DETAILED ACTION
This Non-Final Office Action is in response to Applicant's amendments and arguments and request for continued examination filed on November 04, 2025. Applicant has amended claims 21 and 32. Currently, claims 21-40 are pending. The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
Continued Examination Under 37 CFR 1.114
A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection. Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114. Applicant's submission filed on 11/4/25 has been entered.
Response to Amendments
The 35 U.S.C. 101 rejection of claims 21-40 is maintained in light of applicant’s amendments to claims 21 and 32.
The 35 U.S.C. 103 rejection of claims 21-40 is maintained in light of applicant’s amendments to claims 21 and 32.
Response to Arguments
Applicant’s remarks submitted on 11/4/25 have been considered but are not persuasive. Applicant argues on p. 7 of the remarks that the 101 rejection is improper. Examiner disagrees. Applicant argues on p. 8 of the remarks that the office action is silent on how the limitations of the claims interact with and impact each other. Examiner disagrees and notes that the office action explicitly noted that the additional elements were considered both individually and in combination. Applicant argues on p. of the remarks that the claims recite an improvement over prior art systems by using a machine learning model to determine a risk value for each of a plurality of questions of an audit of a healthcare site. Examiner disagrees and notes that the claims are an improvement over using a model to determine a risk value for each of a plurality of questions of an audit for healthcare sites, at least some of the questions corresponding to one or more policy requirements for healthcare sites, the model being trained using data regarding past audits for noncompliant healthcare sites and healthcare sites that experienced risk events, the model configured to assign relatively high risk values for questions that are more likely to be associated with a risk event or noncompliance of healthcare sites and questions that correspond to a greater number of policy requirements for healthcare sites; receiving a plurality of responses associated with the audit of a healthcare site, the plurality of responses corresponding to the plurality of questions; determining a status for each of the plurality of responses, the status including a deficient status or an improvement required status; and calculating a deficiency score for the healthcare site based on a first quantity of a subset of the plurality of responses indicating a deficient status for the healthcare site by summing risk values associated with the subset of the plurality of responses indicating the deficient status using the risk values that were determined for the plurality of questions corresponding to the plurality of responses indicating the deficient status, and a second quantity of a subset of the plurality of responses indicating an improvement required status for the healthcare site by summing risk values associated with the subset of the plurality of responses indicating the improvement required status using the risk values that were determined for the plurality of questions corresponding to the plurality of responses indicating the improvement required status. This is an improvement to an abstract idea and not an improvement to a computer or another technology. Although applicant’s claims recite machine learning, machine learning is a tool for implementing the abstract idea and not what is being improved. Therefore, the 101 rejections are maintained. Applicant further argues on p. 10 of the remarks that the 103 rejections are improper. Examiner disagrees. Applicant argues on p. 11 of the remarks that Kulkarni does not show risk values determined by the machine learning model for the plurality of questions.
Examiner notes the obviousness rejection is based on a combination of references. Biswas is the secondary reference which at para [0041]-[0054] shows risk level and score determined by responses to audit and at para [0015] shows employing machine learning to classify the data and generate the risk score where it would be obvious to one of ordinary skill in the art that the classification could be the privacy violation/deficient status from Kulkarni and where it would be obvious to one of ordinary skill in the art that the classification could be the new baseline/improvement requirement status from Kulkarni. Therefore, the 103 rejections are maintained.
Claim Rejections - 35 USC § 101
35 U.S.C. 101 reads as follows:
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.
Claims 21-40 are clearly drawn to at least one of the four categories of patent eligible subject matter recited in 35 U.S.C. 101 (system and method). Claims 21-40 are rejected under 35 U.S.C. 101 because the claimed invention is directed to a judicial exception (i.e., a law of nature, a natural phenomenon, or an abstract idea) without significantly more. Claims 21 and 32 recite the abstract idea of using a model to determine a risk value for each of a plurality of questions of an audit for healthcare sites, at least some of the questions corresponding to one or more policy requirements for healthcare sites, the model being trained using data regarding past audits for noncompliant healthcare sites and healthcare sites that experienced risk events, the model configured to assign relatively high risk values for questions that are more likely to be associated with a risk event or noncompliance of healthcare sites and questions that correspond to a greater number of policy requirements for healthcare sites; receiving a plurality of responses associated with the audit of a healthcare site, the plurality of responses corresponding to the plurality of questions; determining a status for each of the plurality of responses, the status including a deficient status or an improvement required status; and calculating a deficiency score for the healthcare site based on a first quantity of a subset of the plurality of responses indicating a deficient status for the healthcare site by summing risk values associated with the subset of the plurality of responses indicating the deficient status using the risk values that were determined for the plurality of questions corresponding to the plurality of responses indicating the deficient status, and a second quantity of a subset of the plurality of responses indicating an improvement required status for the healthcare site by summing risk values associated with the subset of the plurality of responses indicating the improvement required status using the risk values that were determined for the plurality of questions corresponding to the plurality of responses indicating the improvement required status. The claims are directed to a type of risk score determination. Under prong 1 of Step 2A, these claims are considered abstract because the claims are certain methods of organizing human activity such as fundamental economic practices (including mitigating risk) and commercial actions (business relations). Applicant’s claims show a risk score determination based on business data, which can be considered a type of mitigating a risk because that is the purpose of understanding a risk score of a healthcare site, and because the determination about the business is based on various commercial actions such as what the responses about the health site are indicating. Under prong 2 of Step 2A, the judicial exception is not integrated into a practical application because the claims (the judicial exception and any additional elements individually or in combination, such as a system comprising: a processor; and a memory storing instructions which, when executed by the processor, cause the processor to perform steps, and a model that is a machine learning model, and determining risk values by the machine learning model) are not an improvement to a computer or a technology, the claims do not apply the judicial exception with a particular machine, the claims do not effect a transformation or reduction of a particular article to a different state or thing, nor do the claims apply the judicial exception in some other meaningful way beyond generally linking the use of the judicial exception to a particular technological environment, such that the claims as a whole are more than a drafting effort designed to monopolize the exception.
These limitations at best merely implement an abstract idea on a computer, or merely use a computer as a tool to perform an abstract idea - see MPEP 2106.05(f). Under Step 2B, the claims do not include additional elements that are sufficient to amount to significantly more than the judicial exception because the additional elements individually or in combination, such as a system comprising: a processor; and a memory storing instructions which, when executed by the processor, cause the processor to perform steps, and a model that is a machine learning model, and determining risk values by the machine learning model (as evidenced by para [0048], [0086]-[0097] of applicant’s own specification), are well understood, routine and conventional in the field. Dependent claims 22-31, 33-40 also do not include additional elements that are sufficient to amount to significantly more than the judicial exception because the additional elements either individually or in combination are merely an extension of the abstract idea itself by further showing wherein the deficiency score is calculated by applying a first weight to the first quantity and a second weight to the second quantity; wherein the deficient status includes a response indicating that a condition corresponding to the response does not comply with requirements for the condition; wherein improvement required status includes a response indicating that a condition corresponding to the response currently complies with requirements for the condition, but required correction before achieving compliance; calculate a total score for the healthcare site based on a third quantity of the plurality of responses and a fourth quantity of a subset of the plurality of responses indicating an inapplicable status, and calculate a risk score for the healthcare site based on the deficiency score and the total score; wherein the risk score is calculated by: subtracting the fourth quantity from the third quantity; and dividing the deficiency score by the total score; wherein at least one of the third quantity is calculated by summing risk values associated with the plurality of responses, and the fourth quantity is calculated by summing risk values associated with the subset of the plurality of responses indicating the inapplicable status; combine the risk score with a plurality of additional risk scores associated with additional healthcare sites to generate an aggregate risk score; combine the risk score with at least one previous risk score associated with the healthcare site to generate a risk trend measurement for the healthcare site; and wherein the steps include receiving a first plurality of responses associated with a regional audit of the healthcare site and a second plurality of responses associated with an on-site audit, and are performed twice to calculate a first deficiency score based on the first plurality of responses and a second deficiency score based on the second plurality of responses, and combining the first deficiency score and the second deficiency score to generate an overall deficiency score for the healthcare site.
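The scoring arithmetic recited in the independent and dependent claims above (deficiency score from weighted sums of per-question risk values, total score with inapplicable responses removed, risk score as the ratio, plus the aggregate and trend measures) written out as a runnable example. This is added illustration, not code from the application or from any cited reference; the per-question risk values are a constructed table standing in for the output of the claimed machine learning model, and the statuses, weights, sample responses and function names are assumptions.

```python
"""Worked example of the claimed audit risk scoring (added illustration).

Assumptions (not from the Office Action): a per-question risk table
stands in for the trained model's output; status names, weights and
sample responses are constructed.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Dict, Iterable, List, Sequence


class Status(Enum):
    COMPLIANT = "compliant"
    DEFICIENT = "deficient"                      # does not comply
    IMPROVEMENT_REQUIRED = "improvement_required"  # complies, correction needed
    INAPPLICABLE = "inapplicable"                # n/a, excluded from totals


@dataclass(frozen=True)
class Response:
    question_id: str
    status: Status


def _sum_risk(responses: Iterable[Response], risk_values: Dict[str, float],
              status: Status = None) -> float:
    """Sum the model-assigned risk values of responses with the given status
    (all responses when status is None)."""
    return float(sum(risk_values[r.question_id] for r in responses
                     if status is None or r.status is status))


def deficiency_score(responses: Sequence[Response], risk_values: Dict[str, float],
                     first_weight: float = 1.0, second_weight: float = 1.0) -> float:
    """First quantity: summed risk of deficient responses; second quantity:
    summed risk of improvement-required responses; weighted per claims 22/33."""
    first = _sum_risk(responses, risk_values, Status.DEFICIENT)
    second = _sum_risk(responses, risk_values, Status.IMPROVEMENT_REQUIRED)
    return first_weight * first + second_weight * second


def total_score(responses: Sequence[Response], risk_values: Dict[str, float]) -> float:
    """Third quantity (risk summed over all responses) minus fourth quantity
    (risk summed over inapplicable responses), per claims 25-27."""
    third = _sum_risk(responses, risk_values)
    fourth = _sum_risk(responses, risk_values, Status.INAPPLICABLE)
    return third - fourth


def risk_score(responses: Sequence[Response], risk_values: Dict[str, float],
               first_weight: float = 1.0, second_weight: float = 1.0,
               adjustment: float = 0.0) -> float:
    """Deficiency score divided by total score, each reduced by an optional
    adjustment value before dividing (claims 34, 36-38)."""
    numerator = deficiency_score(responses, risk_values, first_weight, second_weight) - adjustment
    denominator = total_score(responses, risk_values) - adjustment
    if denominator <= 0:
        # Edge case: every applicable question was excluded or the adjustment
        # consumed the total; the ratio is undefined rather than zero.
        raise ValueError("total score is not positive; no applicable responses")
    return numerator / denominator


def aggregate_risk_score(site_scores: Sequence[float]) -> float:
    """Combine several sites' risk scores (mean is an assumed combination)."""
    return sum(site_scores) / len(site_scores)


def risk_trend(current: float, previous: float) -> float:
    """Risk trend measurement: change versus a previous score for the site."""
    return current - previous


# Constructed sample data: five audit questions with model-assigned risk values.
RISK_VALUES: Dict[str, float] = {"Q1": 3.0, "Q2": 5.0, "Q3": 2.0, "Q4": 4.0, "Q5": 1.0}
SAMPLE: List[Response] = [
    Response("Q1", Status.DEFICIENT),
    Response("Q2", Status.IMPROVEMENT_REQUIRED),
    Response("Q3", Status.INAPPLICABLE),
    Response("Q4", Status.COMPLIANT),
    Response("Q5", Status.DEFICIENT),
]

if __name__ == "__main__":
    print("deficiency:", deficiency_score(SAMPLE, RISK_VALUES))   # (3+1) + 5 = 9
    print("total:", total_score(SAMPLE, RISK_VALUES))             # 15 - 2 = 13
    print("risk:", risk_score(SAMPLE, RISK_VALUES))               # 9/13
    print("risk (w1=2):", risk_score(SAMPLE, RISK_VALUES, 2.0, 1.0))  # 13/13 = 1.0
```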
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
This application currently names joint inventors. In considering patentability of the claims the examiner presumes that the subject matter of the various claims was commonly owned as of the effective filing date of the claimed invention(s) absent any evidence to the contrary. Applicant is advised of the obligation under 37 CFR 1.56 to point out the inventor and effective filing dates of each claim that was not commonly owned as of the effective filing date of the later invention in order for the examiner to consider the applicability of 35 U.S.C. 102(b)(2)(C) for any potential 35 U.S.C. 102(a)(2) prior art against the later invention.
Claims 21-22 and 32-33 are rejected under 35 U.S.C. 103 as being unpatentable over Kulkarni (US 2013/0297346 A1) in view of Biswas et al. (US 2020/0273046 A1) (hereinafter Biswas) in view of Perlroth et al. (US 2017/0262609 A1) (hereinafter Perlroth).
Claims 21 and 32:
Kulkarni, as shown, discloses the following limitations of claims 21 and 32:
A system (and corresponding method) comprising: a processor; and a memory storing instructions which, when executed by the processor, cause the processor to (see para [0010], [0036] - showing equivalent computer structure for implementing system):
(b) receive a plurality of responses associated with the audit of a healthcare site, the plurality of responses corresponding to the plurality of questions (see para [0005], "The Healthcare Privacy Violation Detection System (HPV-DS) serves as a central point for investigative and auditing capability for HIPAA and HITECH or other compliance requirements on storing and accessing patient PHI, enabling healthcare providers to quickly and accurately monitor breaches within their systems. HPV-DS relies on past trends of authorized users in a healthcare facility to determine if an access was appropriate. Any outlier is reported, and all access that fit within normal activity are stored, but are not reported, so only the necessary occurrences are pointed out to authorities for review. The healthcare privacy violation detection system (HPV-DS) uses a healthcare facility's audit logs and non-healthcare audit logs to detect and report an authorized user's abnormal and potentially unauthorized access to a patient's personal health information (PHI)." where logs can be considered responses);
the status including a deficient status or an improvement required status (see para [0011], where privacy violation is considered a deficient status given broadest reasonable interpretation and see para [0028], where the new baseline based on the new user data can be considered an improvement required status given broadest reasonable interpretation);
(d) calculate a deficiency score for the healthcare site based on a first quantity of a subset of the plurality of responses indicating a deficient status for the healthcare site by summing risk values associated with the subset of the plurality of responses indicating the deficient status, and a second quantity of a subset of the plurality of responses indicating an improvement required status for the healthcare site by summing risk values associated with the subset of the plurality of responses indicating the improvement required status (see para [0011], "The method can also include weighting the cumulative risk score according to a percentage of matching parameters, and/or weighting the risk score for each parameter based on a different risk of privacy violation for a particular parameter, and/or adding audit log parameters generated by the unknown authorized user to the new set of baseline parameters for the unknown authorized user for a predefined time frame, and/or a learning engine routine including creating and storing a new set of baseline parameters for an unknown authorized user when the audit log is generated by an unknown authorized user." where a privacy violation can be considered a deficient status and see para [0028], where the new baseline based on the new user data can be considered an improvement required status and see para [0032], "Parameter matches are scored and these risk scores are added together").
Kulkarni, however, does not specifically disclose using a machine learning model to determine a risk value for each of the plurality of questions. In analogous art, Biswas discloses the following limitations:
(a) use a machine learning model to determine a risk value for each of a plurality of questions of an audit for healthcare sites, at least some of the questions corresponding to one or more policy requirements for healthcare sites, the machine learning model being trained using data regarding past audits for noncompliant healthcare sites and healthcare sites that experienced risk events (see para [0015], "The regulatory compliance assessment system monitors the multiple data source systems, extracts the regulatory-related data, and employs machine learning methodologies (e.g., heuristic pattern matching and multi-dimensional neural network processing) to classify the regulatory-related data for use in generating the risk compliance index score. In an embodiment, the regulatory compliance assessment system is configured to execute simulations associated with the risk compliance index score by modifying one or more data points contributing to the risk compliance index score to identify or predict one or more actions that can be taken by the entity to improve the risk compliance index score. The risk compliance score of entities in a specific industry segment (e.g. pharmaceutical industry) can be compared and presented at the industry level risk compliance score." and see para [0028], "the data classification module 126 of the machine learning component 124 is configured to analyze the extracted data elements of the collected regulatory-related data to classify the data based on a control type. Example control types include ... an investigation control type (e.g., internal audits, tracking of non-conformance to process, corrective actions, quality assurance)," and see para [0089], ", the historical audit data can be analyzed by the regulatory compliance assessment system 520 to generate a factor for use in determining a risk compliance index score for the entity based on multiple question sets (e.g., sets or questionnaires including 1,000 or more questions), multiple different function types (e.g., 20 or more function types) and multiple different countries (e.g., 30 or more countries) determined and collected in accordance with a collection frequency (e.g., 10,000 or more times per year). In an embodiment, the historical audit data can be stored for many years." and see para [0029], [0062]-[0063], [0068], [0088]),
(c) determine a status for each of the plurality of responses (see para [0041]-[0042], where the status of the answer can be positive, negative, yes, no, or partial);
using the risk values that were determined by the machine learning model for the plurality of questions corresponding to the plurality of responses indicating the deficient status (see para [0041]-[0054], showing risk level and score determined by responses to audit and see para [0015] showing employing machine learning to classify the data and generate the risk score where it would be obvious to one of ordinary skill in the art that the classification could be the privacy violation/deficient status from Kulkarni);
using the risk values that were determined by the machine learning model for the plurality of questions corresponding to the plurality of responses indicating the improvement required status (see para [0041]-[0054], showing risk level and score determined by responses to audit and see para [0015] showing employing machine learning to classify the data and generate the risk score where it would be obvious to one of ordinary skill in the art that the classification could be the new baseline/improvement required status from Kulkarni).
It would have been obvious to a person of ordinary skill in the art at the time the invention was made to combine the teachings of Biswas with Kulkarni because using machine learning to determine a risk value for the questions enables more effective auditing by enabling different types of compliance maturity levels for the audits (see Biswas, para [0001]-[0002]).
Moreover, it would have been obvious to one of ordinary skill in the art at the time of the invention to include the business risk prediction system as taught by Biswas in the method for detecting privacy violations as taught by Kulkarni since the claimed invention is merely a combination of old elements, and in the combination each element merely would have performed the same function as it did separately, and one of ordinary skill in the art would have recognized that the results of the combination were predictable.
Kulkarni and Biswas do not specifically disclose the machine learning model configured to assign relatively high risk values for questions that are more likely to be associated with a risk event or noncompliance. In analogous art, Perlroth discloses the following limitations:
the machine learning model configured to assign relatively high risk values for questions that are more likely to be associated with a risk event or noncompliance of healthcare sites and questions that correspond to a greater number of policy requirements for healthcare sites (see para [0056]-[0058], "To accurately determine the patient's behavioral health risk, the risk assessment service 140 selects 430 a sequence of personalized and adaptive screening questions for the patient. For example, the machine learning module 320 of the risk assessment service 140 trains the patient screener model 310 to select the sequence of customized questions from multiple candidate questions; a subsequent question in the sequence is selected based on the patient's answer to the previously presented screening question. Upon receiving the patient's answers to the sequence of screening questions, the risk assessment service 140 compares 440 the user responses with one or more clinically derived risk baselines for common behavioral health conditions and determines 450 the patient's behavioral health risk. Depending on the determined risk, the risk assessment service 140 refers 470 the patient to an appropriate health care provider for treatment. For example, if the patient was an elderly person determined to have a severe risk of developing depression, then the risk assessment service 140 may refer the patient to a psychiatrist who specializes in treating depression for the elderly. Responsive to receiving activity and sleep monitoring data of the patient, the risk assessment service 140 updates 460 machine learning models in the patient's personalized risk assessment module 300 by analyzing the contribution to the behavioral health risk from the received activity and sleep monitoring data. In one embodiment, the risk assessment service 140 uses a patient's answers to the sequence of screening questions and/or the determined behavioral health risk for the patient to categorize the patient as a high (or low) cost individual. In particular, a patient with a high risk for a behavioral health condition is likely to incur high health care costs due to their behavioral health condition, e.g., emergency room or intensive outpatient partial hospitalization programs. Further, the risk assessment service 140 can also categorize the patient's risk for low productivity and/or low functionality due to behavioral health. For example, a patient who has a high risk for alcoholism is more likely to have lower productivity on a job due to absenteeism (i.e., productivity lost by not showing up to work) and/or presenteeism (i.e., productivity lost by showing up to work, but not being fully functional)." where it would be obvious to one of ordinary skill in the art that the same process for assigning risk for questions related to a person could be used for a site, and because healthcare site risk using questions is considered in Kulkarni (para [0005], [0011]) and Biswas (para [0005], [0041]) and thus could be used with the machine learning model for patient risk shown in Perlroth to show risk for health care sites in a similar fashion);
It would have been obvious to a person of ordinary skill in the art at the time the invention was made to combine the teachings of Perlroth with Kulkarni and Biswas because assigning risk based on the questions can enable more adaptive assessment based on responses (see Perlroth, para [0001]-[0003]).
Moreover, it would have been obvious to one of ordinary skill in the art at the time of the invention to include the risk assessment system as taught by Perlroth in the Kulkarni and Biswas combination since the claimed invention is merely a combination of old elements, and in the combination each element merely would have performed the same function as it did separately, and one of ordinary skill in the art would have recognized that the results of the combination were predictable.
Claims 22 and 33:
Further, Kulkarni discloses the following limitations:
wherein the deficiency score is calculated by applying a first weight to the first quantity and a second weight to the second quantity (see para [0011], "The method can also include weighting the cumulative risk score according to a percentage of matching parameters, and/or weighting the risk score for each parameter based on a different risk of privacy violation for a particular parameter, and/or adding audit log parameters generated by the unknown authorized user to the new set of baseline parameters for the unknown authorized user for a predefined time frame, and/or a learning engine routine including creating and storing a new set of baseline parameters for an unknown authorized user when the audit log is generated by an unknown authorized user.")
Claims 23-24 are rejected under 35 U.S.C. 103 as being unpatentable over Kulkarni, Biswas, and Perlroth, as applied above, and further in view of Brannon et al. (US 2022/0035896 A1) (hereinafter Brannon).
Claims 23-24:
Kulkarni, Biswas, and Perlroth do not specifically disclose wherein the deficient status includes a response indicating that a condition corresponding to the response does not comply with requirements for the condition. In analogous art, Brannon discloses the following limitations:
wherein the deficient status includes a response indicating that a condition corresponding to the response does not comply with requirements for the condition (see para [0466], "the system may then be configured to calculate an updated vendor risk score based, at least in part, on one or more pieces of the updated information. In any embodiment described herein, the system may be configured to determine whether the one or more pieces of updated information are sufficient to demonstrate continued compliance, by the vendor, with one or more obligations under one or more privacy laws, standards and/or regulations, one or more obligations under one or more vendor contracts, etc.")
wherein improvement required status includes a response indicating that a condition corresponding to the response currently complies with requirements for the condition, but required correction before achieving compliance (see para [0219]-[0228], showing gap analysis and recommended steps are part of the analysis based on the initial assessment and see para [0093], showing assessment is a risk rating)
It would have been obvious to one of ordinary skill in the art at the time of the invention to include the system for assessing vendor risk as taught by Brannon in the Kulkarni, Biswas and Perlroth combination since the claimed invention is merely a combination of old elements, and in the combination each element merely would have performed the same function as it did separately, and one of ordinary skill in the art would have recognized that the results of the combination were predictable.
Claims 25-28, 34-40 are rejected under 35 U.S.C. 103 as being unpatentable over Kulkarni, Biswas, and Perlroth, as applied above, and further in view of Osborn et al. (US 2007/0239495 A1) (hereinafter Osborn).
Claims 25-26, 28, 35:
Further, Kulkarni discloses the following limitations:
calculate a total score for the healthcare site based on a third quantity of the plurality of responses and a fourth quantity of a subset of the plurality of responses indicating an inapplicable status (see para [0013], "discarding parameters considered to be irrelevant to a risk of privacy violation" and see para [0025], where the normalized data after discarding can be considered the total score); and
calculate a risk score for the healthcare site based on the deficiency score and the total score (see para [0010], "adding together all of the risk scores to determine a cumulative risk score.")
Although discarding parameters can be considered an inapplicable status, it is not explicit in Kulkarni, Biswas, and Perlroth. In analogous art, Osborn discloses the following limitations:
a subset of the plurality of responses indicating an inapplicable status (see para [0048], "Not applicable ("n/a") responses are thrown out (excluded from all further calculations).")
wherein the risk score is calculated by: subtracting the fourth quantity from the third quantity (see para [0069], where throwing out can be considered subtract where a total weighting of 100% would show the total score); and
dividing the deficiency score by the total score (see para [0069]-[0073], showing use of division and ratios on the responses are well known for determining metrics).
combine the risk score with a plurality of additional risk scores associated with additional healthcare sites to generate an aggregate risk score (see para [0078]-[0079], showing aggregating of individual assessments)
It would have been obvious to a person of ordinary skill in the art at the time the invention was made to combine the teachings of Osborn with Kulkarni, Biswas, and Perlroth because an inapplicable status indication in a risk assessment helps ensure that resources are not expended ineffectively on the risk control efforts (see Osborn, para [0007]-[0008]).
Moreover, it would have been obvious to one of ordinary skill in the art at the time of the invention to include the application risk and control assessment tool as taught by Osborn in the Kulkarni, Biswas, and Perlroth combination since the claimed invention is merely a combination of old elements, and in the combination each element merely would have performed the same function as it did separately, and one of ordinary skill in the art would have recognized that the results of the combination were predictable.
Claims 27 and 40:
Further, Kulkarni discloses the following limitations:
wherein at least one of the third quantity is calculated by summing risk values associated with the plurality of responses, and the fourth quantity is calculated by summing risk values associated with the subset of the plurality of responses indicating the inapplicable status (see para [0032], "Parameter matches are scored and these risk scores are added together")
Claims 34, 36-38:
Kulkarni, Biswas, and Perloth do not specifically disclose wherein the first weight is greater than the second weight. Osborn discloses the following limitations:
wherein the first weight is greater than the second weight (see para [0066]-[0067], showing flexibility where the weights can be modified and depend on how important each is, which shows that doubling, or the second being greater than the first, are possible weightings)
wherein the total score is calculated by subtracting the fourth quantity from the third quantity (see para [0069], where throwing out can be considered subtracting, where a total weighting of 100% would show the total score)
wherein the risk score is calculated by dividing the deficiency score by the total score (see para [0069]-[0073], showing that the use of division and ratios on the responses is well known for determining metrics)
wherein the risk score is calculated by subtracting an adjustment value from each of the deficiency score and the total score prior to dividing (see para [0069]-[0073], showing that the use of division and ratios on the responses is well known for determining metrics, and see para [0066], showing a gap is used between risk and control score)
It would have been obvious to one of ordinary skill in the art at the time of the invention to include the application risk and control assessment tool as taught by Osborn in the Kulkarni, Biswas, and Perloth combination since the claimed invention is merely a combination of old elements, and in the combination each element merely would have performed the same function as it did separately, and one of ordinary skill in the art would have recognized that the results of the combination were predictable.
Claim 39:
Further, Kulkarni discloses the following limitations:
wherein the adjustment value is determined based on the total score and a configurable value (see para [0028], "The patterns to be considered for creating a baseline may consist of previously configured criteria such as last logon time, location used from, normal patients viewed, systems the authorized user normally accesses, typical times of day authorized user uses a system, time spend on a system, patient records typically viewed, department authorized user works in, etc. many more such parameters may be added to the pattern list to suit the reporting needs of the facility.")
Claims 29-31 are rejected under 35 U.S.C. 103 as being unpatentable over Kulkarni, Biswas, Perlroth, and Osborn, as applied above, and further in view of Brannon.
Claims 29-30:
Kulkarni, Biswas, Perloth and Osborn do not specifically disclose combining the risk score with at least one previous risk score associated with the healthcare site to generate a risk trend measurement for the healthcare site. In analogous art, Brannon discloses the following limitations:
combine the risk score with at least one previous risk score associated with the healthcare site to generate a risk trend measurement for the healthcare site (see para [0280], "the system is adapted for automatically measuring the privacy of a business group, or other group, within a particular organization that is using the system. This may provide an automated way of measuring the privacy maturity, and one or more trends of change in privacy maturity of the organization, or a selected sub-group of the organization." and see para [0557], showing healthcare as a business sector that can be integrated)
wherein (b) includes receiving a first plurality of responses associated with a regional audit of the healthcare site (see para [0569], "In various embodiments, the system may be configured to generate a master questionnaire at any appropriate time. For example, in a particular embodiment, the system may prompt a user to indicate one or more territories (e.g., regions, jurisdictions, and/or countries) and/or sectors in which an entity is doing business and, at least partially in response to receiving the user's input, generate a threshold list of questions that the system may then use to determine which territories require disclosure of a particular data breach. In another particular embodiment, the system may prompt a user to indicate one or more territories (e.g., regions, jurisdictions, and/or countries) and/or sectors affected (e.g., potentially affected) by a particular data breach and, at least partially in response to receiving the user's input, generate a threshold list of questions that the system may then use to determine which territories affected by the data breach require disclosure of the data breach." and see para [0560]) and a second plurality of responses associated with an on-site audit (see para [130], "As shown in FIG. 3, a variety of different parties may access the data, and the data may be stored in any of a variety of different locations, including on-site, or in “the cloud”, i.e., on remote servers that are accessed via the Internet or other suitable network." and see para [0596], "each particular question may be answered with: (1) unsubstantiated data provided by the entity or vendor; (2) data that is substantiated via a remote interview; or (3) data that is substantiated by an on-site audit."), and wherein (c) and (d) are performed twice to calculate a first deficiency score based on the first plurality of responses and a second deficiency score based on the second plurality of responses (see para [0264], "Each customer can weight each question within an assessment as desired and set up addition/multiplication logic to determine an aggregated risk score that takes into account the customized weightings given to each question within the assessment." and see para [0415], "the system may be configured to determine an overall risk rating for a particular vendor based on the privacy awareness rating in combination with one or more additional factors (e.g., one or more additional risk factors described herein). In any such embodiment, the system may assign one or more weighting factors or relative risk ratings to each of the privacy awareness score and other risk factors when calculating an overall risk rating. The system may then be configured to provide the risk score for the vendor, software, and/or service for use in calculating a risk of undertaking a particular processing activity that utilizes the vendor, software, and/or service (e.g., in any suitable manner described herein).").
It would have been obvious to a person of ordinary skill in the art at the time the invention was made to combine the teachings of Brannon with Kulkarni, Biswas, Perloth and Osborn because determining a trend enables users to work with vendors more likely to handle their data properly (see Brannon, para [0003]-[0005]).
Moreover, it would have been obvious to one of ordinary skill in the art at the time of the invention to include the system for assessing vendor risk as taught by Brannon in the Kulkarni, Biswas, Perloth and Osborn combination since the claimed invention is merely a combination of old elements, and in the combination each element merely would have performed the same function as it did separately, and one of ordinary skill in the art would have recognized that the results of the combination were predictable.
Claim 31:
Further, Kulkarni discloses the following limitations:
combining the first deficiency score and the second deficiency score to generate an overall deficiency score for the healthcare site (see para [0010], "adding together all of the risk scores to determine a cumulative risk score.")
Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure.
Kayser et al. (US 2019/0336085 A1): a system for assessing medical risks of a patient includes an analytics engine, equipment that provides data to the analytics engine, which analyzes the data from the equipment to determine a sepsis risk score, a falls risk score, and a pressure injury score, and displays that are communicatively coupled to the analytics engine and that display the sepsis, falls, and pressure injury risk scores.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to SUJAY KONERU whose telephone number is (571) 270-3409. The examiner can normally be reached M-F, 8:30 AM to 5 PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Patricia Munson, can be reached on 571-270-5396. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/SUJAY KONERU/
Primary Examiner, Art Unit 3624