DETAILED ACTION
This Non Final Office Action is in response to Application filed on 02/27/2025.
Claims 21-40 filed on 02/27/2025 are being considered on the merits.
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
Drawings
The drawings filed on 02/27/2025 are accepted.
Information Disclosure Statement
The information disclosure statements (IDS) submitted on 05/22/2025 have been considered. The submission is in compliance with the provisions of 37 CFR 1.97. Accordingly an initialed and dated copy of Applicant's IDS form 1449 filed 05/22/2025 are attached to the instant Office action.
Claim Objections
Claim 21 is objected to because of the following informalities:
Claim 21 includes method claim limitations with “if” conditions. Examiner submits that if the conditional limitation steps are not reached, then the remaining limitation step do not have to be performed and will render the remaining limitation not valid, therefore, it will not be required to show anticipation or obviousness for all paths of the conditional limitations. Examiner suggests replacing “if” with “when.”.
Claim 21 recites “if the original message…the host computing system if the original message is determined…”, should be “if the original message…the host computing system; if the original message is determined…”
Claim Rejections - 35 USC § 112
Claims 21-40 rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA ), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor (or for applications subject to pre-AIA 35 U.S.C. 112, the applicant), regards as the invention.
The term “appropriate” in claims 21 and 31 is a relative term which renders the claim indefinite. The term “appropriate” is not defined by the claim, the specification does not provide a standard for ascertaining the requisite degree, and one of ordinary skill in the art would not be reasonably apprised of the scope of the invention.
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all
obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the
claimed invention is not identically disclosed as set forth in section 102, if the
differences between the claimed invention and the prior art are such that the
claimed invention as a whole would have been obvious before the effective filing
date of the claimed invention to a person having ordinary skill in the art to which
the claimed invention pertains. Patentability shall not be negated by the manner
in which the invention was made.
The factual inquiries for establishing a background for determining obviousness
under 35 U.S.C. 103 are summarized as follows:
Determining the scope and contents of the prior art.
Ascertaining the differences between the prior art and the claims at issue.
Resolving the level of ordinary skill in the pertinent art.
Considering objective evidence present in the application indicating obviousness or nonobviousness.
Claims 21, 23-24, 29-31, 33-34, and 39-40 are rejected under 35 U.S.C. 103 as being unpatentable over HENNIE (US 20190287662 A1), and further in view of Akinmeji (US 20180096102 A1) and ROSENBERG (US 20200143084 A1) and Gkoulalas-Divanis (US 20190266353 A1).
Regarding claim 21 (New), HENNIE teaches a method for de-identifying identifiable information of a patient (HENNIE [0008, 0012] discloses de-identifying health information of users), the method comprising:
securely linking a client computing system to a host computing system via a communications network comprising a first interface module and a second interface module[[s]] (HENNIE [0040]; “Electronic health information transaction system 120 may include an authentication processor 124 connected to electronic health information transaction application processor 122 to generate and process authentication data associated with a user trying to access the system generated health information monetization platform. Authentication processor 124 may receive user data and user input associated with an authentication request, sent from user device 140 via communication interface 142 to authenticate the user. Authentication processor 124 may evaluate the user data and user input, and upon authentication, online registry system may transmit a secure link to user device 140 that provides access to the generated health information monetization platform.”, The client computing system corresponds to “user device 140.” The host computing system corresponds to “Electronic health information transaction system 120.” The first and second interface modules corresponds to “authentication processor 124” and “communication interface 142.”),
wherein the first interface module resides on the client computing system and the second interface module resides on the host computing system (HENNIE [0040]; “Electronic health information transaction system 120 may include an authentication processor 124 connected to electronic health information transaction application processor 122 to generate and process authentication data associated with a user trying to access the system generated health information monetization platform. Authentication processor 124 may receive user data and user input associated with an authentication request, sent from user device 140 via communication interface 142 to authenticate the user.”, The first interface modules correspond to “authentication processor 124.” The second interface modules correspond to “communication interface 142.”),
