CodcompassCodcompass
← Back to Blog
AI/ML2026-05-11·88 min read

Strict-schema LLM outputs: what we learned shipping to a HIPAA environment

By Adamo Software

Beyond Syntax: Engineering Semantic Trust in LLM Structured Outputs

Current Situation Analysis

The modern LLM ecosystem has largely solved the syntactic problem of structured generation. Providers like OpenAI, Anthropic, and Google now offer native structured output modes that mathematically constrain token sampling to guarantee JSON conformance. If you pass a schema, the model cannot return malformed JSON. This capability has fundamentally changed how developers approach integration, shifting the bottleneck from parsing failures to semantic reliability.

The industry pain point is no longer broken JSON. It is trustworthy data. Tutorials and quickstart guides treat schema validation as the finish line: define a model, pass it to the API, parse the response, and ship. In production environments where downstream systems, billing engines, or compliance frameworks consume LLM outputs, this assumption collapses. A schema guarantees shape, not truth. It cannot verify that a medication was actually prescribed to the patient versus a family member, that a dosage falls within physiological limits, or that sensitive identifiers were successfully stripped before logging.

This gap is frequently misunderstood because syntactic validation passes silently. Integration tests confirm the JSON structure matches the contract, but they rarely validate domain semantics. The result is a pipeline that appears healthy until it injects hallucinated field assignments into critical workflows. In regulated sectors like healthcare, finance, or legal, "valid JSON, incorrect attribution" is not a parsing bug—it is a compliance incident, a billing rejection, or a clinical safety risk.

Empirical evidence from production deployments consistently shows that relying solely on schema conformance leaves significant error surfaces exposed. Teams that transition from open-string categorical fields to closed enumerations report downstream parsing failures dropping from approximately 8% to under 0.5%. Furthermore, independent research on LLM-based sensitive data annotation demonstrates that combining extraction and de-identification in a single prompt degrades performance on both tasks, proving that semantic trust requires architectural separation, not just prompt engineering.

WOW Moment: Key Findings

The shift from syntactic validation to semantic guardrails fundamentally changes pipeline behavior. When you layer confidence routing, domain validation, and schema versioning on top of native structured outputs, you transform the LLM from a black-box data generator into a traceable, auditable component.

Approach Downstream Parsing Failures Compliance Exposure Risk Human Review Queue Volume Audit Reproducibility
Naive Schema Enforcement ~8% High (PHI/sensitive data leaks) Low (false negatives) None (raw outputs discarded)
Semantic Guardrail Architecture <0.5% Controlled (segregated redaction pass) Optimized (confidence-based routing) Full (versioned replay capability)

This finding matters because it decouples generation from trust. Instead of hoping the model gets it right, you build a pipeline that explicitly measures uncertainty, enforces domain boundaries, and preserves historical state for compliance audits. The architecture shifts from reactive debugging to proactive risk routing.

Core Solution

Building a production-grade structured output pipeline requires treating the LLM response as an untrusted intermediate artifact. The following implementation demonstrates how to layer semantic validation, confidence routing, and auditability using Python and Pydantic. The architecture is designed for regulated environments but applies to any system where downstream consumers depend on LLM-generated data.

Step 1: Replace Open Strings with Closed Enumerations + Escape Hatches

Freeform strings for categorical data create downstream fragmentation. Billing systems, EHRs, and analytics pipelines expect canonical values. When models return variations like "twice daily", "BID", or "every 12 hours", downstream parsers fail. The solution is to enforce a closed set via enumerations while preserving an escape hatch for edge cases.

from enum import Enum
from typing import Optional, List
from pydantic import BaseModel, Field, field_validator

class AdministrationInterval(str, Enum):
    ONCE_DAILY = "once_daily"
    TWICE_DAILY = "twice_daily"
    THREE_TIMES_DAILY = "three_times_daily"
    FOUR_TIMES_DAILY = "four_times_daily"
    AS_NEEDED = "as_needed"
    OTHER = "other"

class PharmacyRecord(BaseModel):
    drug_name: str = Field(..., min_length=1, max_length=150)
    strength_value: float = Field(..., gt=0)
    strength_unit: str = Field(..., pattern=r"^(mg|g|mcg|ml|units)$")
    interval: AdministrationInterval
    raw_interval_text: Optional[str] = Field(
        default=None,
        description="Preserve original transcript text when interval is OTHER"
    )

Rationale: The enum forces the model to map ambiguous natural language to a known set. The OTHER value paired with raw_interval_text prevents the schema from forcing incorrect mappings. Downstream systems can process canonical values instantly while routing OTHER cases to human review with full context.

