SYSTEMS AND METHODS FOR TRACKING, ACCESSING AND MERGING PROTECTED HEALTH INFORMATION

§101 §103

DETAILED ACTION Notice of Pre-AIA or AIA Status The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA . Status of Claims This action is in reply to the claims filed on 22 December 2025. Claims 1 and 18-19 were amended. Claims 13-17 were canceled. Claims 20-31 were previously canceled. Claims 1-12 and 18-19 are currently pending and have been examined. Claim Rejections - 35 USC § 101 35 U.S.C. 101 reads as follows: Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title. Claims 1-12 and 18-19 are rejected under 35 USC § 101 Step 1: Is the claim to a process, machine, manufacture, or composition of matter? Claims 1-12 and 18-19 fall within one or more statutory categories. Claims 1-12 fall within the category of a process. Claim 18 falls within the category of a machine. Claim 19 falls within the category of a manufacture. Step 2A Prong One: Does the claim recite an abstract idea, law of nature, or natural phenomenon? Claims 1-12 and 18-19 recite an abstract idea. Representative claim 1 recites: … create one or more associations among medical studies that are included in the de-identified medical study data; … [generating an identifier that] represents represent a unique association identifier common among the distinct set of de-identified medical studies linked by a distinct association of the one or more associations…; responsive to detecting the generated [identifier] differs from a [stored identifier] previously generated for the de-identified medical study or that there is no [stored identifier] previously generated for the de-identified medical study: sending to a remote service (a) an obfuscated ID that uniquely maps to the de-identified medical study and (b) the generated [identifier] linking the de-identified medical study to one or more other de-identified medical studies of the distinct set; and receiving … a request for a medical study…; authenticating … the request for the medical study …; requesting … PHI data associated with the requested medical study from the PHI system …; sending … the requested PHI data … responsive to the request; receiving … the requested PHI data from the PHI system …; sending … the requested PHI data to the [requestor] …, without decrypting the requested PHI data; and sending … de-identified medical study data for the requested medical study to the [requestor], wherein the requested PHI data is decrypted and merged, locally … [by the requestor], with the de-identified medical study data to generate re-identified medical study data… . Therefore, the claim as a whole is directed to “requesting deidentified medical data and corresponding PHI,” which is an abstract idea because it is a method of organizing human activity. “Requesting deidentified medical data and corresponding PHI” is considered to be a method of organizing human activity because it is an example of managing personal behavior or relationships or interactions between people (including social activities, teaching, and following rules or instructions). The broadest reasonable interpretation of the claim includes an example of the interaction between the requestor and the provider. Representative claim 1 also recites: generating … cryptographic hashes based on selected fields of the PHI data …; generating a cryptographic hash … based on appending common values in the selected fields for the distinct set and a cryptographic key; encrypting … the requested PHI data into an encrypted form; Under the broadest reasonable interpretation, these elements are directed to “hashing and encryption,” which is an abstract idea because it is a mathematical concept. “Hashing and encryption” is considered to be a mathematical concept because it is an example of mathematical calculation. The limitations that recite a method of organizing human activity and the limitations that recite mathematical concepts are considered together as a single abstract idea for further analysis. Step 2A Prong Two: Does the claim recite additional elements that integrate the judicial exception into a practical application? This judicial exception is not integrated into a practical application. In particular, claim 1 recites the following additional element(s): an analytics service provider (ASP) system and a protected health information (PHI) system; storing, by at least one processor of the ASP system, de-identified medical study data on at least one nontransitory processor-readable storage medium of the ASP system; storing, by at least one processor of the PHI system, PHI data associated with the de- identified medical study data on at least one nontransitory processor-readable storage medium of the PHI system; a client processor-based device; storing the cryptographic hash in a local cache; and at least one communications network. The additional elements individually or in combination do not integrate the exception into a practical application. These additional elements merely recite the words ‘‘apply it’’ (or an equivalent) with the judicial exception, or merely include instructions to implement an abstract idea on a computer, or merely use a computer as a tool to perform an abstract idea (see MPEP 2106.05(f)). Accordingly, these additional elements do not integrate the abstract idea into a practical application because they do not impose any meaningful limits on practicing the abstract idea. Claim 1 is directed to an abstract idea. Step 2B: Does the claim recite additional elements that amount to significantly more than the judicial exception? Claim 1 does not include additional elements, considered individually or in combination, that are sufficient to amount to significantly more than the judicial exception. As discussed above with respect to integration of the abstract idea into a practical application, the additional element(s), individually and in combination, merely recite the words ‘‘apply it’’ (or an equivalent) with the judicial exception, or merely include instructions to implement an abstract idea on a computer, or merely use a computer as a tool to perform an abstract idea (see MPEP 2106.05(f)). Accordingly, claim 1 is ineligible. Dependent claim 2 recites the method of claim 1, wherein: receiving, by at least one processor of the client processor-based device, the PHI data from the ASP system over the at least one communications network; receiving, by the at least one processor of the client processor-based device, the de- identified medical study data from the ASP system over the at least one communications network; merging, by the at least one processor of the client processor-based device, the PHI data and the de-identified medical study data to generate the re-identified medical study data; and presenting, by the at