each of the first interface module and the second interface module configured to obfuscate one or more data elements of the patient (HENNIE [0008] “The data source generator may de-identify the synthesized data, and encrypt the de-identified synthesized data for transmission.”, [0083] “As soon as a user connects to the associated data source, the mobile application may upload encrypted data to the electronic health information transaction system.”, [0093] “The system may prompt a user to import data. The mobile application may communicate over secure encrypted protocols with the system, and data may be automatically loaded to the health information transaction system upon connection with the data sources upon authorization from the user to upload data to a system server.”, where transmitted and imported data between the health system and user is always encrypted/de-identified);
upon receiving an original message originating from the client computing system at either of the first interface module or the second interface module, obfuscating the one or more data elements of the patient based upon respectively populated data fields in the original message, the one or more data elements associated with the original message while maintaining a file structure from the original message;
determining, at a receiving module of the host computing system, whether the one or more data elements have been obfuscated such that the original message has been deidentified as a deidentified message whereby the patient is not identifiable by name, one or more demographics, or one or more identifiers;
if the original message is determined to have been deidentified, transmitting the deidentified message otherwise corresponding to the original message to a data storage module associated with the host computing system (HENNIE [0008] “The data source generator may de-identify the synthesized data, and encrypt the de-identified synthesized data for transmission. An electronic health information transaction processor may upload the de-identified synthesized data from the data source generator…”, [0080]; “The system may utilize a master data source generator that may take as inputs data from disparate sources, e.g., data from public databases, data from private databases, and data from users.……. Additionally, the system may also automatically de-identify data so that it is indecipherable from the standpoint of the ability to trace a particular data item to a specific subject.” [0085]; “As each data source file is uploaded, the electronic health information transaction system 410 may parse the data and build a search index. The data may be parsed such that it may be used by the Research Tool search filters to facilitate a data acquisition transaction. The index data may be stored in a data source, which may include a database.”).
if the original message is determined to have been deidentified, preventing transmittal of the original message to the data storage module and generating a notification to the client computing system; and after the original message has been deidentified as the de-identified message, determining an appropriate destination for the deidentified message and routing at least a copy of the deidentified message to the determined destination.
HENNIE does not explicitly teach the below limitations.
Akinmeji discloses upon receiving an original message originating from the client computing system at either of the first interface module or the second interface module ([0050]- [0051]; “The data may be transmitted from these computing systems 105-107 via the network 102 to the data processing system 104 implementing the monitoring/log system 150 and optionally the healthcare cognitive system 160. The sensitive patient information engine 120 may perform a scrubbing operation on the received data prior to the data being used to generate monitoring/log data in the database 152 that is accessible by users and/or algorithms/applications, which may include users and/or algorithms/applications that should not be provided access to the sensitive patient information present in the originally received data.”),
obfuscating the one or more data elements of the patient based upon respectively populated data fields in the original message, the one or more data elements associated with the original message while maintaining a file structure from the original message ([0051]-[0052]; “where the scrubbing operation is an operation for identifying the presence of sensitive patient information in the received data, determining if the sensitive patient information should be obfuscated, obfuscating the data and providing the obfuscated data to the monitoring/log system 150 for use in generating monitoring/log data in database 152, and storing the redacted sensitive patient information in a redacted patient information database 140 for later retrieval by authorized individuals. The elements 122-128 of the sensitive patient information engine 120 work together to redact sensitive patient data (also referred to a private patient information) and replace it with a data type identifier and a redacted identifier while maintaining the redacted sensitive patient data in a data structure that permits access if necessary.”)
Akinmeji is directed to a redaction of sensitive patient data and is a analogous application to HENNIE. It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified HENNIE to incorporate the teaching of Akinmeji to utilize the above feature, with the motivation of protecting the privacy of a person's medical information, as may be stored in an electronic medical record (EMR), for example, is of significant importance in any medical system to not only protect the patient but also to avoid liability under governmental law, as recognized by (Akinmeji [0016]).
HENNIE, in view of Akinmeji, does not explicitly teach the below limitations.