Step 2: Inject Self-Assessment Metadata

Models cannot be trusted to self-correct without explicit uncertainty signals. By requiring confidence scores and source attribution, you change the model's reasoning path. It must ground claims in the input text before asserting them.

from typing import Literal

class SourceSpan(BaseModel):
    exact_quote: str = Field(..., description="Verbatim excerpt from input")
    speaker_role: Literal["clinician", "patient", "caregiver", "system"]

class ExtractedClaim(BaseModel):
    field_identifier: str
    asserted_value: str
    confidence_score: float = Field(..., ge=0.0, le=1.0)
    source_spans: List[SourceSpan] = Field(..., min_length=1)
    flag_for_clinical_review: bool

class ClinicalIntake(BaseModel):
    medications: List[ExtractedClaim]
    active_conditions: List[ExtractedClaim]
    follow_up_tasks: List[ExtractedClaim]

Rationale: Confidence must be a continuous float, not a categorical label. Categorical confidence ("high/medium/low") suffers from calibration drift and model gaming. Requiring exact quotes forces grounding. The flag_for_clinical_review boolean shifts the model from passive extraction to active triage. Downstream routers can automatically queue items where confidence_score < 0.85 or flag_for_clinical_review == True.

Step 3: Layer Domain-Specific Post-Validation

JSON Schema cannot express physiological limits, cross-field dependencies, or business rules. A dosage of 500000 mg is syntactically valid but clinically dangerous. You must run a secondary validation pass after schema conformance.

class ValidatedPharmacyRecord(PharmacyRecord):
    @field_validator("strength_value")
    @classmethod
    def enforce_physiological_bounds(cls, v: float, info) -> float:
        unit = info.data.get("strength_unit")
        thresholds = {"mg": 10000, "g": 50, "mcg": 50000, "ml": 5000, "units": 100000}
        max_allowed = thresholds.get(unit, 10000)
        
        if v > max_allowed:
            raise ValueError(
                f"Strength {v}{unit} exceeds safe threshold. "
                "Route to clinical review queue."
            )
        return v

    @field_validator("interval", mode="before")
    @classmethod
    def normalize_interval_input(cls, v):
        # Handle raw string inputs that might slip through
        if isinstance(v, str):
            try:
                return AdministrationInterval(v)
            except ValueError:
                return AdministrationInterval.OTHER
        return v

Rationale: Field validators catch out-of-distribution values that schemas miss. Cross-field logic (e.g., route vs. unit compatibility) belongs in model_validator decorators. Validation failures should not crash the pipeline; they should emit typed errors that route the record to a review queue alongside the original LLM output.

Step 4: Decouple Extraction from Sensitive Data Sanitization

Combining data extraction and PHI redaction in a single prompt degrades both tasks. The model's attention splits between structural accuracy and privacy compliance. Production pipelines require a two-pass architecture.

# Pass 1: Extraction (PHI preserved, runs in HIPAA-boundary)
class RawClinicalExtraction(BaseModel):
    intake_data: ClinicalIntake
    source_transcript: str
    extraction_model: str
    schema_version: str

# Pass 2: De-identification (gate before logging/egress)
class IdentifiedSpan(BaseModel):
    category: Literal["patient_name", "date_of_birth", "facility", "mrn", "contact", "other"]
    text_match: str
    start_offset: int
    end_offset: int

class SanitizedOutput(BaseModel):
    clean_transcript: str
    detected_spans: List[IdentifiedSpan]
    compliance_clearance: bool

Rationale: Pass 1 operates within a controlled environment with a Business Associate Agreement (BAA). Pass 2 runs immediately before data leaves the boundary or enters observability pipelines. This separation ensures extraction quality remains high while guaranteeing that no sensitive data reaches logs, traces, or downstream analytics.

Step 5: Version Schemas and Persist Raw Outputs

Schemas evolve. Enums expand, thresholds tighten, new fields become mandatory. In regulated environments, you must reproduce historical outputs for audits. Discarding raw LLM responses after parsing destroys auditability and forces expensive, non-deterministic re-runs.

from datetime import datetime
from typing import Dict, Any, Optional, List

class SchemaRelease(BaseModel):
    version_tag: str  # Semver: "2.1.0"
    deployment_timestamp: datetime
    breaking_modifications: List[str]

class PersistedExtraction(BaseModel):
    schema_version: str
    raw_json_payload: str  # Unparsed LLM response
    parsed_artifact: Dict[str, Any]
    model_identifier: str
    ingestion_time: datetime

    def replay_against_schema(self, target_schema: type[BaseModel]) -> tuple[Optional[BaseModel], List[str]]:
        try:
            validated = target_schema.model_validate_json(self.raw_json_payload)
            return validated, []
        except Exception as e:
            return None, [str(err) for err in getattr(e, "errors", lambda: [])()]

Rationale: Storing raw_json_payload enables deterministic replay. Compliance teams can request all extractions matching a specific schema version without re-invoking the model. This pattern also enables safe A/B testing of schema changes by routing traffic to parallel schema versions and comparing validation success rates.

Pitfall Guide

1. Treating Categorical Fields as Freeform Strings

Explanation: Allowing open strings for enums, statuses, or intervals creates downstream fragmentation. Billing and analytics systems expect canonical values. Natural language variation breaks parsers. Fix: Enforce closed enumerations at the schema level. Always include an OTHER escape hatch with a raw text field to capture edge cases without forcing incorrect mappings.

