Publishing an app simply means that the app will be assigned to a certain stream. Whether or not a certain user can see that app still depends on the rules for the app. Many deployments will add a rule that states that you can access an app if you can access the stream in which the app resides, but this is not the only way to organize access.
One option for you could be to add a security rule (or ask your system administrator to add one) that gives the user in question access to the specific app. That way you don't even have to publish it; she can access your unpublished app. The user won't be able to see the app listed in the hub, but she would be able to open it directly in a browser using the url for the app (with the app ID as part of the url).