Gkoulalas-Divanis discloses determining, at a receiving module of the host computing system, whether the one or more data elements have been obfuscated such that the original message has been deidentified as a deidentified message whereby the patient is not identifiable by name, one or more demographics, or one or more identifiers (Gkoulalas-Divanis [0032]; “data suppression is performed only when data generalization cannot adequately de-identify a dataset.”; [0040]; “Operation 270 determines whether the dataset is sufficiently de-identified. In some embodiments, a dataset's privacy metric is compared to a pre-defined threshold to determine whether the dataset is sufficiently de-identified. The threshold may be supplied by a data owner or may be required for the dataset to comply with a particular privacy regulation or standard.”; [00041]-[0042]; “If it is determined that the dataset has been sufficiently de-identified, then de-identification method 200 proceeds to operation 280 to output the de-identified dataset……… The de-identified dataset may be stored in storage 180, database 120, or sent to user device 110.”, where the de-identification is performed on [0067] “(e.g., sensitive data (personal information (PI) including information pertaining to patients”);
if the original message is determined to have been deidentified, preventing transmittal of the original message to the data storage module and generating a notification to the client computing system (Gkoulalas-Divanis [0032]; “data suppression is performed only when data generalization cannot adequately de-identify a dataset.”; [0040]; “Operation 270 determines whether the dataset is sufficiently de-identified. In some embodiments, a dataset's privacy metric is compared to a pre-defined threshold to determine whether the dataset is sufficiently de-identified. The threshold may be supplied by a data owner or may be required for the dataset to comply with a particular privacy regulation or standard.”; [00041]-[0042]; “If it is determined that the dataset has been sufficiently de-identified, then de-identification method 200 proceeds to operation 280 to output the de-identified dataset……… The de-identified dataset may be stored in storage 180, database 120, or sent to user device 110.”; [0037]; “A data owner may also be warned that applying a particular de-identification provider may impact a dataset's utility to such an extent that the dataset will no longer support certain analytic tasks or use-cases. In some embodiments, any de-identification providers that would prevent a data owner from performing a particular analytic task or use-case on the dataset are not included in the recommendation. In some embodiments, any de-identification providers that block some analytic tasks or use-cases are highlighted so that the user is aware to avoid selecting them.”, [0036-0037] further discloses dashboard presenting the effect of each de-identification provider with respect to its associated privacy score, therefore, the method 200 prevents outputting original data de-identified data, [0041] discloses de-identifying the data, however insufficient it may be, and then may performs iteration back to 230 in Figure 2, where a recommendation notification is provided to the user in step 240 as disclosed in [0038]).
Gkoulalas-Divanis is directed to interactive execution of data de-identification processes and is a analogous application to HENNIE, in view of Akinmeji. It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified HENNIE, in view of Akinmeji, to incorporate the teaching of Gkoulalas-Divanis to utilize the above feature, with the motivation of by iterating this process with different de-identification processes, a dataset may achieve a high level of anonymization while preserving its utility, as recognized by (Gkoulalas-Divanis [0014]).
HENNIE, in view of Akinmeji and Gkoulalas-Divanis do not explicitly disclose the below limitation.
ROSENBERG discloses after the original message has been deidentified as the de-identified message, determining an appropriate destination for the deidentified message and routing at least a copy of the deidentified message to the determined destination (ROSENBERG [0053] “At step 206, the user can select the desired medical data to de-identify.”, after step 206 in Figure 2 where the medical data is de-identified, [0056]; “the de-identified medical data can be automatically routed to a pre-specified or pre-determined destination. For example, the de-identified medical data can be routed based on pre-defined routing rules, a pre-defined destination based on the user's profile, a pre-defined destination based on the recipient 112, or based on a previously utilized destination by the user.”; [0062]-[0065]; “If associated medical reports are not stored with diagnostic images within the medical data, then at step 308, the data provider 100 retrieves the associated medical reports from a corresponding storage location. In an embodiment, the corresponding storage location can be a database on the data provider 100, such as database 102, or can be located on the PACS 108, another server, distributed server system, data storage facility, or provided by another data provider.……. At step 314, the header data and the parseable document are copied and stored into a database 114, such as database 114 affiliated with recipient 112.”).
