Under the HIPAA Privacy Rule (45 CFR 164.508), covered entities must obtain written authorization before using or disclosing PHI for research, unless an IRB or Privacy Board grants a waiver.
Authorization can be combined with informed consent or stand alone. It must describe the PHI to be used, the purpose, recipients, an expiration, and the right to revoke.