least one processor of the client processor-based device, the re- identified medical study data to a user of the client processor-based device. This merely further limits the abstract idea of claim 1 discussed above and does not provide further additional elements. Therefore, claim 2 is considered to be ineligible. Dependent claim 3 recites the method of claim 1, wherein: receiving, by the at least one processor of the PHI system, medical study data which includes PHI data; removing, by the at least one processor of the PHI system, the PHI data from the medical study data to generate de-identified medical study data; storing, by the at least one processor of the PHI system, the PHI data in the at least one nontransitory processor-readable storage medium of the PHI system; and sending, by the at least one processor of the PHI system, the de-identified medical study data to the ASP system over the at least one communications network. This merely further limits the abstract idea of claim 1 discussed above and does not provide further additional elements. Therefore, claim 3 is considered to be ineligible. Dependent claim 4 recites the method of claim 3, wherein: receiving medical study data which includes PHI data comprises receiving medical imaging data from a scanner. This merely further limits the abstract idea of claim 1 discussed above and does not provide further additional elements. Therefore, claim 4 is considered to be ineligible. Dependent claim 5 recites the method of claim 1, wherein: removing the PHI data from the medical study data comprises: removing, by the at least one processor of the PHI system, fields which are allowed to be deleted; and replacing, by the at least one processor of the PHI system, data in fields which are not allowed to be deleted with obfuscated replacement data. This merely further limits the abstract idea of claim 1 discussed above and does not provide further additional elements. Therefore, claim 5 is considered to be ineligible. Dependent claim 6 recites the method of claim 3, wherein: associating, by the at least one processor of the PHI system, a unique identifier with the medical study data for a medical study; storing, by the at least one processor of the PHI system, the unique identifier in the at least one nontransitory processor-readable storage medium of the PHI system; and sending, by the at least one processor of the PHI system, the unique identifier with the de- identified medical data for the medical study to the ASP system over the at least one communications network. This merely further limits the abstract idea of claim 1 discussed above and does not provide further additional elements. Therefore, claim 6 is considered to be ineligible. Dependent claim 7 recites the method of claim 1, wherein: generating, by the at least one processor of the ASP system, analytics data relating to the de-identified medical study data; and sending, by the at least one processor of the ASP system, the generated analytics data to the PHI system over the at least one communications network. This merely further limits the abstract idea of claim 1 discussed above and does not provide further additional elements. Therefore, claim 7 is considered to be ineligible. Dependent claim 8 recites the method of claim 1, wherein: the sending the received PHI data to the requesting client processor-based device includes: sending the received PHI data to the requesting client processor-based device without persistently storing the PHI data by the ASP system. This merely further limits the abstract idea of claim 1 discussed above and does not provide further additional elements. Therefore, claim 8 is considered to be ineligible. Dependent claim 9 recites the method of claim 1, wherein: the sending the received PHI data to the requesting client processor-based device includes: sending the received PHI data to the requesting client processor-based device without decrypting the received PHI data by the ASP system. This merely further limits the abstract idea of claim 1 discussed above and does not provide further additional elements. Therefore, claim 9 is considered to be ineligible. Dependent claim 10 recites the method of claim 1, wherein: the requesting the PHI data associated with the requested medical study from the PHI system includes: sending to a server of the PHI system, by the at least one processor of the ASP system, an HTTPS long polling request for the PHI data associated with the requested medical study, wherein the server of the PHI system holds the request open until the PHI data associated with the requested medical study is available and wherein the sending the requested PHI data to the ASP system is in response to the HTTPS long polling request sent to the server of the PHI system. The additional elements present in this claim merely recites the words ‘‘apply it’’ (or an equivalent) with the judicial exception, or merely includes instructions to implement an abstract idea on a computer, or merely uses a computer as a tool to perform an abstract idea (see MPEP 2106.05(f)). These types of additional elements are not enough to integrate the abstract idea into a practical application, nor do they amount to significantly more than the judicial exception. Accordingly, claim 10 is ineligible. Dependent claim 11 recites the method of claim 1, wherein: the sending the requested PHI data to the ASP system includes: sending, by the at least one processor of the PHI system, the requested PHI data to the ASP system in response to an HTTPS long polling request sent to a server of the PHI system from the ASP system. The additional elements present in this claim merely recites the words ‘‘apply it’’ (or an equivalent) with the judicial exception, or merely includes instructions to implement an abstract idea on a computer, or merely uses a computer as a tool to perform an abstract idea (see MPEP 2106.05(f)). These types of additional elements are not enough to integrate the abstract idea into a practical application, nor do they amount to significantly more than the judicial exception. Accordingly, claim 11 is ineligible. Dependent claim 12 recites the method of claim 11, wherein: in response to the receiving the PHI data from the PHI system, immediately sending to the PHI system, by the at least one processor of the ASP system, another HTTPS long polling request for new PHI data from the PHI system over the at least one communications network. The additional elements present in this claim merely recites the words ‘‘apply it’’ (or an equivalent) with the judicial exception, or merely includes instructions to implement an abstract idea on a computer, or merely uses a computer as a tool to perform an abstract idea (see MPEP 2106.05(f)). These types of additional elements are not enough to integrate the abstract idea into a practical application, nor do they amount to significantly more than the judicial exception. Accordingly, claim 12 is ineligible. Claims 18-19 are parallel in nature to claim 1. Accordingly claims 18-19 are rejected as being directed towards ineligible subject matter based upon the same analysis above. Claim Rejections - 35 USC § 103 The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action: A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made. The factual inquiries for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows: 1. Determining the scope and contents of the prior art. 2. Ascertaining the differences between the prior art and the claims at issue. 