ROSENBERG is directed to systems and methods for de-identifying medical and healthcare data and is a analogous application to HENNIE, in view of Akinmeji and Gkoulalas-Divanis. It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified HENNIE, in view of Akinmeji and Gkoulalas-Divanis, to incorporate the teaching of ROSENBERG to utilize the above feature, with the motivation of to maintain patient privacy in the context of research and various third-party uses, it must be ensured that any medical information used in aggregate is not associated with any specific patient or individual, and that only authorized entities based on a patient's informed consent have access to such medical data, as recognized by (ROSENBERG [0004]).
Regarding claim 31, claim 31 is directed to a system claim that recites a similar limitation as the method of claim 21. Therefore claim 31 is rejected based on the same rational and motivation as claim 21 above.
Regarding claim 23 (New), HENNIE, in view of Akinmeji and Gkoulalas-Divanis and ROSENBERG teaches the method of claim 21.
de-identification is based on sensitive data, which is construed as pre-determined in order to identify the sensitive data. HENNIE in view of Gkoulalas-Divanis,
and ROSENBERG does not explicitly disclose the below limitation.
Akinmeji discloses wherein the respectively populated data fields in the original message are predetermined (Akinmeji [0057] “The scores generated for the data types and/or combination of data types, or an aggregation of the scores for the data types and/or combination of data types, are compared to at least one threshold by the data type scorer logic 124. If one or more of the scores, or aggregation of the scores, equal or exceed that threshold, meaning that the data types either alone or in combination are likely to be uniquely identifying of the patient, then the patient data corresponding to those data types marked for redaction by the data type scorer logic 124 such that they may be redacted and replaced with data type identifiers and a redacted identifiers by the sensitive data redaction logic 126. In some embodiments, the data types may be ranked based on the scores and only those data types contributing to scores equal to or higher than the threshold are redacted. The evaluation of the sensitivity scores may be done at various levels of granularity, such as on an individual data type basis, a pattern of a predetermined number of data types.”, This is consistent with the specification: [0062] “the one or more patient data elements to be obfuscated may be determined according to respectively populated data fields in the message, wherein for example the data fields have been predetermined.”).
Akinmeji is directed to a redaction of sensitive patient data and is a analogous application to HENNIE. It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified HENNIE to incorporate the teaching of Akinmeji to utilize the above feature, with the motivation of protecting the privacy of a person's medical information, as may be stored in an electronic medical record (EMR), for example, is of significant importance in any medical system to not only protect the patient but also to avoid liability under governmental law, as recognized by (Akinmeji [0016]).
Regarding claim 24 (New), HENNIE, in view of Akinmeji and Gkoulalas-Divanis ROSENBERG teaches the method of claim 21.
de-identification is based on sensitive data, which is construed as pre-determined in order to identify the sensitive data. HENNIE in view of Gkoulalas-Divanis,
and ROSENBERG does not explicitly disclose the below limitation.
Akinmeji discloses wherein the one or more data elements to be obfuscated are determined according to a rules-based analysis of the one or more data elements in the original message (Akinmeji [0057]; “The scores generated for the data types and/or combination of data types, or an aggregation of the scores for the data types and/or combination of data types, are compared to at least one threshold by the data type scorer logic 124. If one or more of the scores, or aggregation of the scores, equal or exceed that threshold, meaning that the data types either alone or in combination are likely to be uniquely identifying of the patient, then the patient data corresponding to those data types marked for redaction by the data type scorer logic 124 such that they may be redacted and replaced with data type identifiers and a redacted identifiers by the sensitive data redaction logic 126. In some embodiments, the data types may be ranked based on the scores and only those data types contributing to scores equal to or higher than the threshold are redacted.”, This is consistent with the specification: [0008] “the one or more patient data elements to be obfuscated may be determined according to respectively populated data fields in the message, according to a rules-based analysis of message data, and/or according to the file structure of the original message.”).
