...tokens are bought on the Ethereum blockchain, a public blockchain network optimized for smart contracts that uses its own cryptocurrency, called Ether. The owner of a smart lock that wishes to rent their house or car sets a price for timed access to that electronic door lock. An interested party can use a mobile app to identify the lock, pay the requested amount in Ethers, then communicate with the lock via a properly signed message to unlock it. Billing is simplified by having all the locks operating on the same blockchain...On the basis of credit scores, differentiated lending treatments can be designed and optimized over time for each risk score cluster of the credit model...the process can recommend a strategy in light of the opponent's historical performance. In tennis, a player's historical weakness can be ascertained and a recommendation can be made to optimize success..., as recited in Tran.


As per Claim 12, Lulla teaches:  (Original) The method according to claim 11, further comprising: 
continuously updating the predetermined factors obtained from one or more of the determined sources; (in at least [0238] The database can be updated using the individual action step for each task in a given solution area with the average task values (T(i,j)) and equation (1). Using these average task values for a given solution area and the above equation (2), the average area scores (A(i)) can be updated in the database. In addition, the final HIPAA score can be calculated and updated in the database using equation (3) above. [0300] to have the data available and the score calculated upon entry into the system. When action steps for a task are completed the score is updated to reflect the change in status. Reports defining discrete time periods (to be determined by the client and adjustable as desired) can show the client how each area has progressed during that time period.)
producing updated prediction models for recommendations; and (in at least [0300] to have the data available and the score calculated upon entry into the system. When action steps for a task are completed the score is updated to reflect the change in status. Reports defining discrete time periods (to be determined by the client and adjustable as desired) can show the client how each area has progressed during that time period.)
generating recommendations to the employee for improving the risk score and reinforcing compliance.  (in at least [0300] to have the data available and the score calculated upon entry into the system. When action steps for a task are completed the score is updated to reflect the change in status. Reports defining discrete time periods (to be determined by the client and adjustable as desired) can show the client how each area has progressed during that time period. Accordingly Management, the PM and individuals can be able to see how their actions are improving compliance. This feedback can be a stimulator to further improvement. Managers can be able to see the impact of their daily decisions on HIPAA compliance and be able to change their tactics quickly to help identify the most efficient way to address their compliance issues.)


As per Claim 13, Lulla teaches:  (Original) The method according to claim 12, 
further comprising permission-based sharing of the employee's risk score through encryption or smart contracts. (in at least [0094] A Documents Upload Flow module 560 can comprise a number of modules and functionalities. It can operate in conjunction with network 561. A domain name server 562 can be used. A natural language control interface 563 can be provided. A search functionality can be provided 564. In communication therewith can be database 565 comprising encrypted database using MS SQL (encrypted) and be in communication with a secondary database slave 566 (encrypted). [0100] FIG. 9 is an example functionality and architecture diagram illustrating PHI document and secure file import. A user 910 can via SFTP 914 communicate in secure fashion (such as by https) via a network 920 with a domain name server 930. In addition, a user 912 can via application functionality in accord with the invention communicate with a network 920 and domain name server 930. In turn, a load balancer 940 can be provided. Instances of the application 960, 961 can reside in communication with a relevant module mediated by a web services application 950. Provided also can be a monitoring application 962 and performance management application 963. In addition, there can be provided also an encrypted database 964, and database 965 which may or may not be differentiated by storage speed, throughput, cost, etc., such as Amazon S3 or Glacier respectively. Further, code functionality 966, a natural language control interface 967, a database 968, and search functionality 969 can be provided.)


As per Claim 14, Lulla teaches:  (Original) Although implied, Lulla does not expressly disclose the following limitations, which, however, are taught by Tran: The method according to claim 13, 
wherein the encryption is blockchain.   (in at least [0828] funds are controlled by an Ethereum smart contract, and the participants, including the foreperson, can withdraw only according to the rules of the RCA. An organizer is the individual who initiates the RCA, determines the parameters, participants, educating participants, and makes sure the contributions are made. The blockchain approach provides simplified accounting, tracking, bidding, and tracking of payments. Blockchain transactions serve as canonical source of truth, simplified management, ability to easily add/remove people to a group seamlessly without having to wait until end of an epoch, ease of use with digital currency vs cash, security of not having to handle cash, game theory mechanisms to reduce default rates. The organizer is responsible for specifying the terms for the RCA, such as RCA name, number of participants, payment frequency, payment amount, start date, and your fees. All participants would need to agree to all these terms to join a RCA. Participant are invited to join a RCA by sending an email, text message, or a mail pigeon (with a link) to participants and they will be prompted to create an account and then they can click on “Join a RCA” to join the group. [0829] The smart contract has a unique address and is written in Solidity. Within each contract, function declarations implement the defining rules of the smart contract. Solidity also provides language constructs specifically targeted at logging on the blockchain, such as the event primitive and the indexed keyword. A Solidity program is eventually compiled into bytecode, to be run on the Ethereum Virtual Machine (EVM). [0831] Security is enabled with two way authentication where prior to withdrawing, a code is sent to the member's smart phone or social network messaging system or email. To provide a back up protection, the system can be put in a suspended mode where no fund contribution or withdrawals are allowed. 
Each ROSCA's foreperson or main contact can communicate with the system and request fund withdrawal using wiring or checking system and may then disburse the withdrawn funds to all participants of the RCA.) 
The reasons and rationale to combine Lulla and Tran are the same as recited above.