3. Resolving the level of ordinary skill in the pertinent art. 4. Considering objective evidence present in the application indicating obviousness or nonobviousness. Claims 1-9 and 18-19 are rejected under 35 U.S.C. 103 as being unpatentable over Dormer et al. (U.S. 2017/0076043), hereinafter “Dormer,” in view of Vesper et al. (U.S. 2011/0153351), hereinafter “Vesper,” and further in view of Stalling et al. (U.S. 2016/0342738), hereinafter “Stalling.” Regarding Claim 1, Dormer discloses a method of operating a medical analytics platform, the medical analytics platform comprising: an analytics service provider (ASP) system and a protected health information (PHI) system (See Dormer Fig. 8; the system can include an ASP cloud system and a PHI service system.), the method comprising: storing, by at least one processor of the ASP system, de-identified medical study data on at least one nontransitory processor-readable storage medium of the ASP system (See Dormer [0007] the ASP system stores the de-identified medical study data.); storing, by at least one processor of the PHI system, PHI data associated with the de-identified medical study data on at least one nontransitory processor-readable storage medium of the PHI system (See Dormer [0007] the PHI system stores PHI data associated with the de-identified medical study data.); generating and communicating, by at least one processor of the PHI system, cryptographic hashes based on selected fields of the PHI data (See Dormer [0318] the PHI system can replace the plain text PHI with a hash of the PHI.); receiving, by the at least one processor of the ASP system, a request for a medical study from a client processor-based device (See Dormer [0337] the client system can request a report from the ASP system.) over at least one communications network (See Dormer [0337] the ASP system can send the de-identified medical study data to the client device over the at least one communications network.); authenticating, by the at least one processor of the ASP system, the request for the medical study received from the client processor-based device (See Dormer [0365] the user can be authenticated to gain access to the ASP system. See also Dormer [0008].); requesting … PHI data associated with the requested medical study from the PHI system over the at least one communications network (See Dormer [0332] the user can request and receive the PHI data from the PHI system.); encrypting, by the at least one processor of the PHI system, the requested PHI data into an encrypted form (See Dormer [0322] the system transmits the PHI data in an encrypted form.); sending … the requested PHI data to the client processor-based device over the at least one communications network (See Dormer [0332] the user can request and receive the PHI data from the PHI system. [0322] the system transmits the PHI data in an encrypted form.); sending, by the at least one processor of the ASP system, de-identified medical study data for the requested medical study to the client processor-based device over the at least one communications network (See Dormer [0337] the ASP system can send the de-identified medical study data to the client device over the at least one communications network.). Dormer does not disclose: [generating the cryptographic hashes] to create one or more associations among medical studies that are included in the de-identified medical study data, wherein the generating and communicating comprises, for each de-identified medical study of a distinct set of de-identified medical studies: generating a cryptographic hash to represent a unique association identifier common among the distinct set of de-identified medical studies linked by a distinct association of the one or more associations, [generating the cryptographic hash] based on appending common values in the selected fields for the distinct set and a cryptographic key; and responsive to detecting the generated cryptographic hash differs from a cached cryptographic hash previously generated for the de-identified medical study or that there is no cached cryptographic hash previously generated for the de-identified medical study: sending to a remote service (a) an obfuscated ID that uniquely maps to the de-identified medical study and (b) the generated cryptographic hash linking the de-identified medical study to one or more other de-identified medical studies of the distinct set; and storing the cryptographic hash in a local cache; and [requesting the PHI data] by the at least one processor of the ASP system, sending, by the at least one processor of the PHI system, the requested PHI data in the encrypted form to the ASP system over the at least one communications network responsive to the request; receiving, by the at least one processor of the ASP system, the requested PHI data in the encrypted form from the PHI system over the at least one communications network; [sending the requested PHI data] by the at least one processor of the ASP system, … without decrypting the requested PHI data; and wherein the requested PHI data is decrypted and merged, locally on the client processor-based device, with the de-identified medical study data to generate re- identified medical study data on the client processor-based device. Vesper teaches: [generating the cryptographic hashes] to create one or more associations among medical studies that are included in the de-identified medical study data (See Vesper [0252] images can then be fingerprinted, which includes embedding or attaching information to the image so that the image can be uniquely identified. [0254] the images can be fingerprinted using a hashing function. [0342] the fingerprinting can be used to link discrete images across storage repositories. This fingerprinting is understood to meet the broadest reasonable interpretation of this claim element, creating associations among medical studies by using common fields in the PHI like patient identifying information.), wherein the generating and communicating comprises, for each de-identified medical study of a distinct set of de-identified