Akinmeji is directed to a redaction of sensitive patient data and is a analogous application to HENNIE. It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified HENNIE to incorporate the teaching of Akinmeji to utilize the above feature, with the motivation of protecting the privacy of a person's medical information, as may be stored in an electronic medical record (EMR), for example, is of significant importance in any medical system to not only protect the patient but also to avoid liability under governmental law, as recognized by (Akinmeji [0016]).
Regarding claim 33, claim 33 is directed to a system claim that recites a similar limitation as the method of claim 23. Therefore claim 33 is rejected based on the same rational and motivation as claim 23 above.
Regarding claim 34, claim 34 is directed to a system claim that recites a similar limitation as the method of claim 24. Therefore claim 34 is rejected based on the same rational and motivation as claim 24 above.
Regarding claim 29 (New), HENNIE, in view of Akinmeji and Gkoulalas-Divanis ROSENBERG teaches the method of claim 21.
HENNIE, in view of Gkoulalas-Divanis and ROSENBERG does not explicitly disclose the below limitation.
Akinmeji discloses wherein the first interface module or the second interface module delivers deidentified messages to the receiving module on the host computing system (Akinmeji [0051]; “Thus, the data may be decrypted and then scrubbed using the sensitive patient information engine 120, where the scrubbing operation is an operation for identifying the presence of sensitive patient information in the received data, determining if the sensitive patient information should be obfuscated, obfuscating the data and providing the obfuscated data to the monitoring/log system 150 for use in generating monitoring/log data in database 152, and storing the redacted sensitive patient information in a redacted patient information database 140 for later retrieval by authorized individuals.”).
Akinmeji is directed to a redaction of sensitive patient data and is a analogous application to HENNIE. It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified HENNIE to incorporate the teaching of Akinmeji to utilize the above feature, with the motivation of protecting the privacy of a person's medical information, as may be stored in an electronic medical record (EMR), for example, is of significant importance in any medical system to not only protect the patient but also to avoid liability under governmental law, as recognized by (Akinmeji [0016]).
Regarding claim 39, claim 39 is directed to a system claim that recites a similar limitation as the method of claim 29. Therefore claim 39 is rejected based on the same rational and motivation as claim 29 above.
Regarding claim 30 (New), HENNIE, in view of Akinmeji and Gkoulalas-Divanis ROSENBERG teaches the method of claim 21, further comprising archiving, in a data warehouse services (DWS) module, the one or more data elements associated with the original message in an encrypted format (HENNIE [0008] “The data source generator may de-identify the synthesized data, and encrypt the de-identified synthesized data for transmission.”, [0083] “As soon as a user connects to the associated data source, the mobile application may upload encrypted data to the electronic health information transaction system.”, [0093] “The system may prompt a user to import data. The mobile application may communicate over secure encrypted protocols with the system, and data may be automatically loaded to the health information transaction system upon connection with the data sources upon authorization from the user to upload data to a system server.”, where transmitted and received data between the health system and user is always encrypted/de-identified, where DWS are part of the health system).
Regarding claim 40 (New), HENNIE, in view of Akinmeji and Gkoulalas-Divanis ROSENBERG teaches the system of claim 31, wherein the host computing system archives the one or more data elements associated with the original message in an encrypted format ([0083] “ As soon as a user connects to the associated data source, the mobile application may upload encrypted data to the electronic health information transaction system. For example the data may be encrypted using HTTPS. The data may be stored in data storage on the electronic health information transaction system, which may include file storage, and the stored data may be linked to a user's account. For example, the data may be linked via a unique identifier. The data may be encrypted utilizing keys, for example AWS KMS-Managed Keys (SSE-KMS).”).
Claims 22, 25-26, 32, 35-36 are rejected under 35 U.S.C. 103 as being unpatentable over HENNIE (US 20190287662 A1), and further in view of Akinmeji (US 20180096102 A1) and ROSENBERG (US 20200143084 A1) and Gkoulalas-Divanis (US 20190266353 A1) and MABOTUWANA (An HL7 Data Pseudonymization Pipeline, 10-01-2015 International Conference on Healthcare Information (Pages 303-309)).
