http://php.net/manual/en/function.passthru.php is the way to serve files from another location, then if hidden, don't serve the file.
There is probably a way to do this as well with fancy rewrites.
Another way is to change file permissions, but this is not really a good solution.
An example is this link:
Need to look inside of aiki for another solution.
The path being hidden is probably enough, and then routing through Aiki. Needs more exploration.