medical studies: generating a cryptographic hash to represent a unique association identifier common among the distinct set of de-identified medical studies linked by a distinct association of the one or more associations (See Vesper [0342] the images are fingerprinted with a hashing algorithm using GUID and stored. [0343] the images are not stored in aggregated studies after fingerprinting/hashing. [0339] images are not stored in aggregated studies, but can be queried based on Facility ID or study UID. Therefore, it is understood that the hashing is directedly connected to the association between the images, making them accessible in the aggregate based on linked information.); and responsive to detecting the generated cryptographic hash differs from a cached cryptographic hash previously generated for the de-identified medical study or that there is no cached cryptographic hash previously generated for the de-identified medical study (See Vesper [0342] the images are fingerprinted with a hashing algorithm using GUID and stored. [0305] The central index can use the DICOM header information to determine if the image is new or it is an update to an existing image. The system returns a new ID or the ID to be updated.): sending to a remote service (a) an obfuscated ID that uniquely maps to the de-identified medical study and (b) the generated cryptographic hash linking the de-identified medical study to one or more other de-identified medical studies of the distinct set; and storing the cryptographic hash in a local cache (See Vesper [0252] images can then be fingerprinted, which includes embedding or attaching information to the image so that the image can be uniquely identified. [0254] the images can be fingerprinted using a hashing function. [0342] the fingerprinting can be used to link discrete images across storage repositories. This fingerprinting is understood to meet the broadest reasonable interpretation of this claim element, creating hashes linking se-identified medical studies to other de-identified medical studies.); and [requesting the PHI data] by the at least one processor of the ASP system, sending, by the at least one processor of the PHI system, the requested PHI data in the encrypted form to the ASP system over the at least one communications network responsive to the request (See Vesper [0305] the system can move the anonymized image to cache storage. [0342] the images are fingerprinted with a hashing algorithm using GUID and stored. Therefore, the system stores any generated hash in a local cache.); receiving, by the at least one processor of the ASP system, the requested PHI data in the encrypted form from the PHI system over the at least one communications network (See Vesper Fig. 45 and [0388]-[0394] the system can include the use of apps for collecting the PHI data and the de-identified image data and sending it to the consumer. This includes the app requesting the PHI data that corresponds to the requested study.); [sending the requested PHI data] by the at least one processor of the ASP system (See Vesper Fig. 45 and [0388]-[0394] the system can include the use of apps for collection the PHI data and the de-identified image data and sending it to the consumer. Through the app, the user can receive both the PHI and the de-identified study data.), … without decrypting the requested PHI data (See Vesper [0269] the personal information, being encrypted prior to transmission, can be decrypted by the consumer. Therefore, it is not encrypted until it is received by the consumer.); and wherein the requested PHI data is decrypted and merged, locally on the client processor-based device, with the de-identified medical study data to generate re- identified medical study data on the client processor-based device (See Vesper [0269] the personal information, being encrypted prior to transmission, can be decrypted by the consumer. The medical imaging record can be formed on a record consumer computer using the decrypted personal information and coupled with the anonymized DICOM image. Therefore, the decryption and merging happens locally on the consumer device.). The system of Vesper is applicable to the disclosure of Dormer as they both share characteristics and capabilities, namely, they are directed to de-identifying and collecting medical data. It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Dormer to include data communication through a separate app and hash encryption and decryption as taught by Vesper. One of ordinary skill in the art before the effective filing date of the claimed invention would have been motivated to modify Dormer in order to provide a secure system for accessing and moving those records among authorized parties (see Vesper [0006]). Stalling teaches: [generating the cryptographic hash] based on appending common values in the selected fields for the distinct set and a cryptographic key (See Stalling [0080] the system can replace patient information, such as patient ID, with a “mapped ID” that is an anonymized hash (see [0075] for a description of the hash function). [0081] the system generates the same mapped id, if the input is the same. this means that two images belonging to the same patient can be exported independently, and without storing the mapped ID, both images will have the same mapped ID. This means the mapped ID is based on common PHI fields.). The system of Stalling is applicable to the disclosure of Dormer in view of Vesper as they both share characteristics and capabilities, namely, they are directed to collecting an displaying medical images. It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Dormer in view of Vesper to include mapping medical documents with unique hashes as taught by Stalling. One of ordinary skill in the art before the effective filing date of the claimed invention would have been motivated to modify Dormer in order so that two images belonging to the same patient can be exported independently, and without storing the mapped ID, both images will have the same mapped ID (see Stalling [0081]). Regarding claim 2, Dormer in view of Vesper and Stalling discloses the method of claim 1 as discussed above. Dormer further discloses a method, comprising: receiving, by at least one processor of the client processor-based device, the PHI data … over the at least one communications network (See Dormer [0332] the user can request and receive the PHI data from the PHI system.); receiving, by the at least one processor of the client processor-based device, the de- identified medical study data from the ASP system over the at least one communications network (See Dormer [0008] the client device can receive the de-identified medical study data from the ASP system over the at least one communications network. See also Dormer claim 