Regarding claim 22 (New), HENNIE, in view of Akinmeji and Gkoulalas-Divanis ROSENBERG teaches the method of claim 21.
HENNIE, in view of Akinmeji and Gkoulalas-Divanis ROSENBERG does not explicitly disclose the below limitations.
MABOTUWANA discloses wherein obfuscating the one or more data elements associated with the original message while maintaining the file structure from the original message is performed at least in part by determining the one or more data elements to be obfuscated and further generating one-way hashes to be inserted into an original file structure in place of the one or more patient elements (MABOTUWANA Page 304 Col 2 Paragraph 4; “At a conceptual level, the data de-identification process involves parsing the HL7 messages, extracting information from fields containing PHI, de-identifying PHI and reconstructing HL7 using de-identified data. The data processing pipeline we developed is shown in Figure 3.”; Page 305 Col 2 Paragraph 6; “We arbitrarily decided to start the de-identified value at 1, although it is feasible to start with a randomly generated number. Similarly, for each new key, a new random number can be generated (ensuring this random number has not been generated previously). Using this type of hashing mechanism for unique identifiers allows the consumer of the de-identified data to perform aggregate calculations. For instance, hospitals typically use a medical record number (MRN) to uniquely identify patients – the method described herein ensures that all records belonging to the same patient will always get the same unique de-identifier.”; Page 304 Col 1 Paragraph 5; “Re-identification is the process of pseudonymizing a data set while providing a series of reverse mapping structures to re-identify the original data.”; Page 304 Col 2 Paragraph 3; “For re-identification, we employed an ‘honest broker’ approach [8] where the pseudonymization happens on the same machine where the data with PHI is stored, and the reverse mapping structures are also stored on the same machine. In a hospital environment for instance, this ensures that the data containing PHI does not leave the safety nets of the hospital. At the same time, the reverse mapping structures provide the flexibility for authorized personnel to trace back to the original data.”).
MABOTUWANA is directed to an HL7 data pseudonymization pipeline and is a analogous application to HENNIE, in view of Akinmeji and ROSENBERG, Gkoulalas-Divanis. It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified HENNIE, in view of Akinmeji and ROSENBERG, to incorporate the teaching of MABOTUWANA to utilize the above feature, with the motivation of maintaining a mapping function allows us to de-identify data on a routine basis to construct a longitudinal record of de-identified data, as recognized by (MABOTUWANA Page 308 Col 1 Paragraph 2).
Regarding claim 32, claim 32 is directed to a system claim that recites a similar limitation as the method of claim 22. Therefore claim 32 is rejected based on the same rational and motivation as claim 22 above.
Regarding claim 25 (New), HENNIE, in view of Akinmeji and Gkoulalas-Divanis ROSENBERG teaches the method of claim 21.
HENNIE, in view of Akinmeji and Gkoulalas-Divanis ROSENBERG does not explicitly disclose the below limitation.
MABOTUWANA discloses wherein the one or more data elements to be obfuscated are determined at least in part according to the file structure of the original message (Page 304 Col 1 Paragraph 5 and Col 2 Paragraph 1; “In general, anonymization of a data element means removal of all PHI therein, typically by replacing PHI with blank values. After anonymization, the data element can no longer be traced back to any individual. Pseudonymization is a subset of anonymization which replaces certain data elements with new values so that PHI is replaced by a new patient profile. This has the advantage of the data continuing to look complete while not containing any PHI. Re-identification is the process of pseudonymizing a data set while providing a series of reverse mapping structures to re-identify the original data. A common use case for re-identification is when data needs to be sent to an external system for processing and the result needs to be pushed back into the patient file [6] or when it is desirable to have a longitudinal view of the patient’s care. The primary focus of this research was to develop a de-identified HL7 dataset from production data. As such, we used a pseudonymization technique so that a realistic dataset can be constructed. However, we also included some data re-identification elements so that there is a mechanism to trace back to the patient if needed and also to support routine extraction of data to create a longitudinal record.”).