2. Using Qualitative Confidence Labels

Explanation: Labels like "high", "medium", or "low" suffer from model calibration drift. LLMs tend to cluster around "high" to appear competent, rendering the field useless for routing. Fix: Require a continuous float between 0.0 and 1.0. Calibrate thresholds empirically using a validation dataset. Route items below the calibrated threshold to human review.

3. Merging Extraction and Redaction in One Prompt

Explanation: Asking a model to extract structured data and strip sensitive information simultaneously splits its attention. Research confirms this degrades both extraction accuracy and redaction completeness. Fix: Implement a two-pass pipeline. Pass 1 extracts with PHI preserved. Pass 2 scans and redacts before data crosses environment boundaries or enters logging systems.

4. Relying Solely on Schema Validators for Business Logic

Explanation: JSON Schema enforces shape, not domain truth. It cannot validate physiological limits, cross-field dependencies, or regulatory thresholds. Fix: Layer post-validation passes using framework-specific validators (e.g., Pydantic field_validator, model_validator). Route validation failures to review queues with full context.

5. Discarding Raw LLM Responses After Parsing

Explanation: Parsing and immediately deleting the raw JSON destroys auditability. Schema updates or compliance requests force expensive, non-deterministic re-runs that may violate data processing agreements. Fix: Persist the raw JSON payload alongside schema version, model ID, and timestamp. Implement a replay function that re-parses historical payloads against current or legacy schemas.

6. Hardcoding Review Thresholds Without Calibration

Explanation: Setting confidence < 0.8 or requires_review == True as static rules ignores model drift and domain variability. Thresholds that work for medication extraction may fail for diagnostic coding. Fix: Establish a validation dataset with ground truth. Measure precision/recall at different confidence cutoffs. Implement dynamic thresholding or periodic recalibration pipelines.

7. Assuming Schema Updates Are Backward-Compatible

Explanation: Adding required fields, renaming enums, or tightening validators breaks existing stored outputs. Deploying schema changes without versioning causes silent data loss or pipeline crashes. Fix: Treat schemas like database migrations. Version every change, document breaking modifications, and maintain a replay mechanism. Deploy new versions to shadow traffic before full rollout.

Production Bundle

Action Checklist

  • Replace all categorical string fields with closed enumerations and an OTHER escape hatch
  • Inject float-based confidence scores and required source attribution spans into extraction schemas
  • Implement domain-specific post-validation passes for range checks and cross-field logic
  • Decouple extraction and sensitive data redaction into separate pipeline stages
  • Persist raw LLM JSON payloads with schema version, model ID, and timestamp
  • Calibrate confidence thresholds using a ground-truth validation dataset
  • Implement schema replay functionality for compliance auditing and A/B testing
  • Route validation failures and low-confidence items to a structured review queue

Decision Matrix

Scenario Recommended Approach Why Cost Impact
Internal analytics dashboard Single-pass extraction with basic schema validation Low compliance risk; speed prioritized over auditability Minimal (single API call)
HIPAA-compliant clinical pipeline Two-pass architecture (extract → redact) with versioned schemas Regulatory requirement; prevents PHI leakage to logs Moderate (extra API call + storage)
Financial audit system Full semantic guardrails + raw payload persistence + replay Compliance mandates deterministic reproducibility Higher (storage + validation compute)
High-volume customer support Enum constraints + confidence routing + async review queue Balances automation with human oversight for edge cases Low-Moderate (queue infrastructure)

Configuration Template

# pipeline_config.py
from pydantic import BaseModel, Field
from typing import List, Optional, Literal
from enum import Enum
from datetime import datetime

class ReviewRouting(BaseModel):
    confidence_threshold: float = Field(default=0.85, ge=0.0, le=1.0)
    auto_approve_max_items: int = Field(default=5)
    escalation_path: Literal["queue", "alert", "block"] = "queue"

class SchemaRegistry(BaseModel):
    current_version: str = "3.0.0"
    deployment_date: datetime = Field(default_factory=datetime.utcnow)
    breaking_changes: List[str] = []
    legacy_versions: List[str] = ["2.1.0", "2.0.0"]

class PipelineConfig(BaseModel):
    extraction_schema: str = "clinical_intake_v3"
    redaction_enabled: bool = True
    review_routing: ReviewRouting = ReviewRouting()
    schema_registry: SchemaRegistry = SchemaRegistry()
    persist_raw_output: bool = True
    storage_backend: Literal["s3", "gcs", "azure_blob", "postgres"] = "postgres"

Quick Start Guide

  1. Define your extraction schema using closed enumerations and float confidence fields. Add source attribution spans to force grounding.
  2. Implement post-validation hooks for domain-specific rules (range limits, cross-field dependencies). Route failures to a review queue instead of crashing.
  3. Deploy a two-pass pipeline if handling sensitive data. Run extraction in a controlled environment, then execute redaction before logging or egress.
  4. Persist raw JSON payloads alongside schema version and model ID. Implement a replay function to re-parse historical outputs against current schemas.
  5. Calibrate routing thresholds using a validation dataset. Set confidence cutoffs and review flags based on empirical precision/recall, not defaults. Monitor drift monthly.