9.); merging, by the at least one processor of the client processor-based device, the PHI data and the de-identified medical study data to generate the re-identified medical study data (See Dormer [0008] the client device can merge the PHI data and the de-identified medical study data to generate re-identified medical study data. See also Dormer claim 9.); and presenting, by the at least one processor of the client processor-based device, the re- identified medical study data to a user of the client processor-based device (See Dormer [0008] the client device can present the re-identified medical study data to a user of the client processor-based device. See also Dormer claim 9.). Dormer does not disclose: receiving the PHI data from the ASP system. Vesper teaches: receiving the PHI data from the ASP system (See Vesper Fig. 45 and [0388]-[0394] the system can include the use of apps for collection the PHI data and the de-identified image data and sending it to the consumer. Through the app, the user can receive both the PHI and the de-identified study data.). The system of Vesper is applicable to the disclosure of Dormer as they both share characteristics and capabilities, namely, they are directed to de-identifying and collecting medical data. It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Dormer to include data communication through a separate app and local decryption/merging as taught by Vesper. One of ordinary skill in the art before the effective filing date of the claimed invention would have been motivated to modify Dormer in order to provide a secure system for accessing and moving those records among authorized parties (see Vesper [0006]). Regarding claim 3, Dormer in view of Vesper and Stalling discloses the method of claim 1 as discussed above. Dormer further discloses a method, comprising: receiving, by the at least one processor of the PHI system, medical study data which includes PHI data (See Dormer [0008] the PHI system can receive medical study data which includes PHI data. See also Dormer claim 4.); removing, by the at least one processor of the PHI system, the PHI data from the medical study data to generate de-identified medical study data (See Dormer [0008] the PHI system can remove the PHI data from the medical study data to generate de-identified medical study data See also Dormer claim 4.); storing, by the at least one processor of the PHI system, the PHI data in the at least one nontransitory processor-readable storage medium of the PHI system (See Dormer [0008] the PHI system can store the PHI data in the at least one nontransitory processor-readable storage medium of the PHI system. See also Dormer claim 4.); and sending, by the at least one processor of the PHI system, the de-identified medical study data to the ASP system over the at least one communications network (See Dormer [0008] the PHI system can send the de-identified medical study data to the ASP system over the at least one communications network. See also Dormer claim 4.). Regarding claim 4, Dormer in view of Vesper and Stalling discloses the method of claim 1 as discussed above. Dormer further discloses a method, wherein: receiving medical study data which includes PHI data comprises receiving medical imaging data from a scanner (See Dormer [0008] the system can receive medical study data which includes PHI data including medical imaging data from a scanner. See also Dormer Claim 5.). Regarding claim 5, Dormer in view of Vesper and Stalling discloses the method of claim 1 as discussed above. Dormer further discloses a method, wherein: removing the PHI data from the medical study data comprises: removing, by the at least one processor of the PHI system, fields which are allowed to be deleted (See Dormer [0008] the PHI system can remove fields which are allowed to be deleted. See also Dormer claim 7.); and replacing, by the at least one processor of the PHI system, data in fields which are not allowed to be deleted with obfuscated replacement data (See Dormer [0008] the PHI system can replace data in fields which are not allowed to be deleted with obfuscated replacement data. See also Dormer claim 7.). Regarding claim 6, Dormer in view of Vesper and Stalling discloses the method of claim 1 as discussed above. Dormer further discloses a method, comprising: associating, by the at least one processor of the PHI system, a unique identifier with the medical study data for a medical study (See Dormer [0008] the PHI system can associate a unique identifier with the medical study data for a medical study. See also Dormer claim 8.); storing, by the at least one processor of the PHI system, the unique identifier in the at least one nontransitory processor-readable storage medium of the PHI system (See Dormer [0008] the PHI system can store the unique identifier in the at least one nontransitory processor-readable storage medium of the PHI system. See also Dormer claim 8.); and sending, by the at least one processor of the PHI system, the unique identifier with the de- identified medical data for the medical study to the ASP system over the at least one communications network (See Dormer [0008] the PHI system can send the unique identifier with the de-identified medical data for the medical study to the ASP system over the at least one communications network. See also Dormer claim 8.). Regarding claim 7, Dormer in view of Vesper and Stalling discloses the method of claim 1 as discussed above. Dormer further discloses a method, comprising: generating, by the at least one processor of the ASP system, analytics data relating to the de-identified medical study data (See Dormer [0008] the ASP system can generate analytics data relating to the de-identified medical study data. See also Dormer claim 10.); and sending, by the at least one processor of the ASP system, the generated analytics data to the PHI system over the at least one communications network (See Dormer [0008] the ASP system can send the generated analytics data to the PHI system over the at least one communications network. See also Dormer claim 10.). Regarding claim 8, Dormer in view of Vesper and Stalling discloses the method of claim 1 as discussed above. Dormer further discloses a method, wherein: the sending the received PHI data to the requesting client processor-based device includes: sending the received PHI data to the requesting client processor-based device without persistently storing the PHI data by the ASP system (See Dormer [0332] the user can request and receive the PHI data from the PHI system. [0330] the PHI data is not provided directly to the ASP system, therefore it is not persistently stored by the ASP system. See also [0370].). Regarding claim 9, Dormer in view of Vesper and Stalling discloses the method of claim 1 as discussed