MABOTUWANA is directed to an HL7 data pseudonymization pipeline and is a analogous application to HENNIE, in view of Akinmeji and ROSENBERG. It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified HENNIE, in view of Akinmeji Gkoulalas-Divanis and ROSENBERG, to incorporate the teaching of MABOTUWANA to utilize the above feature, with the motivation of maintaining a mapping function allows us to de-identify data on a routine basis to construct a longitudinal record of de-identified data, as recognized by (MABOTUWANA Page 308 Col 1 Paragraph 2).
Regarding claim 35, claim 35 is directed to a system claim that recites a similar limitation as the method of claim 25. Therefore claim 35 is rejected based on the same rational and motivation as claim 25 above.
Regarding claim 26 (New), HENNIE, in view of Akinmeji and Gkoulalas-Divanis ROSENBERG teaches the method of claim 21.
HENNIE, in view of Akinmeji and Gkoulalas-Divanis ROSENBERG does not explicitly disclose the below limitation.
MABOTUWANA discloses wherein obfuscating one or more data elements associated with the original message while maintaining the file structure for the original message is performed at least in part by selecting an obfuscation model for the original message based on an original file structure, and wherein the one or more data elements are selected for obfuscation and subsequently obfuscated via application of the selected obfuscation model (Page 304 Col 1 Paragraph 5 and Col 2 Paragraph 1; “In general, anonymization of a data element means removal of all PHI therein, typically by replacing PHI with blank values. After anonymization, the data element can no longer be traced back to any individual. Pseudonymization is a subset of anonymization which replaces certain data elements with new values so that PHI is replaced by a new patient profile. This has the advantage of the data continuing to look complete while not containing any PHI. Re-identification is the process of pseudonymizing a data set while providing a series of reverse mapping structures to re-identify the original data. A common use case for re-identification is when data needs to be sent to an external system for processing and the result needs to be pushed back into the patient file [6] or when it is desirable to have a longitudinal view of the patient’s care. The primary focus of this research was to develop a de-identified HL7 dataset from production data. As such, we used a pseudonymization technique so that a realistic dataset can be constructed. However, we also included some data re-identification elements so that there is a mechanism to trace back to the patient if needed and also to support routine extraction of data to create a longitudinal record.”).
MABOTUWANA is directed to an HL7 data pseudonymization pipeline and is a analogous application to HENNIE, in view of Akinmeji Gkoulalas-Divanis and ROSENBERG. It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified HENNIE, in view of Akinmeji and ROSENBERG, to incorporate the teaching of MABOTUWANA to utilize the above feature, with the motivation of maintaining a mapping function allows us to de-identify data on a routine basis to construct a longitudinal record of de-identified data, as recognized by (MABOTUWANA Page 308 Col 1 Paragraph 2).
Regarding claim 36, claim 36 is directed to a system claim that recites a similar limitation as the method of claim 26. Therefore claim 36 is rejected based on the same rational and motivation as claim 26 above.
Claims 27, and 37 are rejected under 35 U.S.C. 103 as being unpatentable over HENNIE (US 20190287662 A1), and further in view of Akinmeji (US 20180096102 A1) and ROSENBERG (US 20200143084 A1) and Gkoulalas-Divanis (US 20190266353 A1) and Dove (US 20120159637 A1).
Regarding claim 27 (New), HENNIE, in view of Akinmeji and Gkoulalas-Divanis ROSENBERG teaches the method of claim 21.
HENNIE, in view of Akinmeji and Gkoulalas-Divanis ROSENBERG does not disclose the below limitation.
Dove disclose wherein the original message originating from the client computing system is received by the host computing system via one of the first interface module or the second interface module depending on a type of the original message ([0032]; “FIG. 1 shows two different environments, a production environment 102 and a de-identified environment 104. A production environment 102 corresponds to a setting in which the revelation of sensitive information is permitted.”; [0033]; “By contrast, the de-identified environment 104 corresponds to a setting in which the revelation of sensitive information is not permitted for any reason.”; [0066]; “The architecture of the original message-inception functionality 106 accommodates various usage scenarios. In one use case, the transformation module 120 is configured to produce a de-identified message when triggered by the receipt of an original message. As a result, the transformation module 120 can forward de-identified messages to the de-identified environment 104 at generally the same times that original messages are forwarded to the production environment 102. This manner of operation corresponds to a real-time mode of de-identification.”).