As per Claim 16, Lulla teaches:  (Original) The method of claim 14, 
wherein the predetermined factors are updated in real-time through smart devices. (in at least [0087] Computer, input device and display 110, 112, 114 can comprise a personal computer, a laptop, a tablet, a mobile device 116, 118 such as a smart phone, smart glasses, or a smart watch; it will be appreciated that any device containing or in operative association with a processor(s) and a memory(ies) can serve the purpose of computer and input device 110, 112, 114. [0143] the establishment of a scoring (HIPAA Posture Score) can in real-time, or near real-time, quickly communicate how well a client is doing relative to compliance.) 





Conclusion
Relevant prior art not relied upon:
Ganor, US20180375892A1, A system includes a memory to store network-related security policies and procedures associated with an enterprise, a display and at least one device. The device is configured to monitor enterprise activity associated with the enterprise's networked devices and determine, based on the enterprise activity, whether the enterprise is complying with the security policies and procedures. The device is also configured to calculate a risk exposure metric for an asset of the enterprise based on the enterprise activity and whether the enterprise is complying with the security policies and procedures, and output, to the display, a graphical user interface (GUI) identifying the risk exposure metric. The device may also be configured to receive, via the GUI, an input to initiate a change with respect to at least one of the enterprise's networked devices or initiate the generation of a plan to make a change to at least one of the networked devices.

Burrows, US20170323265A1, Disclosed is a compliance database and management system for auditing, assessing, and tracking the compliance of companies and their suppliers and method for performing the same. A method for performing supply chain compliance includes collecting supply chain data, such as information about one or more suppliers, compiling (e.g., building) the supply chain data (e.g., into a database) and providing the compiled supply chain data so that the data is accessible to a user. The compiled supply chain data can be analyzed, filtered by one or more parameters, organized by one or more parameters, or a combination thereof by a user.

Byun, US20180322107A1, An embodiment may involve transmitting, to a first client device, a representation of a first graphical user interface. The first graphical user interface may define fillable web-based forms. The embodiment may involve receiving, from the first client device, a first submission of the fillable web-based forms. The embodiment may involve transmitting, to a second client device, a representation of a second graphical user interface. The second graphical user interface may allow the second client device to fill out the fillable web-based forms. The embodiment may further involve receiving, from the second client device, a second submission of the fillable web-based forms. The embodiment may further involve determining numerical scores associated with each of the fillable web-based forms. The embodiment may also involve transmitting a representation of a third graphical user interface. The third graphical user interface may show the fillable web-based forms and their respective numerical scores.

Syed, US20170103466A1, The present disclosure is directed towards systems and methods for generating a recommendation to on-board a candidate document to an on-line research system, which comprises receiving from an electronic device, a set of data items associated with a candidate document, the candidate document being a document that is a candidate to be made available via the on-line research system and storing the set of data items in a memory. The systems and methods of the present disclosure then automatically analyze the set of data items using a computer program stored in the memory and generate a recommendation as to whether to obtain or not obtain the candidate document. A signal is then generated and transmitted to the electronic device, the signal based upon the recommendation.

Tran, US20180001184A1, An Internet of Thing (IoT) device includes a camera coupled to a processor; and a wireless transceiver coupled to the processor. Blockchain smart contracts can be used with the device to facilitate secure operation.

Verma, US20160358268A1, In one aspect a computerized method for detecting anomalies in expense reports of an enterprise includes the step of implementing a semantic analysis algorithm on an expense report data submitted by an employee, wherein the expense report data is provided in a computer-readable format. The method includes the step of, with one or more machine learning algorithms, detecting an anomaly in expense report data. The method includes the step of obtaining an augmentation of the expense report data with a set of web scale data. The method includes the step of verifying receipts associated with an expense report. The method includes the step of determining that the employee or any employee has previously claimed an expense in the expense report data. The method includes the step of identifying an inappropriate expense in the expense report data.

Kolb, US20180218456A1, An automated interconnection system for recording and transferring ownership of insurance-related assets is provided. Risk units associated with an asset and perils to the asset are created and stored in a shared database. The risk units are tied to smart policies that pertain to risk coverage of the asset. The risk units are priced and incorporated into smart contracts created between participants of the system. Methods and computer readable media are also provided.

Chetal, US20190287182A1, The system may be configured to perform operations including receiving a transaction history for a consumer having transaction information associated with a plurality of transactions; detecting within the transaction information for each transaction a characteristic, resulting in a plurality of characteristics; calculating a respective value associated with each characteristic, wherein the respective value is at least one of a number or percentage of transactions having the characteristic; assigning a respective weight to each characteristic, producing an assigned respective weight for each characteristic; applying the assigned respective weight to the respective value associated with each characteristic to produce a respective weighted value for each characteristic; combining the respective weighted values of the plurality of characteristics; and/or producing a compliance score in response to the combining the respective weight values.

Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  

Any inquiry concerning this communication or earlier communications from the examiner should be directed to PO HAN MAX LEE whose telephone number is (571) 272-3821.  The examiner can normally be reached on Mon-Thurs 8:00 am - 7:00 pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.

If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Rutao Wu can be reached on (571) 272-6045.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.

Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.




/PO HAN MAX LEE/Examiner, Art Unit 3623

/CHARLES GUILIANO/Primary Examiner, Art Unit 3623