above. Dormer further discloses a method, wherein: the sending the received PHI data to the requesting client processor-based device includes: sending the received PHI data to the requesting client processor-based device without decrypting the received PHI data by the ASP system (See Dormer [0332] the user can request and receive the PHI data from the PHI system. [0330] the PHI data is not provided directly to the ASP system, therefore it is not is not decrypted by the ASP system. See also [0370].). Regarding claim 18, Dormer discloses a processor-based system, comprising: at least one nontransitory processor-readable storage medium that stores at least one of processor-executable instructions or data (See Dormer Fig. 2 and [0065] system can include the use of a plurality of nontransitory storage media and a processing unit.); and at least one processor communicably coupled to the at least one nontransitory processor-readable storage medium (See Dormer Fig. 2 and [0065] system can include the use of a plurality of nontransitory storage media and a processing unit.), in operation the at least one processor implements a method comprising: storing de-identified medical study data on at least one nontransitory processor- readable storage medium of an analytics service provider (ASP) system of a medical analytics platform (See Dormer [0007] the ASP system stores the de-identified medical study data.); causing storing of protected health information (PHI) data associated with the de-identified medical study data on at least one nontransitory processor-readable storage medium of a PHI system of the medical analytics platform (See Dormer [0007] the PHI system stores PHI data associated with the de-identified medical study data.), wherein the PHI system generates and communicates cryptographic hashes based on selected fields of the PHI data (See Dormer [0318] the PHI system can replace the plain text PHI with a hash of the PHI.); receiving a request for a medical study from a client processor-based device (See Dormer [0337] the client system can request a report from the ASP system.) over at least one communications network (See Dormer [0337] the ASP system can send the de-identified medical study data to the client device over the at least one communications network.); authenticating the request for the medical study received from the client processor-based device (See Dormer [0365] the user can be authenticated to gain access to the ASP system. See also Dormer [0008].); requesting PHI data associated with the requested medical study from the PHI system of the medical analytics platform, over the at least one communications network (See Dormer [0332] the user can request and receive the PHI data from the PHI system.); sending the PHI data to the client processor-based device over the at least one communications network (See Dormer [0332] the user can request and receive the PHI data from the PHI system. [0322] the system transmits the PHI data in an encrypted form.)…; sending de-identified medical study data for the requested medical study to the client processor-based device over the at least one communications network (See Dormer [0337] the ASP system can send the de-identified medical study data to the client device over the at least one communications network.). Dormer does not disclose: [the system generates the cryptographic hashes] to create one or more associations among medical studies that are included in the de-identified medical study data, wherein the generating and communicating comprises, for each de-identified medical study of a distinct set of de-identified medical studies: generating a cryptographic hash to represent a unique association identifier common among the distinct set of de-identified medical studies linked by a distinct association of the one or more associations; [generating the cryptographic hash] based on appending common values in the selected fields for the distinct set and a cryptographic key; and responsive to detecting the generated cryptographic hash differs from a cached cryptographic hash previously generated for the de-identified medical study or that there is no cached cryptographic hash previously generated for the de-identified medical study: sending to a remote service (a) an obfuscated ID that uniquely maps to the de-identified medical study and (b) the generated cryptographic hash linking the de- identified medical study to one or more other de-identified medical studies of the distinct set; and storing the cryptographic hash in a local cache; and receiving the PHI data in an encrypted form from the PHI system over the at least one communications network responsive to the request; [sending the PHI data] without decrypting the PHI data; and wherein the PHI data is decrypted and merged, locally on the client processor-based device, with the de-identified medical study data to generate re-identified medical study data on the client processor-based device. Vesper teaches: [the system generates the cryptographic hashes] to create one or more associations among medical studies that are included in the de-identified medical study data (See Vesper [0252] images can then be fingerprinted, which includes embedding or attaching information to the image so that the image can be uniquely identified. [0254] the images can be fingerprinted using a hashing function. [0342] the fingerprinting can be used to link discrete images across storage repositories. This fingerprinting is understood to meet the broadest reasonable interpretation of this claim element, creating associations among medical studies by using common fields in the PHI like patient identifying information.), wherein the generating and communicating comprises, for each de-identified medical study of a distinct set of de-identified medical studies: generating a cryptographic hash to represent a unique association identifier common among the distinct set of de-identified medical studies linked by a distinct association of the one or more associations (See Vesper [0342] the images are fingerprinted with a hashing algorithm using GUID and stored. [0343] the images are not stored in aggregated studies after fingerprinting/hashing. [0339] images are not stored in aggregated studies, but can be queried based on Facility ID or study UID. Therefore, it is understood that the hashing is directedly connected to the association between the images, making them accessible in the aggregate based on linked information.); responsive to detecting the generated cryptographic hash differs from a cached cryptographic hash previously generated for the de-identified medical study or that there is no cached cryptographic hash previously generated for the de-identified medical study (See Vesper [0342] the images are fingerprinted with a hashing