Dove is directed to functionality for providing de-identified data and healthcare data and is a analogous application to HENNIE, in view of Akinmeji and ROSENBERG, Gkoulalas-Divanis. It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified HENNIE, in view of Akinmeji and ROSENBERG, Gkoulalas-Divanis to incorporate the teaching of Dove to utilize the above feature, with the motivation of helping preserve the privacy of the sensitive information while still retaining some context associated with the sensitive information, as recognized by (Dove [0092]).
Regarding claim 37, claim 37 is directed to a system claim that recites a similar limitation as the method of claim 27. Therefore claim 37 is rejected based on the same rational and motivation as claim 27 above.
Claims 28 and 38 are rejected under 35 U.S.C. 103 as being unpatentable over HENNIE (US 20190287662 A1), and further in view of Akinmeji (US 20180096102 A1) and ROSENBERG (US 20200143084 A1) and Gkoulalas-Divanis (US 20190266353 A1) and Dove (US 20120159637 A1) and MABOTUWANA (An HL7 Data Pseudonymization Pipeline).
Regarding claim 28 (New), HENNIE, in view of Akinmeji and Gkoulalas-Divanis ROSENBERG and Dove teaches the method of claim 27.
HENNIE, in view of Akinmeji and Gkoulalas-Divanis ROSENBERG and Dove does not explicitly disclose the below limitation.
MABOTUWANA discloses wherein the type of the original message corresponds to the file structure of the original message (Page 303 Col 2 Paragraph 4 and Page 304 Col 1 Paragraphs 1 and 2; “An HL7 message is composed of a series of segments with each segment identifying the type of information the message contains (e.g., patient demographics, lab/observation result, diagnosis, insurance and next of kin). In turn, each segment includes one or more composites (also referred to as “fields”) that contain the actual information (such as names and result values). Composites can contain sub-composites (or sub-fields) – for instance, patient name is a composite within the ‘PID’ segment and can contain over six sub-composites (such as family name, given name, middle name and suffix). Components are typically separated by a “|” character, while sub-components are usually separated using “^”. Each HL7 message starts with a message header, corresponding to segment MSH, and defines the message’s source, purpose, destination, and other syntax specifics like composite delimiters. MSH field 9, denoted by MSH-9, is particularly important since this specifies the type of message that is being transmitted (such as ADT, ORM, ORU, ACK and so on [4]). The segments present in a given message vary depending on the type of message that is being transmitted. For instance, Figure 1 shows the composition of an ADT message (used to convey information related to patient admission, discharge and transfers) containing seven segments (MSH, EVN, PID and so on).”).
MABOTUWANA is directed to an HL7 data pseudonymization pipeline and is a analogous application to HENNIE, in view of Akinmeji Gkoulalas-Divanis and ROSENBERG and Dove. It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified HENNIE, in view of Akinmeji Gkoulalas-Divanis and ROSENBERG and Dove, to incorporate the teaching of MABOTUWANA to utilize the above feature, with the motivation of maintaining a mapping function allows us to de-identify data on a routine basis to construct a longitudinal record of de-identified data, as recognized by (MABOTUWANA Page 308 Col 1 Paragraph 2).
Regarding claim 38, claim 38 is directed to a system claim that recites a similar limitation as the method of claim 28. Therefore claim 38 is rejected based on the same rational and motivation as claim 28 above.
Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure:
Curbera (US 20180082024 A1) discloses patient information/data may be de-identified, anonymized, or obfuscated prior to patient information/data exchange among the participants
Any inquiry concerning this communication or earlier communications from the examiner should be directed to BASSAM A NOAMAN whose telephone number is (571)272-2705. The examiner can normally be reached Monday-Friday 8:30 AM-5:00PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Eleni A. Shiferaw can be reached at (571) 272-3867. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/BASSAM A NOAMAN/Primary Examiner, Art Unit 2497