The code you have doesn't care if the directory is inside or outside the document root. Just link to a PHP file to retrieve the file itself (instead of a link to the file upload since it's not available). To retrieve a file you just need to grab the contents using a script and output it.
Something like this:
<?php
$path = '/var/www/uploads';
$file = do_something_to_make_this_safe($_POST['file_to_retrieve']);
$type = mime_content_type( $path . '/' . $file );
$contents = file_get_contents($path . '/' . $file);
header('Content-Type: ' . $type);
header('Content-Disposition: attachment;filename=' . $file);
print $contents;
?>
Note you'll need to make sure someone isn't polluting for file path with things like ..
to try to access forbidden files. (thus the do_something_to_make_this_safe()
)