algorithm using GUID and stored. [0305] The central index can use the DICOM header information to determine if the image is new or it is an update to an existing image. The system returns a new ID or the ID to be updated.): sending to a remote service (a) an obfuscated ID that uniquely maps to the de-identified medical study and (b) the generated cryptographic hash linking the de- identified medical study to one or more other de-identified medical studies of the distinct set (See Vesper [0252] images can then be fingerprinted, which includes embedding or attaching information to the image so that the image can be uniquely identified. [0254] the images can be fingerprinted using a hashing function. [0342] the fingerprinting can be used to link discrete images across storage repositories. This fingerprinting is understood to meet the broadest reasonable interpretation of this claim element, creating hashes linking se-identified medical studies to other de-identified medical studies.); and storing the cryptographic hash in a local cache (See Vesper [0305] the system can move the anonymized image to cache storage. [0342] the images are fingerprinted with a hashing algorithm using GUID and stored. Therefore, the system stores any generated hash in a local cache.); and receiving the PHI data in an encrypted form from the PHI system over the at least one communications network responsive to the request (See Vesper Fig. 45 and [0388]-[0394] the system can include the use of apps for collection the PHI data and the de-identified image data and sending it to the consumer. This includes the app receiving the PHI data from the repository. [0096] the PHI data can be encrypted.); [sending the PHI data] without decrypting the PHI data (See Vesper [0269] the personal information, being encrypted prior to transmission, can be decrypted by the consumer. Therefore, it is not encrypted until it is received by the consumer.); and wherein the PHI data is decrypted and merged, locally on the client processor-based device, with the de-identified medical study data to generate re-identified medical study data on the client processor-based device (See Vesper [0269] the personal information, being encrypted prior to transmission, can be decrypted by the consumer. The medical imaging record can be formed on a record consumer computer using the decrypted personal information and coupled with the anonymized DICOM image. Therefore, the decryption and merging happens locally on the consumer device.). The system of Vesper is applicable to the disclosure of Dormer as they both share characteristics and capabilities, namely, they are directed to de-identifying and collecting medical data. It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Dormer to include data communication through a separate app and hash encryption and decryption as taught by Vesper. One of ordinary skill in the art before the effective filing date of the claimed invention would have been motivated to modify Dormer in order to provide a secure system for accessing and moving those records among authorized parties (see Vesper [0006]). Stalling teaches: [generating the cryptographic hash] based on appending common values in the selected fields for the distinct set and a cryptographic key (See Stalling [0080] the system can replace patient information, such as patient ID, with a “mapped ID” that is an anonymized hash (see [0075] for a description of the hash function). [0081] the system generates the same mapped id, if the input is the same. this means that two images belonging to the same patient can be exported independently, and without storing the mapped ID, both images will have the same mapped ID. This means the mapped ID is based on common PHI fields.). The system of Stalling is applicable to the disclosure of Dormer in view of Vesper as they both share characteristics and capabilities, namely, they are directed to collecting an displaying medical images. It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Dormer in view of Vesper to include mapping medical documents with unique hashes as taught by Stalling. One of ordinary skill in the art before the effective filing date of the claimed invention would have been motivated to modify Dormer in order so that two images belonging to the same patient can be exported independently, and without storing the mapped ID, both images will have the same mapped ID (see Stalling [0081]). Regarding claim 19, Dormer in view of Vesper and Stalling discloses the method of claim 18 as discussed above. Claim 19 recites a non-transitory computer-readable storage medium having processor-executable instructions stored thereon that, when executed, cause at least one computer processor to perform a method substantially similar to the method performed by the system of claim 18. Accordingly, claim 19 is rejected based on the same analysis. Claims 10-12 are rejected under pre-AIA 35 U.S.C. 103 as being unpatentable over Dormer et al. (U.S. 2017/0076043), hereinafter “Dormer,” in view of Vesper et al. (U.S. 2011/0153351), hereinafter “Vesper,” and Stalling et al. (U.S. 2016/0342738), hereinafter “Stalling,” and further in view of Douglas (U.S. 2016/0147944), hereinafter “Douglas.” Regarding claim 10, Dormer in view of Vesper and Stalling discloses the method of claim 1 as discussed above. Dormer further discloses a method, wherein: the requesting the PHI data associated with the requested medical study from the PHI system includes: sending to a server of the PHI system, by the at least one processor of the ASP system, an HTTPS … request for the PHI data associated with the requested medical study, wherein the sending the requested PHI data to the ASP system is in response to the HTTPS … sent to the server of the PHI system (See Dormer [0333] the system can use HTTPS protocol for all communication inside and outside the medical provider’s network.). Dormer does not disclose: the HTTPS is a long polling protocol, … wherein the server of the PHI system holds the request open until the PHI data associated with the requested medical study is available. Douglas teaches: the HTTPS is a long polling protocol, … wherein the server of the PHI system holds the request open until the PHI data associated with the requested medical study is available (See Douglas [0063] the system can use long polling to assist in receiving medical records.). The system of Douglas is applicable to the disclosure of Dormer in view of Vesper and Stalling as they all share characteristics and capabilities, namely, they are directed to de-identifying and collecting medical data. Douglas shows that the use of long polling for server communication was known in the art before the effective filing date of the claimed inventions. Since each individual element and its function are shown in the prior art, albeit shown in separate references, the difference between the claimed subject matter and the prior art rests not on any individual element or function but in the very combination itself, that is in the substitution of the long polling of Douglas for the generic HTTPs protocol of Dormer. Thus, the simple substitution of one known element for another producing a predictable result renders the claim obvious. Regarding claim 11, Dormer in view of Vesper and Stalling discloses the method of claim 1 as discussed above. Dormer further discloses a method, comprising: the sending the requested PHI data to the ASP system includes: sending, by the at least one processor of the PHI system, the requested PHI data to the ASP system in response to an HTTPS … request sent to a server of the PHI system from the ASP system (See Dormer [0333] the system can use HTTPS protocol for all communication inside and outside the medical provider’s network.). Dormer does not disclose: the HTTPS is a long polling protocol. Douglas teaches: the HTTPS is a long polling protocol (See Douglas [0063] the system can use long polling to assist in receiving medical records.). The system of Douglas is applicable to the disclosure of Dormer in view of Vesper and Stalling as they all share characteristics and capabilities, namely, they are directed to de-identifying and collecting medical data. Douglas shows that the use of long polling for server communication was known in the art before the effective filing date of the claimed inventions. Since each individual element and its function are shown in the prior art, albeit shown in separate references, the difference between the claimed subject matter and the prior art rests not on any individual element or function but in the very combination itself, that is in the substitution of the long polling of Douglas for the generic HTTPs protocol of Dormer. Thus, the simple substitution of one known element for another producing a predictable result renders the claim obvious. Regarding claim 12, Dormer in view of Vesper and Stalling discloses the method of claim 1 as discussed above. Dormer further discloses a method, wherein: in response to the receiving the PHI data from the PHI system, immediately sending to the PHI system, by the at least one processor of the ASP system, another HTTPS … request for new PHI data from the PHI system over the at least one communications network (See Dormer [0333] the system can use HTTPS protocol for all communication inside and outside the medical provider’s network. This includes subsequent requests for data.). Dormer does not disclose: the HTTPS is a long polling protocol. Douglas teaches: the HTTPS is a long polling protocol (See Douglas [0063] the system can use long polling to assist in receiving medical records.). The system of Douglas is applicable to the disclosure of Dormer in view of Vesper and Stalling as they all share characteristics and capabilities, namely, they are directed to de-identifying and collecting medical data. Douglas shows that the use of long polling for server communication was known in the art before the effective filing date of the claimed inventions. Since each individual element and its function are shown in the prior art, albeit shown in separate references, the difference between the claimed subject matter and the prior art rests not on any individual element or function but in the very combination itself, that is in the substitution of the long polling of Douglas for the generic HTTPs protocol of Dormer. Thus, the simple substitution of one known element for another producing a predictable result renders the claim obvious. Response to Arguments Applicant's arguments filed 22 December 2025, with respect to the 35 U.S.C. §101 rejection of the claims, have been fully considered but they are not persuasive. Applicant argues that the inclusion of encryption and hashing integrate the abstract idea into a practical application (see Applicant Remarks page 11). This is not persuasive. The elements related to hashing and encryption, as currently presented, recite an abstract idea falling into the category of mathematical concepts. Therefore, as part of the recited abstract idea, these elements cannot integrate the abstract idea into a practical application. Further, the additional elements that are recited in the claims merely reciting the words ‘‘apply it’’ (or an equivalent) with the judicial exception, or merely including instructions to implement an abstract idea on a computer, or merely using a computer as a tool to perform an abstract idea (see MPEP 2106.05(f)). There are no additional elements present in the claims that integrate the abstract idea into a practical application or amount to significantly more than the abstract idea. Accordingly, the claims remain rejected as being directed to ineligible subject matter. Applicant’s arguments, filed 22 December 2025, with respect to the 35 U.S.C. §103 rejection of the claims, have been fully considered and are persuasive. Therefore, the rejection has been withdrawn. However, upon further consideration, a new ground(s) of rejection is made in view of the newly cited portions of the Vesper and Stalling reference. Examiner further notes, in response to applicant's arguments against the references individually, one cannot show nonobviousness by attacking references individually where the rejections are based on combinations of references. See In re Keller, 642 F.2d 413, 208 USPQ 871 (CCPA 1981); In re Merck & Co., 800 F.2d 1091, 231 USPQ 375 (Fed. Cir. 1986). Conclusion The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. Patti (U.S. 2016/0224805) discloses a system and method for anonymized medical data analysis. Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action. Accordingly, THIS ACTION IS MADE FINAL. See MPEP § 706.07(a). Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a). A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action. In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any nonprovisional extension fee (37 CFR 1.17(a)) pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action. In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action. Any inquiry concerning this communication or earlier communications from the examiner should be directed to BENJAMIN L HANKS whose telephone number is (571)270-5080. The examiner can normally be reached Monday-Friday 8am-5pm. Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice. If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Shahid Merchant can be reached at (571) 270-1360. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300. Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000. /B.L.H./Examiner, Art Unit 3684 /KENNETH BARTLEY/Primary Examiner, Art Unit 3684